
What are the encryption rules for Alipay payments?

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains what the encryption rules of Alipay look like. The explanation is simple and clear and easy to follow; please follow the editor's train of thought as we study how Alipay's encryption rules work.

I. What is a signature?

Before looking at signatures, review the interaction flow of a payment. As shown in the figure above, the payment process can be roughly divided into six steps.

1. The user chooses a product and submits the order.

2. The merchant server sends the commodity information and the amount due to Alipay, which generates an Alipay order.

3. After the Alipay order is returned successfully, a payment page is generated for mobile or web payment.

4. The mobile phone calls the Alipay app to make the payment.

5. The user enters the payment password, which is sent to the Alipay server.

6. After the transfer succeeds, the Alipay server notifies the merchant server that the amount of the order was transferred successfully.

Of these six steps, steps 2 and 6 are the most important. They are broken down below.

The information exchanged between the merchant server and the Alipay server is extremely sensitive, so a middleman must be prevented from tampering with it during the interaction. For example, if the commodity amount were changed to 0 in step 2, Alipay would mistakenly process a transfer of 0 yuan.

A digital signature solves this security problem. It can verify the authenticity of a message or document. The Alipay interface has a sign parameter that carries the signature, whose purpose is to prevent falsification of the information. In this way, the message is effectively protected from being tampered with in transit.

II. The principle of signature implementation

2.1 Signature principle

A digital signature is a guarantee of information integrity, and its implementation depends on the keys held by the two systems.

The signing process is as follows:

1. Calculate the hash of the document you want to sign. The output length is always fixed regardless of the length of the input document; with SHA256, for example, it is 256 bits.

2. Encode the resulting hash together with some additional metadata. For example, the receiver needs to know which hashing algorithm you used, otherwise the signature cannot be processed.

3. Encrypt the encoded data with the private key. The result is the signature, which can be appended to the document as the basis for authentication.

Verifying the signature (signature verification):

1. The receiver receives the document and independently calculates its hash using the same hashing algorithm.

2. She then uses the public key to decrypt the signature, decodes the hash, confirms that the hash algorithm used is the expected one, and checks that the decrypted hash matches the one calculated locally.

2.2 Asymmetric encryption

Alipay uses RSA asymmetric encryption to sign the information.

Asymmetric encryption uses a pair of keys, a public key and a private key, usually named public key and private key in code. Its characteristic is that information encrypted with the private key can only be decrypted with the public key, and information encrypted with the public key can only be decrypted with the private key.

The private key is kept by its owner and is placed in the configuration file during development; its security level is the same as that of the database account password. The public key is handed to the other system, so a middleman who does not know the private key cannot forge the exchanged information. As long as the sender keeps the private key secret, a message sent by anyone else will fail signature verification at the receiver.

Alipay's signature implementation follows roughly this scheme. When exchanging information with Alipay, two important terms come up, the Alipay public key and the application public key, and the two are easily confused. This is because Alipay provides two sets of RSA keys: one protects the information in the unified order interface call of step 2, and the other protects the information in the callback of step 6.

As shown in the figure below, in step 2 the merchant server calculates the signature with the red application private key (priv key 2) and Alipay verifies it with the red application public key (pub key 2); in step 6 the Alipay server calculates the signature with the blue Alipay private key (priv key 6) and the merchant verifies it with the blue Alipay public key (pub key 6).

As shown in the figure above, the signature type is RSA2, with SHA256 as the hash algorithm. In the settings, enter the application public key and save the Alipay public key.

The application public key and the application private key must be generated as a pair to secure step 2. To generate them, use the Alipay Open Platform development assistant.

The Alipay public key and the Alipay private key are provided by Alipay, and Alipay keeps its own private key. Just as a merchant never hands out the application private key of its own server, Alipay does not give its private key to anyone. The Alipay public key is copied to the merchant for signature verification on the callback.
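As an added example (not code from the article or from Alipay's SDKs), the following Go program models the two key pairs of section 2: the merchant signs the step 2 request with the application private key and Alipay checks it with the application public key, while the step 6 callback is signed with the Alipay private key and checked with the Alipay public key. It assumes Alipay's RSA2 rule of signing the parameters sorted by key and joined as key=value pairs, and generates the key pairs locally instead of with the development assistant.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"sort"
	"strings"
)

// NewKeyPair generates a 2048-bit RSA pair (what the development assistant does for the application).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignString builds the text that is hashed and signed: parameters sorted by key, "sign" and
// empty values left out, joined as key=value&key=value (Alipay's canonicalisation, assumed here).
func SignString(p map[string]string) string {
	var keys []string
	for k, v := range p {
		if k != "sign" && v != "" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for i, k := range keys {
		keys[i] = k + "=" + p[k]
	}
	return strings.Join(keys, "&")
}

// Sign sets p["sign"] to the RSA2 signature (SHA256withRSA, base64) under the sender's private key:
// the application private key in step 2, the Alipay private key in the step 6 callback.
func Sign(priv *rsa.PrivateKey, p map[string]string) error {
	h := sha256.Sum256([]byte(SignString(p)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	p["sign"] = base64.StdEncoding.EncodeToString(sig)
	return err
}

// Verify recomputes the SHA256 hash of the received parameters and checks p["sign"] with the
// sender's public key. Any change to a signed value (for example total_amount) makes it return false.
func Verify(pub *rsa.PublicKey, p map[string]string) bool {
	sig, err := base64.StdEncoding.DecodeString(p["sign"])
	h := sha256.Sum256([]byte(SignString(p)))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```

Verifying a request with the other pair's public key, or changing total_amount after signing, makes Verify return false, which is the tampering check that section 1 describes.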

III. Symmetric encryption

Although a signature prevents a middleman from tampering with the information, it cannot prevent the middleman from reading it. For example, in step 2 a middleman who sees the commodity amounts sent to Alipay could work out the merchant's daily transaction volume. Transmission over the network is invisible to the sender, and the information may be intercepted by criminals along the way.

Therefore, during payment it is recommended to use the https protocol for the interaction, so that the transmitted information is encrypted. In addition, many Alipay interfaces also support AES encryption of the transmitted content, making the information more secure.

AES is a symmetric encryption algorithm, simpler than asymmetric encryption: there is only one key shared between the systems, and it is used for both encryption and decryption.

The information exchanged with Alipay can be encrypted with AES to prevent its disclosure. The official explanation of the interface is as follows:

If an OpenAPI interface has no bizContent parameter, it cannot be encrypted with the AES key; otherwise it reports an error that the current API does not support encrypted requests. For example, alipay.user.info.share (the Alipay member authorization information query interface) does not pass its parameters through bizContent, so AES key encryption cannot be used.

IV. The relationship between AES and RSA

The AES key encrypts the request and response content of the interface, so a third party cannot read the ciphertext; this prevents the data transmitted by the interface from leaking.

The RSA key signs the request and response content of the interface, and the developer and Alipay open platform sign and verify respectively to confirm that the content transmitted by the interface has not been tampered with. RSA can sign the API normally regardless of whether the content of the API is plaintext or ciphertext.

Developers can encrypt the request parameters by AES first, and then sign the ciphertext with RSA.

Thank you for reading. The above is the content of "what the encryption rules of Alipay are". After studying this article, I believe you have a deeper understanding of how Alipay's encryption rules work. The specific details still need to be verified in practice. The editor will continue to push more related articles for you; welcome to follow!

© 2024 shulou.com SLNews company. All rights reserved.
