Add to Favorites | Login | Register
Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

About us Contact us

How to realize the Interface Security of ASP.NET MVC OR WebAPI

2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >

Share

Shulou(Shulou.com)06/02 Report--

这篇文章主要讲解了"ASP.NET MVC OR WebAPI的接口安全怎么实现",文中的讲解内容简单清晰,易于学习与理解,下面请大家跟着小编的思路慢慢深入,一起来研究和学习"ASP.NET MVC OR WebAPI的接口安全怎么实现"吧!

当我们开发一款App的时候,App需要跟后台服务进行通信获取或者提交数据。

如果我们没有完善的安全机制则很容易被别用心的人伪造请求而篡改数据。

所以我们需要使用某种安全机制来保证请求的合法。现在最常用的办法是给每个http请求添加一个签名,服务端来验证签名的合法性,如果签名合法则执行响应的操作,如果签名非法则直接拒绝请求。

签名算法

签名算法一般都使用Hash散列算法,常用的有MD5,SHA系列算法。这些算法可以根据不同的输入,计算出不同的结果,而且碰撞的概率很低。

签名算法跟加密算法不是一回事。很多同学都会说使用MD5加密一下,其实这是错误的。签名算法不能恢复原来的数据,因为它本身并不包含原来数据的信息。

而加密方法不同,加密方法是可以根据加密结果重新推算出原来的数据的。

HMAC SHA作为一种更加安全的签名算法,使用一个Key来影响签名的结果。这样同样的输入配合不同的Key可以得出不同的签名,更加安全。

public static string HmacSHA256(string secretKey,string plain)

{

var keyBytes = Encoding.UTF8.GetBytes(secretKey);

var plainBytes = Encoding.UTF8.GetBytes(plain);

using (var hmacsha256 = new HMACSHA256(keyBytes))

{

var sb = new StringBuilder();

var hashValue = hmacsha256.ComputeHash(plainBytes);

foreach (byte x in hashValue)

{

sb.Append(String.Format("{0:x2}", x));

}

return sb.ToString();

}

}

签名的参数

有了签名算法,那么我们签名的内容哪里来呢?

一般我们使用http请求的queryString然后加上时间戳还有随机数来作为签名的参数。

public static string MakeSignPlain(SortedDictionary queryString,string time,string random )

{

var sb = new StringBuilder();

foreach (var keyValue in queryString)

{

sb.AppendFormat("{0}={1}&", keyValue.Key, keyValue.Value);

}

if (sb.Length>1)

{

sb.Remove(sb.Length - 1, 1);

}

sb.Append(time);

sb.Append(random);

return sb.ToString().ToUpper();

}

验证签名

验证签名就是简单的比较服务端生产的签名跟客户端生产的签名是否一直。

要注意的一点是最好验证下时间戳,跟服务端时间比较前后不能相差5分钟。这也是一个简单的防Replay Attack的手段。

public static bool Valid(string requestSign,string signPlain,string time, string secretKey)

{

if (string.IsNullOrEmpty(time)||string.IsNullOrEmpty(requestSign)||string.IsNullOrEmpty(signPlain))

{

return false;

}

//is in range

var now = DateTime.Now;

long requestTime =0;

if (long.TryParse(time,out requestTime))

{

var max = now.AddMinutes(5).ToString("yyyyMMddHHmmss");

var min = now.AddMinutes(-5).ToString("yyyyMMddHHmmss");

if (!(long.Parse(max) >= requestTime && long.Parse(min) 1)

{

//remove last &

signPlain.Remove(signPlain.Length - 1, 1);

}

signPlain.Append(time);

signPlain.Append(random);

Console.WriteLine("sign plain:{0}", signPlain.ToString().ToUpper());

//make sign

var sign = Encryption.HmacSHA256(secretKey, signPlain.ToString().ToUpper());

Console.WriteLine("sign:{0}", sign);

string requestUrl = string.Format("{0}?{1}={2}", url, "userId", userId);

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestUrl);

request.Method = "GET";

//add headers

request.Headers.Add("time", time);

request.Headers.Add("appId", appId);

request.Headers.Add("random", random);

request.Headers.Add("sign", sign);

//

//start request

try

{

using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())

{

var responseStream = response.GetResponseStream();

if (responseStream != null)

{

using (StreamReader reader = new StreamReader(responseStream))

{

var content = reader.ReadToEnd();

Console.WriteLine(content);

}

}

}

}

catch (WebException ex)

{

using (HttpWebResponse response = (HttpWebResponse)ex.Response)

{

var responseStream = response.GetResponseStream();

if (responseStream != null)

{

using (StreamReader reader = new StreamReader(responseStream))

{

var content = reader.ReadToEnd();

Console.WriteLine(content);

}

}

}

}

}

感谢各位的阅读,以上就是"ASP.NET MVC OR WebAPI的接口安全怎么实现"的内容了,经过本文的学习后,相信大家对ASP.NET MVC OR WebAPI的接口安全怎么实现这一问题有了更深刻的体会,具体使用情况还需要大家实践验证。这里是,小编将为大家推送更多相关知识点的文章,欢迎关注!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Tag Search: Algorithm security time client data service authentication interface different encryption client legal content parameter end result learning that is commonly used method vpn macOS Linux MariaDB MySQL Docker Shulou Information Shulou Technology Shulou Tech Info OPPO Reno Redmi Xiaomi NVidia Microsoft Huawei Apple Apple OPPO Reno MySQL Redmi Shulou Tech Info Huawei vpn Shulou Technology MariaDB Linux Microsoft NVidia Shulou Information macOS Xiaomi Docker Apple OPPO Reno MySQL Redmi Shulou Tech Info Huawei vpn Shulou Technology MariaDB Linux Microsoft NVidia Shulou Information macOS Xiaomi Docker

Share To

Related

Development

More Development >

Latest Network Security More Network Security >

Latest Internet Technology More Internet Technology >

Latest Development More Development >

Latest Database More Database >

Latest Servers More Servers >

Latest Mobile Phone More Mobile Phone >

Latest Android Software More Android Software >

Latest Apple Software More Apple Software >

Latest Computer Software News More Computer Software News >

Latest IT Information More IT Information >

Wechat

About us Contact us Product review car news thenatureplanet

© 2024 shulou.com SLNews company. All rights reserved.

12
Report