What is the simple and secure API authorization mechanism based on signature algorithm?

2025-03-28 Update, from SLTechnology News&Howtos (Network Security)

Shulou (Shulou.com) 05/31 Report

How does a simple and secure API authorization mechanism based on a signature algorithm work? This article presents the analysis and a solution in detail, in the hope of helping readers who face the same problem find a simple, workable method.

In the past, while building advertising systems, the author found that most platforms integrated their advertising systems through interfaces authorized by a token, and this token, provided by the advertiser, never changed. It is fair to call such an interface unprotected, but these interfaces do not require strong security; the token only needs to block malicious calls and verify the identity of the channel.

Last year the author wrote a unified API authorization platform, which provides centralized authorization management for internal service interfaces opened to third-party systems. Apart from making interface authorization convenient to manage, it had no other use, yet it still cost resources to deploy. It should count as one of the most pointless projects I have ever done.

The API authorization mechanism introduced today may also be the most widely used one. I remember that when the author worked on the WeChat Pay function, the payment interface provided by WeChat used the same approach: a signature. Its advantages are simplicity, no performance impact and no extra cost.

The logic of this authorization method is that the authorized party assigns each access platform a unique identity (key) and a separate secret key, which together are equivalent to an account and password. The access system must carry three parameters in the request header every time it sends a request: the identity (key), the timestamp of the request, and the signature. When the authorized system receives the request it verifies the signature, and only lets the request through once verification passes.

Verifying the signature means reading the identity (key) and timestamp from the request header, regenerating the signature from them and the secret key with the same algorithm (the caller and the authorized party share one signature algorithm), and finally comparing the regenerated signature with the one carried in the request header. If they are equal, verification succeeds; otherwise it fails.

The implementation process of the authorization method based on signature algorithm is as follows:

Authorized party:

1. Define the signature algorithm, provide the signature generation algorithm to the access party, and generate the secret key and identity for the access party.

2. In the project, intercept the interfaces that need signature verification, read the timestamp and identity from the request header, generate the signature from the secret key and the signature algorithm, and compare it with the signature read from the request header. If they are the same, proceed to step 3; otherwise reject the request.

3. Check request timeliness: compare the current system timestamp with the timestamp from the request header; let the request through if it is within the valid time range, otherwise reject it and respond that the signature has expired.

Access party:

1. Obtain the integration document from the authorized party and request the secret key and identity from them.

2. Wrap the signature method according to the signature generation algorithm described in the document.

3. When sending a request, write the identity, the current timestamp and the signature into the request header.

The signature generation algorithm can be customized, for example by concatenating the identity (key), the timestamp and the secret key, then running the resulting string through an irreversible algorithm such as MD5 to produce the signature. The more complex the rules, the less likely they are to be broken.

What are the benefits of signing with a timestamp?

One is that it gives the signature a lifetime. The authorized system can compare the request timestamp with the system's current timestamp so that the signature is only valid within one second, or five seconds. The requirement is that the system time on both sides must be correct.

The second is security. If an attacker intercepts a request from your system, modifies it and sends it again, that takes time, so by the time the system receives the tampered request the signature's validity has passed. If the attacker changes the timestamp in the request header instead, the signature regenerated by the authorized system no longer matches the one in the request header, and the request is equally invalid.

Even someone who knows the signature rules of the authorized party's (compromised) system cannot generate a valid signature without knowing the secret key. And because the signature uses an asymmetric encryption algorithm, it is almost impossible to brute-force the key.

So why use a timestamp instead of formatting a time string?

This is probably for compatibility across time zones. If different data centres sit in different time zones, their local times differ, but their timestamps are the same.

To get the full security benefit of this kind of authorization, first the rules for generating the signature must be complex enough; second, the algorithm applied to the signature must be irreversible (do not use Base64); and finally, the secret key must be long and complex enough that even someone who knows the signature generation rules cannot crack it by brute force.

The signature rule is the rule for building the string that is hashed, for example identity + secret key + timestamp + identity + secret key. Suppose the identity is "app", the secret key is "123" and the timestamp is "1111111111111"; the string before hashing is then "app1231111111111111app123". The final signature is produced by running this concatenated string through the encryption algorithm.
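The two-sided procedure above (access party signs; authorized party checks the signature, then the timestamp window), the signature rule just given, and the replay and tamper checks from the timestamp discussion, as an added Python example that is not part of the original article. The header names, the five-second window and the credential table are assumptions, and SHA-256 stands in for the MD5 the article mentions, since the algorithm is customizable.

```python
import hashlib
import hmac
import time

# Constructed credentials issued by the authorized party: identity (key) -> secret key.
CREDENTIALS = {"app": "123"}
WINDOW_SECONDS = 5  # assumed validity window; the article mentions one or five seconds


def build_sign_string(identity, secret, timestamp):
    """Article's rule: identity + secret key + timestamp + identity + secret key."""
    return f"{identity}{secret}{timestamp}{identity}{secret}"


def make_signature(identity, secret, timestamp):
    # SHA-256 used here as the irreversible hash (assumption; the article names MD5).
    return hashlib.sha256(build_sign_string(identity, secret, timestamp).encode()).hexdigest()


def sign_request(identity, secret, now_ms=None):
    """Access party: the three headers carried on every request (header names assumed)."""
    ts = str(int(time.time() * 1000) if now_ms is None else now_ms)
    return {"X-Key": identity, "X-Timestamp": ts,
            "X-Signature": make_signature(identity, secret, ts)}


def verify_request(headers, now_ms=None):
    """Authorized party: step 2 (signature) then step 3 (timeliness). Returns (ok, reason)."""
    identity = headers.get("X-Key", "")
    ts = headers.get("X-Timestamp", "")
    provided = headers.get("X-Signature", "")
    secret = CREDENTIALS.get(identity)
    if secret is None or not ts.isdigit():
        return False, "unknown identity or bad timestamp"
    expected = make_signature(identity, secret, ts)
    # Constant-time comparison so the check leaks nothing about the expected value.
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    now = int(time.time() * 1000) if now_ms is None else now_ms
    # Both directions of skew are rejected; clocks on both sides must be correct.
    if abs(now - int(ts)) > WINDOW_SECONDS * 1000:
        return False, "signature expired"
    return True, "ok"
```

A replayed request fails at the window check, while a request whose timestamp was edited fails at the signature check, which is the order the article describes.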

Isn't it troublesome to write the signature logic for every interface?

It doesn't have to be. For the authorized party, the signature verification logic can go in a filter or interceptor; for the caller, different frameworks offer different ways, but there is always a way to write the signature logic only once.

That is all for the question of a simple and secure API authorization mechanism based on a signature algorithm. I hope the above content is of some help to you. If you still have questions, follow the industry information channel for more related knowledge.
