2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The editor shares with you how to do Open API signature authentication. I believe most people do not know much about it, so this article is shared for your reference; I hope you learn a lot from reading it. Let's get to know it!
There is a set of RESTful APIs in the project that must be exposed to the public network and must be callable securely. This covers the following three aspects:
1. The source (identity) of the request must be legitimate.
2. The request parameters cannot be tampered with.
3. The request must be unique (it cannot be replayed).
To ensure the security of the data in transit, parameter signing can be used for the corresponding verification.
I. No verification
The pseudo code is shown in the following figure.
This approach is simple to implement, but the problem is obvious: anyone can fetch whatever data they want.
II. MD5 parameter signature
See "MD5's practice of preventing data from being tampered with".
We optimize the API's product query interface.
1. Assign a corresponding key and secret to the app.
2. sign signature. The request parameters must be signed when the API is called, and the server verifies that signature. The signing method is as follows:
(1) Sort all request parameters alphabetically by parameter name, then concatenate them into a keyvaluekeyvalue...keyvalue string. For example, arong=1,mrong=2,crong=3 sorts to arong=1,crong=3,mrong=2; concatenating each parameter name with its value gives the parameter string arong1crong3mrong2.
(2) Prepend the secret to the parameter string and hash it with MD5. The resulting hex string is converted to upper case; this is the signature sign.
The new API interface code is as follows.
This method adds two more request parameters, key and sign, so a valid key and a correct signature sign are needed to obtain the group data. This solves authentication and prevents parameter tampering. Even if the request parameters are captured by someone else, they will never obtain the secret, because the secret is never transmitted (unless the client itself is compromised, for example by malware). Without the secret, a legitimate request cannot be forged.
But this is not enough. If someone obtains your complete request link, they can fetch the same data by reusing your key and sign with the same parameters.
III. Guaranteeing request uniqueness
To prevent others from reusing the request parameters, we need to ensure the uniqueness of the request, i.e. a request can only be used once, so that it is invalid even if someone captures the full request link.
Implementing uniqueness: to the request parameters above we add a timestamp (format yyyyMMddHHmmss). Like the other request parameters, the timestamp also takes part in the sign algorithm.
The timestamp is used to check whether the request has expired, so even a captured complete request link will not remain valid. In addition, technologies such as browser fingerprinting (to be covered in a separate article) can be added to verify the uniqueness of the request.
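The following Python block is an added example, not code from the original article or its project. It puts sections II and III together end to end: the canonical keyvalue string of step (1), the secret-prefixed upper-case MD5 of step (2), the client adding key and timestamp before signing, and a server-side check of identity, freshness, integrity and single use. Everything not stated in the article is an assumption and is labelled as such in the code: the credential store APP_SECRETS, a 5-minute acceptance window MAX_SKEW, UTC timestamps, and an in-memory cache of already-accepted signatures (the timestamp alone only narrows the replay window; the cache is what makes a request single-use, which is the article's stated goal).

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credential store (assumed): app key -> secret. The secret is
# shared out of band with the app and is never sent on the wire.
APP_SECRETS = {"app-demo-key": "demo-secret-do-not-ship"}

# Timestamp layout from section III (yyyyMMddHHmmss); both sides use UTC (assumed).
TS_FORMAT = "%Y%m%d%H%M%S"
# Acceptance window for the timestamp. The article gives no value; 5 minutes is an assumption.
MAX_SKEW = timedelta(minutes=5)
# Signatures accepted within the window (assumed single-process cache; behind several
# API servers this would be a shared store with a TTL equal to MAX_SKEW).
_seen_signatures = set()


def reset_replay_cache():
    """Forget accepted signatures (used by the scripted demo)."""
    _seen_signatures.clear()


def canonical_string(params):
    """Step (1): sort by parameter name and concatenate name+value pairs."""
    return "".join(f"{name}{params[name]}" for name in sorted(params))


def make_sign(secret, params):
    """Step (2): prefix the secret, MD5, upper-case hex. 'sign' itself is excluded."""
    body = {k: v for k, v in params.items() if k != "sign"}
    raw = (secret + canonical_string(body)).encode("utf-8")
    return hashlib.md5(raw).hexdigest().upper()


def build_request(key, secret, params, now=None):
    """Client side: add key and timestamp (both get signed), then attach sign."""
    now = now or datetime.now(timezone.utc)
    signed = dict(params)
    signed["key"] = key
    signed["timestamp"] = now.strftime(TS_FORMAT)
    signed["sign"] = make_sign(secret, signed)
    return signed


def verify_request(request, now=None):
    """Server side: identity, freshness, integrity, then single use. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    secret = APP_SECRETS.get(request.get("key"))
    if secret is None:
        return False, "unknown key"
    try:
        ts = datetime.strptime(str(request.get("timestamp", "")), TS_FORMAT)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return False, "expired"
    expected = make_sign(secret, request)
    presented = str(request.get("sign", ""))
    # Constant-time comparison, so timing does not reveal how much of a guessed sign matched.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    if presented in _seen_signatures:
        return False, "replay"
    _seen_signatures.add(presented)
    return True, "ok"


def run_demo():
    """Scripted scenario at a fixed clock; returns the server verdicts in order."""
    reset_replay_cache()
    t0 = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    secret = APP_SECRETS["app-demo-key"]
    req = build_request("app-demo-key", secret, {"group": "10", "page": "1"}, now=t0)
    verdicts = [verify_request(req, now=t0)[1]]           # genuine request: ok
    verdicts.append(verify_request(req, now=t0)[1])       # same link again: replay
    tampered = dict(req, page="2")                        # parameter changed, sign kept
    verdicts.append(verify_request(tampered, now=t0)[1])  # bad signature
    forged = build_request("app-demo-key", "guessed-secret", {"group": "10"}, now=t0)
    verdicts.append(verify_request(forged, now=t0)[1])    # wrong secret: bad signature
    late = build_request("app-demo-key", secret, {"group": "10"}, now=t0)
    verdicts.append(verify_request(late, now=t0 + timedelta(minutes=10))[1])  # expired
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Running the block prints `['ok', 'replay', 'bad signature', 'bad signature', 'expired']`. The signature is checked before the replay cache is consulted, so a forged request can never poison the cache, and the cache only has to remember signatures for as long as MAX_SKEW, because anything older is rejected as expired anyway.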
Security analysis of the sign signature
From the example above, we can see that the key to security lies in the secret that takes part in the signature. The secret never takes part in the communication, so as long as it is not disclosed, requests cannot be forged.
The sign signature method above can, to a certain extent, prevent information from being tampered with or forged and secure the communication. Here MD5 is used for the digest; in practice other signature algorithms can be chosen according to need, such as RSA, SHA and so on.
The above is the whole content of the article "How to do Open API signature authentication". Thank you for reading! I believe we all now have a certain understanding of it; I hope the shared content helps you, and if you want to learn more, welcome to follow the industry information channel!