Open API Interface Signature Verification

Source: Internet
Author: User
Tags: http, post, md5, encryption

Don't worry, the source code is shared at the bottom. First a question: how does the Open API interface you write keep its data secure? Let's look at the security issues. When a client calls an open API over HTTP POST or GET, several problems arise: is the source of the request (the caller's identity) legitimate? Have the request parameters been tampered with? Is the request unique (can it be replayed)?

To keep the data in the exchange secure, we can sign the request parameters and verify the signature on the server.

Case analysis

We analyze the case of a mobile client (App) calling a backend interface (API):

Client: hereinafter referred to as App

Backend interface: hereinafter referred to as API

We use the App's product-list query to walk through the flow:

App clicks the query button ==> calls the API to query ==> API returns the query result ==> App displays it

On to the code -_-.

First, no verification at all

API query interface:

App call: http://api.test.com/getproducts?parameter1=value1 ...

As above, this approach is simple and crude: anyone who invokes getproducts gets the product list. With no verification at all, the product list is exposed and product information leaks. So how do we verify the caller's identity, and how do we prevent the parameters from being tampered with?

Second, MD5 parameter signature

We optimize the API product query interface:

1. Assign each App a key and a secret.

2. Sign the request: calling the API requires a signature over the request parameters, computed as follows:

A. Sort all request parameters by parameter name, then concatenate each name and value into a string of the form keyvaluekeyvalue...keyvalue. For example, arong=1, mrong=2, crong=3 sorted is arong=1, crong=3, mrong=2, which concatenates to the parameter string arong1crong3mrong2.

B. Prepend the secret to the parameter string, compute the MD5 hash of the result, and convert the hex digest to uppercase. The result is the signature sign.

New API interface code:

App call: http://api.test.com/getproducts?key=app_key&sign=BCC7C71CF93F9CDBDB88671B701D8A35&parameter1=value1&parameter2=value2 .....

Note: the secret is used only to compute the signature; never send it as a request parameter, or data security is lost.

As above, the optimized request carries two extra parameters, key and sign; a request now needs a legitimate key and the correct sign to obtain product data. This solves authentication and parameter tampering: even if the request parameters are captured, nothing is gained, because the secret is never transmitted and so can never be obtained, and a legitimate request with new parameters can no longer be forged.

But... is that enough? Careful readers may notice that if I capture your complete link, I can always reuse your key, sign and the same parameters and still get the data normally... -_-! Yes, the optimization above is not enough.

Uniqueness of the request:

To stop others from reusing captured request parameters, we need to make each request unique, so that a given request can be used only once; then even someone who takes away the full request link cannot use it. Implementation: to the request parameters above we add a timestamp parameter, timestamp (YYYYMMDDHHMMSS), and the timestamp, like the other parameters, is included in the sign calculation.

The new API interface:

App call: http://api.test.com/getproducts?key=app_key&sign=BCC7C71CF93F9CDBDB88671B701D8A35&timestamp=201603261407&parameter1=value1&parameter2=value2 .....

As above, the server uses the timestamp parameter to check whether the request has expired. This way the complete request link, even if captured, becomes invalid once it is out of date.
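The following is an added example, not the article's own source code: it implements the signing steps A and B from the MD5 section (sort by name, concatenate name+value, prepend the secret, MD5, uppercase hex) and the timestamp check from this section in Python, and adds two things the article only implies on the server side: a constant-time comparison of the signature and a cache of already-accepted (key, timestamp, sign) triples, because a timestamp window on its own bounds the replay period but does not make a request single-use. The app key, secret, parameter names, the five-minute window and the `Verifier` class are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample credentials; in practice the API operator issues these to the App.
APP_KEY = "app_key"
SECRET = "example_secret_never_sent"   # used only to compute sign, never a request parameter

# Parameters that are never part of the signed string (the signature itself).
UNSIGNED = {"sign"}

TS_FORMAT = "%Y%m%d%H%M%S"             # the article's YYYYMMDDHHMMSS timestamp


def build_sign_string(params):
    """Step A: sort by parameter name, then concatenate name+value pairs."""
    return "".join(f"{k}{v}" for k, v in sorted(params.items()) if k not in UNSIGNED)


def md5_sign(params, secret):
    """Step B: MD5 of secret + parameter string, hex digest upper-cased."""
    raw = secret + build_sign_string(params)
    return hashlib.md5(raw.encode("utf-8")).hexdigest().upper()


def sign_request(params, key, secret, now=None):
    """Client side: add key and timestamp, then sign everything (timestamp included)."""
    now = now or datetime.now(timezone.utc)
    signed = dict(params)
    signed["key"] = key
    signed["timestamp"] = now.strftime(TS_FORMAT)
    signed["sign"] = md5_sign(signed, secret)
    return signed


class Verifier:
    """Server side: identity (key), integrity (sign), freshness (timestamp), single use (cache)."""

    def __init__(self, secrets, window=timedelta(minutes=5)):
        self.secrets = secrets        # key -> secret lookup (constructed store)
        self.window = window          # allowed clock skew / validity period (assumption)
        self.seen = set()             # (key, timestamp, sign) triples already accepted

    def verify(self, params, now=None):
        now = now or datetime.now(timezone.utc)
        key = params.get("key")
        secret = self.secrets.get(key)
        if secret is None:
            return "unknown key"
        ts = params.get("timestamp", "")
        try:
            sent = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "bad timestamp"
        if abs(now - sent) > self.window:
            return "expired"
        expected = md5_sign(params, secret)
        # compare_digest avoids leaking where the first differing byte is.
        if not hmac.compare_digest(expected, params.get("sign", "")):
            return "bad signature"
        replay_id = (key, ts, params["sign"])
        if replay_id in self.seen:
            return "replay"
        self.seen.add(replay_id)
        return "ok"


if __name__ == "__main__":
    now = datetime(2016, 3, 26, 14, 7, 0, tzinfo=timezone.utc)
    v = Verifier({APP_KEY: SECRET})
    req = sign_request({"page": "1"}, APP_KEY, SECRET, now=now)
    print(v.verify(req, now=now))                                   # ok
    print(v.verify(req, now=now))                                   # replay
    tampered = dict(req, page="2")
    print(v.verify(tampered, now=now))                              # bad signature
    print(v.verify(req, now=now + timedelta(minutes=10)))           # expired
```

The replay cache only needs to hold entries for as long as the timestamp window, since anything older is rejected as expired before the cache is consulted. `md5_sign` is the single place to change if a different algorithm is chosen, as the article suggests below; an HMAC over the same parameter string (for example `hmac.new(secret, raw, "sha256")`) keeps the rest of the flow unchanged.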

Sign signature security analysis:

The case above shows that the key to security is the secret that participates in the signature: the secret never takes part in the communication, so as long as the secret does not leak, requests cannot be forged.

The sign signature method above prevents information from being tampered with or forged to a certain extent and secures the communication. MD5 is used for the hash here; in practice everyone can substitute a custom signature algorithm according to actual requirements, for example RSA or SHA. Source of the related methods:
