Open API signature verification and the API Sign parameter
Don't worry, the source code is shared at the bottom. First, a question: how do you keep data secure when writing open API interfaces? Let's start with the security issues of an open API interface. When a client requests the server over HTTP POST or GET, it faces a number of security problems, such as:
- 1. Is the request source (identity) legitimate?
- 2. Have the request parameters been tampered with?
- 3. Is the request unique (that is, can it be replayed)?
To ensure data security during communication, we can use the parameter signature method for verification.
Case Analysis
We analyze the case of a backend interface (api) serving a mobile client (app):
Client: hereinafter referred to as app
Backend interface: hereinafter referred to as api
We use the app querying the product list as the example:
In the app, click the query button ==> call the api to run the query ==> return the query result ==> display it in the app
On to the code -_-!
1. No Verification Method
Api query interface:
App call: http://api.test.com/getproducts?Parameter1=value1&...
As shown above, this method is simple and crude: anyone can call the getproducts method to obtain the product list. That is a serious security problem, because the caller is never verified; anyone can pull the product list this way, leaking product information.
How can we verify the identity of the caller? How can we prevent parameter tampering?
II. MD5 parameter signature method
We optimized the api query product interface:
1. Allocate a key and a secret to the app.
2. Sign the request. When calling the api, the request parameters must be signed. The signature method is as follows:
A. Sort all request parameters by parameter name in alphabetical order and concatenate them as keyvaluekeyvalue...keyvalue. For example, sorting arong=1, mrong=2, crong=3 gives arong=1, crong=3, mrong=2; concatenating each parameter name with its value then gives the parameter string arong1crong3mrong2.
B. Prepend the secret to the parameter string and take its MD5 hash; the hex digest is converted to upper case. The result is the signature Sign.
New api code:
App call: http://api.test.com/getproducts?Key=App_key&Sign=BCC7C71CF93F9CDBDB88671B701D8A35&Parameter1=value1&Parameter2=value2&...
Note: the secret is only used to compute the signature. Never send it as a request parameter; this is what keeps the data secure.
As shown above, the Key and Sign parameters are added to the optimized request, so a request now needs a valid key and a correct signature Sign to obtain product data. This solves authentication and parameter tampering. Even if the request parameters are captured, the attacker never obtains the secret, because the secret is never transmitted, so no further legitimate requests can be forged.
But... is that enough? Careful students may notice: if I capture your complete link and keep reusing the same Key and Sign parameters, can't I still fetch the data? ...-_-! Yes, the above optimization is not enough.
Request uniqueness:
To prevent the request parameters from being reused, we need to ensure the uniqueness of the request, that is, a given request can be used only once, so that even if someone else captures the complete request link, it is useless.
Implementation of uniqueness: we add a timestamp (yyyyMMddHHmmss) to the request parameters above. The timestamp is also fed into the Sign algorithm as one of the request parameters.
New api:
App call:
http://api.test.com/getproducts?Key=App_key&Sign=BCC7C71CF93F9CDBDB88671B701D8A35&Timestamp=201603261407&Parameter1=value1&Parameter2=value2&...
As shown above, the timestamp lets the api check whether the request has expired. In this way, a captured complete request link becomes invalid.
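The signing steps A and B and the timestamp check above, as an added example in Python (not code from the post or from the Daimali.ISV project). It assumes the Sign parameter itself is excluded from the signed string while Key and Timestamp are signed like any other parameter, uses a constructed demo key/secret pair, and assumes a five-minute freshness window, which the post does not fix:

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed demo credentials; not values from the post or the Daimali.ISV project.
APP_KEYS = {"app_key_demo": "s3cret_demo"}
TIMESTAMP_FMT = "%Y%m%d%H%M%S"   # yyyyMMddHHmmss, as the post specifies
MAX_SKEW = timedelta(minutes=5)  # assumed freshness window; the post does not fix one


def build_sign_string(params):
    """Step A: sort by parameter name and concatenate name+value with no separator.
    Assumption: Sign itself is excluded; Key and Timestamp are signed like any parameter.
    sorted() orders by code point, so app and api must agree on this collation."""
    return "".join(f"{k}{params[k]}" for k in sorted(params) if k != "Sign")


def sign(params, secret):
    """Step B: prepend the secret, MD5 the string, upper-case the hex digest."""
    raw = (secret + build_sign_string(params)).encode("utf-8")
    return hashlib.md5(raw).hexdigest().upper()


def verify(params, now_str):
    """Server-side check: known Key, fresh Timestamp, matching Sign.
    now_str is the server clock in TIMESTAMP_FMT. Returns (ok, reason) for logging."""
    secret = APP_KEYS.get(params.get("Key", ""))
    if secret is None:
        return False, "unknown key"
    try:
        ts = datetime.strptime(params.get("Timestamp", ""), TIMESTAMP_FMT)
    except ValueError:
        return False, "bad timestamp"
    if abs(datetime.strptime(now_str, TIMESTAMP_FMT) - ts) > MAX_SKEW:
        return False, "expired"
    # Recompute over the received parameters; any tampering changes the digest.
    expected = sign(params, secret)
    # Constant-time compare so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected, params.get("Sign", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    req = {"Key": "app_key_demo", "Timestamp": "20160326140700",
           "mrong": "2", "arong": "1", "crong": "3"}
    req["Sign"] = sign(req, APP_KEYS["app_key_demo"])  # what the app does
    print(verify(req, "20160326140730"))                 # what the api does
```

The timestamp only bounds the replay window; a request captured and resent within MAX_SKEW still verifies, so the api should also reject a repeated (Key, Timestamp, Sign) seen inside that window.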
Sign signature security analysis:
From the above case we can see that the key to security is the secret that goes into the signature. The secret never takes part in the communication itself, so as long as it is not disclosed, requests cannot be forged.
Summary
The Sign signature method above can, to a certain extent, prevent information tampering and forgery and so secure the communication. MD5 is used here, but of course you can customize the signature algorithm as needed, for example RSA or SHA.
Source code sharing:
The source code has been hosted on the Code cloud: https://git.oschina.net/daimali/Daimali.ISV
Source: http://www.daimali.com/index.php/2016/04/27/241/