16. How does the app backend ensure communication security: url signature
During communication between the app and the backend, api requests may be intercepted or accidentally leaked. So how can we ensure the security of api requests? In this article, we introduce a common method for securing api requests: the url signature.


1. url Signature Details

In the previous article <15. User logon solution on the app backend>, after the server verifies that the user name and password are correct, it generates a random token string (for example "daf32da456hfdh") and maintains a mapping table in redis or memcache from token string to user information; for example, the token string "daf32da456hfdh" maps to the user ID "5". The server then returns the token string to the app, which uses it for authentication.


This authentication depends entirely on the token string. If a user's url is exposed, the token is very likely leaked along with it.


How can we prevent the token from being leaked? Do not transmit the token over the network at all.


Note that the url signature method is closely related to the previous article <15. How to design the user logon scheme on the app backend>. If you have not read it yet, please read it first.


(1) After the server verifies that the user name and password are correct, it returns the token string and user ID to the client, for example the token string "daf32da456hfdh" and user ID "5".


(2) Assume the api request is "test.com/user/info". An md5 signature is generated using the token string "daf32da456hfdh": md5("test.com/user/info&token=daf32da456hfdh") = sign


Therefore, after signing, the api request carrying the user ID becomes "test.com/user/info?UserId=5&sign=C99DC0C22437AC275C08CE4A9708B25A".


(3) After the server receives the url, it generates a signature with the algorithm from step (2) and compares it with the sign parameter. If the two are equal, the url is valid and the server continues to execute the api call.


The above method prevents the token from being leaked during api calls.


However, the above method has another problem: the api request "test.com/user/info?UserId=5&sign=C99DC0C22437AC275C08CE4A9708B25A" has no expiration time. If someone else obtains this request, they can call it again and again.


The improved method is to add a timestamp to the passed parameters. When the server finds that the timestamp is far from the current time, it determines that the url has expired.


But how can we keep the app's time and the server's time in sync when using a timestamp? Synchronize with the server's time at app startup, maintain an internal clock in the app, and take the timestamp from that internal clock rather than from the phone's system time. This prevents time inconsistency caused by the user changing the phone's clock.


This gives the following improved method:


(1) Assume the api request is "test.com/user/info". An md5 signature is generated using the token string "daf32da456hfdh" together with the timestamp: md5("test.com/user/info?UserId=5&token=daf32da456hfdh&timestamp=1425860757") = c%161a6f%343b6cecf08562f1371


Therefore, after signing, the api request carrying the user ID becomes "test.com/user/info?UserId=5&timestamp=1425860757&sign=c%161a6f%343b6cecf08562f1371".


(2) The server receives this api request. If it finds that the time at which the url was received is far from timestamp=1425860757, it determines that the url has been intercepted and is being replayed. If the time is valid, it uses the algorithm from step (1) to check whether the sign is consistent.
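The signing and verification steps above, written out as an added example (not code from the original article). It follows the article's scheme exactly: md5 over "path?UserId=..&token=..&timestamp=..", the token never sent on the wire, and a freshness check before the signature is compared. The window size, the user-id-keyed token table and the sample url are assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: how far (in seconds) the url's timestamp may drift from the
# server clock before the request is treated as expired.
SIGN_WINDOW_SECONDS = 300


def compute_sign(path, user_id, token, timestamp):
    """md5 over "path?UserId=..&token=..&timestamp=.." as the article describes."""
    raw = f"{path}?UserId={user_id}&token={token}&timestamp={timestamp}"
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def build_signed_url(path, user_id, token, timestamp):
    """Client side: the token stays on the device; only UserId, timestamp and sign are sent."""
    sign = compute_sign(path, user_id, token, timestamp)
    return f"{path}?" + urlencode({"UserId": user_id, "timestamp": timestamp, "sign": sign})


def verify_signed_url(url, tokens_by_user, now):
    """Server side. Returns "ok" or the reason the url was rejected.

    tokens_by_user stands in for the redis/memcache table from the article,
    keyed by user id so the server can look up the token for the claimed user.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        user_id = int(query["UserId"][0])
        timestamp = int(query["timestamp"][0])
        sign = query["sign"][0].lower()
    except (KeyError, ValueError):
        return "malformed"
    # Freshness first: a url outside the window is rejected before any hashing.
    if abs(now - timestamp) > SIGN_WINDOW_SECONDS:
        return "expired"
    token = tokens_by_user.get(user_id)
    if token is None:
        return "unknown user"
    expected = compute_sign(parts.path, user_id, token, timestamp)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sign):
        return "bad signature"
    return "ok"


# Constructed sample data mirroring the article's walkthrough.
SAMPLE_TOKENS = {5: "daf32da456hfdh"}
SAMPLE_URL = build_signed_url("test.com/user/info", 5, "daf32da456hfdh", 1425860757)
```

Note that a captured url still verifies as "ok" for any request arriving inside the window, so the window only bounds replay rather than preventing it; a per-request nonce would be needed to close that gap.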


2. url signature limitations

The url signature has two disadvantages:


1. When a user logs on for the first time, the token is returned in plaintext and may be intercepted.


2. The url signature only protects the token value; it cannot protect other sensitive data. For example, when a user updates his/her personal information, all of that information should be encrypted in transit.


How can we solve these two problems? With the symmetric encryption algorithm described in the next article.



Open the general directory of the app back-end article series (linked) to view all the original "app back-end" articles I have published.

[Author] Zeng Jiansheng
[QQ] 190678908
[App backend QQ group] 254659220
[Public account] appbackend
[Sina Weibo] @newjueqi
[Blog] http://blog.csdn.net/newjueqi
