I have heard of some signatures and symmetric encryption, but I don't know what to understand. How do you sign and encrypt them between servers and apps? How do you call signatures? Thank you.
Reply content:
An access token is one method. In the early days, the appid and appkey method was simple. For something more complex, you can use RSA encryption.
The original poster's question is how to implement encrypted communication to prevent external API calls. Here is a solution for you.
The server and the client each store a TOKEN. To prevent decompilation, we write it into a file using the C language and apply packing and obfuscation.
When the client accesses any interface of the server API, it must include a special field, which is the signature. The signature is generated as follows:
The accessed interface name + timestamp + encrypted TOKEN are hashed together with MD5, and the client submits its local timestamp to the server as a plaintext parameter.
The server first verifies the two parameters. It checks the timestamp: if it differs from the server's time by more than plus or minus one minute, the server rejects the access (this prevents captured packets from being sent to the server repeatedly; the plus or minus one minute allows for clock error and is an adjustable parameter).
Then the server generates a new signature with MD5 from the requested API address, the submitted timestamp and its locally stored token, and compares the two signatures. If they match, verification passes and the request goes on to the API logic.
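The signing and verification steps from the reply above, as an added Python example that is not part of the original thread. The token, the function names and the clock value are constructed for illustration; `sign_hmac` and the `seen` replay cache go beyond what the post describes and are labelled as such in the code.

```python
import hashlib
import hmac

TOKEN = b"constructed-demo-token"  # constructed sample; shared by client and server
MAX_SKEW = 60                      # seconds: the post's "plus or minus one minute"


def sign_md5(api, ts, token=TOKEN):
    """The post's scheme: MD5 over interface name + timestamp + token."""
    return hashlib.md5(f"{api}{ts}".encode() + token).hexdigest()


def sign_hmac(api, ts, token=TOKEN):
    """Swapped-in variant, not from the post: HMAC-SHA256 keyed with the token.
    The newline separator keeps the name/timestamp boundary unambiguous."""
    return hmac.new(token, f"{api}\n{ts}".encode(), hashlib.sha256).hexdigest()


def verify(api, ts_param, signature, now, sign=sign_md5, seen=None):
    """Server-side check. Returns (accepted, reason); `now` is epoch seconds."""
    try:
        ts = int(ts_param)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside window"
    expected = sign(api, ts)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), str(signature).encode()):
        return False, "signature mismatch"
    # Optional addition (not in the post): remember accepted signatures so a
    # captured request cannot be resubmitted inside the window.
    if seen is not None:
        if expected in seen:
            return False, "replayed"
        seen.add(expected)
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed server clock
    sig = sign_md5("/user/list/", now - 5)
    print(verify("/user/list/", now - 5, sig, now))    # fresh request
    print(verify("/user/list/", now - 300, sig, now))  # stale timestamp
    print(verify("/user/info/", now - 5, sig, now))    # signature for another API
```

Without a `seen` set, the same signed request verifies again for as long as its timestamp stays inside the window; entries older than the window can be dropped from the set.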
Most servers and apps are called through interfaces, such as the user list: /User/list/
There is an encrypted token in the POST to /user/list/, which is used to verify whether you are a legitimate visitor. And now many development platforms such.
This is an example of valid signature verification. They use encryption mechanisms and tokens to perform secondary encryption, and then obtain valid verification.
You can join the group: 231566327 for further discussion.
What about signatures and symmetric encryption? Generally, signatures use asymmetric encryption algorithms. For example, suppose your company has two systems (A and B) that can trust each other, but you do not want to have to enter the user name and password when logging on from A to B (because this will leak the user). Then you can configure an asymmetric encryption signature method. For example, A stores the private key of the asymmetric encryption algorithm and B stores the corresponding public key. Use the private key in A to encrypt something and upload it to B. Then B can use the public key to prove the identity of A, which is indeed from.
Not to mention asymmetric encryption ///
Https flood