How to ensure communication security--aes symmetric encryption **17.app back end

In the above "16.app back-end how to ensure communication security--url signature" mentioned, URL signature has two shortcomings, these two shortcomings, if the use of symmetric encryption method, you can completely avoid these two shortcomings. In this article, we will introduce the specific principles of symmetric encryption, and detailed solutions to make app communication more secure.

1. Principle of symmetric encryption

Using the encryption method of single-key cryptosystem, the same key can be used as the encryption and decryption of information, which is called symmetric encryption, also known as single-key encryption.


In fact, it is very simple, assuming that there is the original data "1000", 1000 plus 5 to get the ciphertext "1005", the ciphertext "1005" minus 5 to get the original data "1000". The original data plus 5 is the encryption algorithm, the ciphertext minus 5 is the decryption algorithm, the key is 5.


This paper uses AES as a general symmetric encryption algorithm.

2. Application of AES algorithm in API request

(1) About Curl


In the following example, the Curl tool is used to introduce a brief introduction.


Curl is an open source file Transfer tool that works with URL syntax in the command line mode.


The parameters to use:


-x: Specify what commands, such as Post,get, and so on.


-H: Specifies the HTTP header.


-D: Make HTTP body content


(2) How to guarantee the safety of token upon initial return


Return the encrypted token with the following API


Curl-x POST \


-H "token-param:< timestamp >,<sdkversion>" \


-d ' Base64Encode (AES (token, secretkey)) '


Http://test.com/api/login


The Secretkey is the key, using the 16-bit length in the Token-param in the HTTP header.


The method of encrypting tokens when the server returns is encrypted with AES and the key is Secretkey.


The client decrypts token by using AES decryption, the key is Secretkey.


(3) Encryption in the API request


Assume that the API call to update user data is as follows


Curl-x POST \


-H "token-param:< timestamp >,<sdkversion>" \


-H ' Token:base64encode (AES (Token, Secretkey)) '


-d ' Base64Encode (AES (date, token)) '


Http://test.com/api/user/update


Secretkey uses the 16-bit length from the Token-param in the HTTP header.


In the example above, data is the actual one to post.


In this process, token and post data are protected by encryption.


The process of encrypting when the client sends


(1) Take the 16-bit length of the Token-param in the HTTP header as the key, encrypt tokens with AES.


(2) Use token as the key to encrypt data with AES.


The server receives the decryption process for this API request:


(1) Take the HTTP header of the Token-param in the 16-bit length as the key, with AES decryption, get token.


(2) Use token as the key, decrypt the contents of HTTP body with AES, get the original text.

3. Summary of Symmetric encryption methods

When the token is returned, it is possible to make a contract to intercept a part of a string as the key at the time of the return, which is used only once to decrypt tokens, and then only tokens are used to make the secret key.

http://blog.csdn.net/newjueqi/article/details/44177063

How to ensure communication security--aes symmetric encryption **17.app back end