Interface Security Mechanisms

Source: Internet
Author: User

HMAC-SHA1 (a message authentication code built on the SHA1 hash algorithm) is a keyed hash algorithm. The HMAC construction mixes the key with the message data, hashes the mixed result, mixes that hash value with the key again, and then applies the hash function a second time. The resulting hash value is 160 bits long.

Although the Secure Hash Algorithm (SHA1) is an irreversible cryptographic hash, hashing the same content always produces the same result, so the original data can be recovered by brute-force computation (trying candidate inputs until the hash matches). HMAC-SHA1 therefore adds a key on top of SHA1; as a result, the protected information cannot be cracked as long as the key is not compromised.

During interface verification, the client computes HMAC-SHA1 over the data parameters it is about to send, together with the timestamp of the moment of sending and the key, and includes the resulting signature as a request parameter. The server recomputes the value with its locally saved key and compares it with the signature the client supplied; if the two match, authorization succeeds.

With the HMAC-SHA1 signature, malicious modification of the request parameters can be prevented: if a parameter is modified, the signature changes as well, so simply editing the parameters causes the server's authorization check to fail. In addition, the timestamp is included among the signed parameters, and if it differs too much from the server's time the request is discarded.

Interface validation is implemented on the Beego framework, using the filters it provides. The filter registration function is:

```go
beego.InsertFilter(pattern string, pos int, filter FilterFunc)
```

Three parameters:

    • pattern: the routing rule the filter applies to; use * to match every route
    • pos: the point at which the filter is executed; there are four fixed values, each representing a different stage of request processing
      • BeforeRouter: before route lookup
      • BeforeExec: after the route is found, before the matching Controller starts executing
      • AfterExec: after the Controller logic has been executed
      • FinishRouter: after all routing logic has finished
    • filter: the filter function, of type FilterFunc func(*context.Context)

The routing rule decides which requests the filter matches, and there are four positions at which a filter can run. Here we verify the request parameters, so running the check as early as possible avoids unnecessary work later; BeforeRouter is therefore the best choice. The check function is as follows:

```go
import (
	"fmt"
	"net/http"
	"strconv"
	"time"

	"github.com/astaxie/beego/context"
)

func FilterOauth(ctx *context.Context) {
	// Parse the client's Unix timestamp (seconds).
	timestamp, err := strconv.ParseInt(ctx.Input.Query("timestamp"), 10, 64)
	if err != nil {
		ctx.Abort(http.StatusUnauthorized, "") // Abort panics in beego; return is defensive
		return
	}
	timestamp_t := time.Unix(timestamp, 0)
	now_t := time.Now()
	// Reject requests whose timestamp is more than 10 minutes away from server time,
	// in either direction (a future-dated timestamp must not pass either).
	diff := now_t.Sub(timestamp_t)
	if diff < 0 {
		diff = -diff
	}
	if diff.Minutes() > 10 {
		fmt.Println(timestamp_t, "Duration is too long")
		ctx.Abort(http.StatusUnauthorized, "")
		return
	}
	size := ctx.Input.Query("size")
	if size == "" {
		ctx.Abort(http.StatusUnauthorized, "")
		return
	}
	sign := ctx.Input.Query("sign")
	if sign == "" {
		ctx.Abort(http.StatusUnauthorized, "")
		return
	}
	// The client signs size + timestamp; reject the request when the MAC does not match.
	if !CheckMAC(size+timestamp_t.String(), sign, "seckey") {
		fmt.Println("Verify error")
		ctx.Abort(http.StatusUnauthorized, "")
		return
	}
}
```

The check covers the size parameter and the timestamp; the incoming sign parameter is compared against the locally computed signature. The filter function receives the request context object *context.Context. If the incoming timestamp and the system time differ by more than 10 minutes, the request is treated as expired.

The check function uses the Golang crypto/hmac and crypto/sha1 packages:

```go
import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
)

// CheckMAC recomputes HMAC-SHA1(key, message) and compares it with the hex signature the client sent.
func CheckMAC(message, sign, key string) bool {
	mac := hmac.New(sha1.New, []byte(key))
	mac.Write([]byte(message))
	expected := hex.EncodeToString(mac.Sum(nil))
	// hmac.Equal compares in constant time; a plain == would leak timing information.
	return hmac.Equal([]byte(expected), []byte(sign))
}
```

The MAC output is of type []byte, which needs to be converted into a readable hexadecimal string; the encoding/hex package does this.
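The scheme described above (client signs size + timestamp with the shared key, server recomputes and compares within a 10-minute window) as a complete, framework-free example. This is added here and is not the article's code: it uses only the Go standard library instead of Beego, the `|` separator in signingString, the SignedQuery/Verify/AuthMiddleware names and the demo key "seckey" are assumptions, and the timestamp is signed as the raw Unix-seconds string rather than time.Time.String() so that a client in any time zone can reproduce it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"time"
)

// MaxSkew is the accepted difference between client and server clocks (10 minutes, as in the article).
const MaxSkew = 10 * time.Minute

// signingString is the exact byte string both sides MAC over. The separator
// prevents size="1", ts="23..." and size="12", ts="3..." from colliding (assumption: "|").
func signingString(size, timestamp string) string {
	return size + "|" + timestamp
}

// Sign returns hex(HMAC-SHA1(key, message)).
func Sign(message, key string) string {
	mac := hmac.New(sha1.New, []byte(key))
	mac.Write([]byte(message))
	return hex.EncodeToString(mac.Sum(nil))
}

// CheckMAC verifies a hex-encoded signature using a constant-time comparison.
func CheckMAC(message, sign, key string) bool {
	got, err := hex.DecodeString(sign)
	if err != nil {
		return false // not even valid hex: reject without touching the key
	}
	mac := hmac.New(sha1.New, []byte(key))
	mac.Write([]byte(message))
	return hmac.Equal(got, mac.Sum(nil))
}

// SignedQuery is the client side: parameters + timestamp + sign.
func SignedQuery(size string, now time.Time, key string) url.Values {
	ts := strconv.FormatInt(now.Unix(), 10)
	q := url.Values{}
	q.Set("size", size)
	q.Set("timestamp", ts)
	q.Set("sign", Sign(signingString(size, ts), key))
	return q
}

// Verify is the server side. now is passed in so the window check is testable.
func Verify(q url.Values, now time.Time, key string) error {
	tsStr := q.Get("timestamp")
	ts, err := strconv.ParseInt(tsStr, 10, 64)
	if err != nil {
		return fmt.Errorf("bad timestamp")
	}
	skew := now.Sub(time.Unix(ts, 0))
	if skew < 0 {
		skew = -skew // future-dated requests are rejected too
	}
	if skew > MaxSkew {
		return fmt.Errorf("timestamp outside %v window", MaxSkew)
	}
	size, sign := q.Get("size"), q.Get("sign")
	if size == "" || sign == "" {
		return fmt.Errorf("missing parameter")
	}
	// Recompute over the raw timestamp string the client actually sent.
	if !CheckMAC(signingString(size, tsStr), sign, key) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// AuthMiddleware plays the role of the Beego BeforeRouter filter for net/http.
func AuthMiddleware(key string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := Verify(r.URL.Query(), time.Now(), key); err != nil {
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	key := "seckey" // constructed demo key; load from configuration in real use
	now := time.Now()
	q := SignedQuery("10", now, key)
	fmt.Println("valid:   ", Verify(q, now, key))
	q.Set("size", "9999") // tamper with a signed parameter
	fmt.Println("tampered:", Verify(q, now, key))
	fmt.Println("stale:   ", Verify(SignedQuery("10", now.Add(-time.Hour), key), now, key))
}
```

Verify rejects in the same order as the article's filter: unparsable timestamp, stale or future-dated timestamp, missing parameters, and finally a signature that does not match. Keeping the client's timestamp as the literal string it sent, rather than re-formatting a time.Time, is what makes the signing string reproducible on both sides.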

Interface encryption can also use HTTPS transport encryption; I do not understand this yet and will write about it once I do.
