How much do you know about the signature and authentication of API interfaces?
Recently I have been doing some third-party interface integration work. To keep the interaction secure and prevent data from travelling in the clear ("running naked") during transmission, signing and authentication are essential.
2.1. Starting with login verification
This is generally used for interface calls between our own internal projects: the user logs in -> a token is generated and stored -> each interface request carries the token, which is verified. The token can also be made global to support single sign-on.
2.2. Let’s talk about using token verification
① When we connect to third-party interfaces, or provide interfaces to third parties, this mode is used less often. First, the token carried in the request is usually transmitted in plain text; anyone interested can simply extract it and use it for other purposes (anyone who has written crawlers will be very familiar with this).
② Connecting to a third-party interface is mostly a matter of joining or binding systems; a login rarely happens before the interface is called, and from a security point of view this method is not safe and its security still needs to be improved.
2.3. Solution
In fact, this problem already has a fairly complete solution: both parties agree on a public key and a private key (in practice an app identifier and a shared secret, not an asymmetric key pair), then follow a specific algorithm (MD5, SHA256) to generate a signature. The caller carries the signature along with the other data when calling the interface; the provider generates a signature in the same agreed way when it receives the call, and the two are compared. If the signatures match, the request passes the initial check; if not, the request is rejected.
3.1. Overall idea
Both parties generate the signature with the same agreed algorithm (its inputs include the public key, a timestamp, and the request parameters). When I receive a request, I first check whether the public key exists in our agreed key pool, then verify that the signature matches and that the timestamp is still within the validity window, and finally check the validity of the parameters. If any intermediate step fails, the corresponding error response is returned.
PS: some of the business parameters can also take part in the signature.
3.2. Signature algorithm
The most important thing here is the signature algorithm. The operation steps are as follows:
① Receive the parameters in a Map, then sort the names of the non-empty parameters by ASCII code from small to large
② Splice them into a string in URL key-value form (key1=value1&key2=value2...)
③ Append the private key to the string generated above to get a new string signStr, and run SHA256 over signStr to get signShaStr
④ Finally, convert signShaStr to uppercase to get the final signature
4.1. signBuildUtil
4.2. SHA256 operation
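The following is an added example (not the original article's signBuildUtil, whose code is not reproduced on this page) that implements the four signing steps from 3.2 and the verification order from 3.1: key-pool lookup, signature comparison, timestamp window, then parameter validity. The key pool, the field names `publicKey`, `timestamp` and `sign`, the 300-second window and the sample request values are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed key pool: public key (app identifier) -> private key (shared secret).
KEY_POOL = {"demo_public_key": "demo_private_key_0123456789"}

SIGN_FIELD = "sign"            # assumed name of the signature field
TIME_WINDOW_SECONDS = 300      # assumed validity window for the timestamp


def build_sign(params, private_key):
    """Steps ① to ④ of the signature algorithm."""
    # ① keep non-empty parameters (the signature itself never signs itself)
    #    and sort the names by ASCII code, smallest first
    items = sorted(
        (k, str(v)) for k, v in params.items()
        if k != SIGN_FIELD and v is not None and str(v) != ""
    )
    # ② splice as key1=value1&key2=value2 ...
    joined = "&".join(f"{k}={v}" for k, v in items)
    # ③ append the private key and hash with SHA256
    sign_str = joined + private_key
    sign_sha_str = hashlib.sha256(sign_str.encode("utf-8")).hexdigest()
    # ④ uppercase the hex digest
    return sign_sha_str.upper()


def sign_request(params, public_key, private_key, timestamp=None):
    """Caller side: add publicKey and timestamp, then attach the signature."""
    signed = dict(params)
    signed["publicKey"] = public_key
    signed["timestamp"] = str(int(time.time()) if timestamp is None else timestamp)
    signed[SIGN_FIELD] = build_sign(signed, private_key)
    return signed


def verify_request(request, key_pool=KEY_POOL, now=None,
                   window=TIME_WINDOW_SECONDS, required=()):
    """Provider side, in the order described in 3.1.

    Returns (ok, reason) so the caller can map the reason to a receipt message.
    """
    now = int(time.time()) if now is None else now

    # 1. the public key must exist in the agreed pool
    public_key = request.get("publicKey")
    if public_key not in key_pool:
        return False, "unknown public key"
    private_key = key_pool[public_key]

    # 2. recompute the signature and compare in constant time
    expected = build_sign(request, private_key)
    presented = str(request.get(SIGN_FIELD, ""))
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"

    # 3. the signed timestamp must fall inside the validity window
    try:
        ts = int(request.get("timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > window:
        return False, "timestamp expired"

    # 4. business parameter validity (here: required fields are present)
    missing = [name for name in required if not request.get(name)]
    if missing:
        return False, "missing required parameter: " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request signed with the demo key pair.
    req = sign_request({"orderId": "A100", "amount": "9.90"},
                       "demo_public_key", KEY_POOL["demo_public_key"])
    print(req[SIGN_FIELD])
    print(verify_request(req, required=("orderId",)))
    tampered = dict(req, amount="0.01")
    print(verify_request(tampered, required=("orderId",)))
```

Because the timestamp is part of the signed string, a replayed request with an old timestamp fails the window check, and moving the timestamp forward invalidates the signature; this is the point made in 5.2.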
5.1. Important business parameters can be included in the signature
5.2. Including a timestamp in the signature not only makes signatures harder to predict, but also serves as the basis for the validity-time check
5.3. It is best to have good documentation conventions and to maintain the public and private keys carefully