Operation and Maintenance
Safety
What is a simple and secure API authorization mechanism based on signature algorithm?
What is a simple and secure API authorization mechanism based on signature algorithm?
When I was working on an advertising system, I found that the advertising systems of most of the platforms I connected to used tokens to authorize interfaces, and this token remained unchanged and was provided by advertisers. It can be said that this is the streaking interface. However, this interface does not have high security requirements. It can only prevent malicious calls and verify the identity of the channel.
Last year, the author wrote an API unified authorization platform, which provides unified authorization management for internal service open interfaces and third-party system calls. Apart from facilitating management interface authorization, it has no other purpose, but it costs money to deploy. This is probably the most pointless project I've ever done.
The API authorization mechanism introduced today may also be a more widely used API interface authorization mechanism. I remember that when the author used to do the WeChat payment function, the payment interface provided by WeChat also used this method: signature. Advantages: Simple, no impact on performance, no additional cost.
The implementation logic of this authorization method is that the authorizer sets a unique identity (key) and independent key for each access platform, which is actually equivalent to an account password. The accessing system is required to carry three parameters in the request header every time it initiates a request, namely the identity (key), the timestamp of the request, and the signature. The authorizing system verifies the signature when receiving the request. The request will be released only if it passes.
The process of verifying the signature is to obtain the key and timestamp from the request header, then generate a signature using the same algorithm based on the key (the caller and the authorizer use the same signature algorithm), and finally compare the signature obtained from the request header Whether they are equal, if so, the verification is successful, otherwise the verification fails.
The implementation process of the authorization method based on signature algorithm is as follows:
Authorizer:
1. Define the signature algorithm and provide the signature generation algorithm for access Party, and generate a key and identity for the access party;
2. Intercept the interface that needs to verify the signature in the project, obtain the timestamp and identity from the request header, and generate a signature based on the key and signature algorithm , compare the generated signature with the signature obtained from the request header, if they are the same, continue to step 3, otherwise reject the request;
3. Verify the timeliness of the request, use the current system timestamp and the signature obtained from the request header Compare the timestamps received, and if the request is within the valid time range, the request will be released, otherwise it will be rejected and the signature will be expired.
Access party:
1. Obtain the docking document from the authorized party, and ask the authorized party for the key and identity;
2. Encapsulate the signature method according to the signature generation algorithm provided in the document;
3. When initiating a request, write the identity identifier, current timestamp, and signature into the request header.
The signature generation algorithm can be customized. For example, after splicing the identity (key), timestamp (timestamp) and key together, an irreversible algorithm is used to encrypt the string to generate a signature, such as MD5. algorithm. The more complex the rules, the harder they are to crack.
What are the benefits of adding a timestamp to a signature?
The first is to add timeliness to the signature. The authorization system can limit the validity time of the signature to one second or five seconds, using the request timestamp to compare with the current timestamp. However, the system time of both parties must be correct.
The second is security. If a hacker intercepts the request of your system, then modifies the request and then initiates the request, it will definitely take time, so when the system receives the tampered request, the validity period of the signature It has passed. If you change the timestamp passed in the request header, the authorizing system of the request will generate a different signature than the one passed in the request header, so the request will still be invalid.
If you don’t know the key, you cannot generate a valid signature without understanding the signature rules of the authorized party (broiler). Files signed using an asymmetric encryption algorithm make it nearly impossible to crack the key through brute force.
Then why use timestamp instead of formatting time string?
This may be due to consideration of time zone compatibility. If different computer rooms are in different time zones, the time will be different, but the timestamp All the same.
In order to maximize the security of this authorization method, first of all, the rules for generating signatures must be complex enough, then the encryption algorithm of the signature must be irreversible, never use an algorithm like Base64, and finally, the key must be sufficient It is sufficiently complex to ensure that even if the signature generation rules are known, it is impossible to brute force the key.
Signature rules refer to the rules for generating signature strings before encryption. For example, the rules include key, key, and timestamp, where key and key will appear twice. Assume that the key is "app", the secret key is "123", the timestamp is "11111111111111", the pre-encrypted signature generated by splicing is "app1231111111111111app123", and finally the spliced string is encrypted through the encryption algorithm to generate the final signature.
Isn’t it troublesome to write the signature logic for each interface?
No. For the authorizer, the signature verification logic can be completed through filters or interceptors; for the caller, there are different methods using different frameworks, but we can always find a way to only write the signature logic once, right?
The above is the detailed content of What is a simple and secure API authorization mechanism based on signature algorithm?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
PHP and Manticore Search Development Guide: Quickly Create a Search API
Aug 07, 2023 pm 06:05 PM
PHP and ManticoreSearch Development Guide: Quickly Create a Search API Search is one of the indispensable features in modern web applications. Whether it is an e-commerce website, social media platform or news portal, it needs to provide an efficient and accurate search function to help users find the content they are interested in. As a full-text search engine with excellent performance, ManticoreSearch provides us with a powerful tool to create excellent search APIs. This article will show you how to
How to crawl and process data by calling API interface in PHP project?
Sep 05, 2023 am 08:41 AM
How to crawl and process data by calling API interface in PHP project? 1. Introduction In PHP projects, we often need to crawl data from other websites and process these data. Many websites provide API interfaces, and we can obtain data by calling these interfaces. This article will introduce how to use PHP to call the API interface to crawl and process data. 2. Obtain the URL and parameters of the API interface. Before starting, we need to obtain the URL of the target API interface and the required parameters.
How to deal with Laravel API error problems
Mar 06, 2024 pm 05:18 PM
Title: How to deal with Laravel API error problems, specific code examples are needed. When developing Laravel, API errors are often encountered. These errors may come from various reasons such as program code logic errors, database query problems, or external API request failures. How to handle these error reports is a key issue. This article will use specific code examples to demonstrate how to effectively handle Laravel API error reports. 1. Error handling in Laravel
Save API data to CSV format using Python
Aug 31, 2023 pm 09:09 PM
In the world of data-driven applications and analytics, APIs (Application Programming Interfaces) play a vital role in retrieving data from various sources. When working with API data, you often need to store the data in a format that is easy to access and manipulate. One such format is CSV (Comma Separated Values), which allows tabular data to be organized and stored efficiently. This article will explore the process of saving API data to CSV format using the powerful programming language Python. By following the steps outlined in this guide, we will learn how to retrieve data from the API, extract relevant information, and store it in a CSV file for further analysis and processing. Let’s dive into the world of API data processing with Python and unlock the potential of the CSV format
React API Call Guide: How to interact and transfer data with the backend API
Sep 26, 2023 am 10:19 AM
ReactAPI Call Guide: How to interact with and transfer data to the backend API Overview: In modern web development, interacting with and transferring data to the backend API is a common need. React, as a popular front-end framework, provides some powerful tools and features to simplify this process. This article will introduce how to use React to call the backend API, including basic GET and POST requests, and provide specific code examples. Install the required dependencies: First, make sure Axi is installed in the project
Oracle API Usage Guide: Exploring Data Interface Technology
Mar 07, 2024 am 11:12 AM
Oracle is a world-renowned database management system provider, and its API (Application Programming Interface) is a powerful tool that helps developers easily interact and integrate with Oracle databases. In this article, we will delve into the Oracle API usage guide, show readers how to utilize data interface technology during the development process, and provide specific code examples. 1.Oracle
Oracle API integration strategy analysis: achieving seamless communication between systems
Mar 07, 2024 pm 10:09 PM
OracleAPI integration strategy analysis: To achieve seamless communication between systems, specific code examples are required. In today's digital era, internal enterprise systems need to communicate with each other and share data, and OracleAPI is one of the important tools to help achieve seamless communication between systems. This article will start with the basic concepts and principles of OracleAPI, explore API integration strategies, and finally give specific code examples to help readers better understand and apply OracleAPI. 1. Basic Oracle API
How to develop a simple CRUD API using MongoDB
Sep 19, 2023 pm 12:32 PM
How to use MongoDB to develop a simple CRUD API In modern web application development, CRUD (Create, Delete, Modify, Check) operations are one of the most common and important functions. In this article, we will introduce how to develop a simple CRUD API using MongoDB database and provide specific code examples. MongoDB is an open source NoSQL database that stores data in the form of documents. Unlike traditional relational databases, MongoDB does not have a predefined schema
