Imagine a scene: a close friend you have not heard from in a long time suddenly messages you on WeChat, "Bro, lend me 10000, it's urgent." How would you react?
I think most people's first reaction is: Has his account been stolen? Is this really him?
This is actually an everyday communication problem. Calling an API and passing data between systems is no different from chatting with a friend on WeChat: any data transmitted in an open environment may be intercepted or even tampered with. Data transmission is therefore inherently risky and must be encrypted.
At its core, encryption solves two problems:
In ancient times people wrote letters that were carried by a courier over a long road. To keep important contents from being discovered, they wrote the letters in ciphertext. For example, to express "800 soldiers go up the north slope" I would write "800north", and the recipient knows how to read it. Even if someone on the road intercepts and peeks at the letter, they cannot understand what it says. At the same time I sign the end of the letter in my own handwriting and put my token (such as a feather) in the box, so the recipient knows the letter came from me.
This is called a "symmetric cipher": the sender encrypts in one way and the receiver decrypts in the corresponding way. What are the disadvantages?
If you transmit frequently, it is easy to work out the rules of the cipher. For example, I will soon notice that you always include a feather when you send a letter, so I can get a feather and impersonate you in the future. Besides, if I want to send letters to many people, I must tell every one of them my encryption method, and one of them may be a mole who sells it.
Because Internet transmissions are so numerous and frequent, relying on a symmetric cipher is clearly unsafe. The concept of the "asymmetric cipher" was therefore built on top of the symmetric cipher.
A popular explanation: A wants to send a message to B, so B first gives A a box. A puts the letter in the box and locks it. Once it is locked, even A cannot open it or take the letter out, because only B holds the key. Even if the box is intercepted on the road, nobody else can open it and see the information inside. Finally B receives A's letter safely, and the information is not leaked.
Now we have a good understanding of how the public key and private key work in the one-way scenario where A sends messages to B.
Summary:
(1) The signature can be obtained by anyone, and it does not matter if it is obtained or even cracked, because the signature does not contain the core content.
(2) The important content can only be decrypted by the receiver; anyone else who obtains it cannot decrypt it.
(3) The receiver B only proceeds to the next step after verifying that the signer is A. Messages sent by Tom, Dick or Harry are not executed.
Possible situations for an attacker C:
(1) He can see that the message was sent by A, but he cannot read the encrypted content.
(2) He can also send a message to the receiver B using B's public encryption method, but he cannot forge the signature of the sender A, so B will not accept C's request.
(2) Asymmetric encryption with public and private keys + symmetric encryption with a session key
The public/private key encryption explained in the previous section is standard and secure, but asymmetric encryption is computationally expensive, and we still want to improve the responsiveness of the program while keeping it secure. Therefore, another method in mainstream use today is asymmetric encryption with public and private keys combined with symmetric encryption with a session key.
(1) Once B sends A a temporary, time-limited encryption method (the session key), the rest of the communication becomes symmetric encryption;
(2) The core of this method is timeliness: the session key must be renewed within a short time, otherwise the fixed rules can easily be obtained and cracked.
Possible situations for an attacker C:
(1) He obtains the encrypted session key sent by B, but cannot work out what the session key is, because the decryption method is in A's hands;
(2) By various means C cracks the encryption and decryption method of the session key, but because the time limit has passed and the session key has been renewed, C's effort is wasted;
(3) C cracks the session key within the time limit, but still cannot forge A's signature.
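The two mechanisms above, A's signature so that B can tell the sender is A, B's public key as the box that C cannot open, and the short-lived session key, as an added Go example that is not code from the original article or from any WeChat platform. The Envelope format, the function names, Ed25519 for A's signature and RSA-OAEP for B's box are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strconv"
	"time"
)
// Envelope is a constructed wire format: the session key sealed to B's public key, an
// expiry, and A's signature over both, so B can tell the sender is A and not C.
type Envelope struct {
	SealedKey []byte // RSA-OAEP ciphertext of the 256-bit session key; only B's private key opens it
	Expiry    int64  // unix seconds; B refuses the key after this moment (the "timeliness" rule)
	Sig       []byte // A's Ed25519 signature over SealedKey || Expiry; C cannot forge it
}
// signed returns the bytes A signs and B verifies: ciphertext followed by the decimal expiry.
func (e *Envelope) signed() []byte {
	return strconv.AppendInt(append([]byte(nil), e.SealedKey...), e.Expiry, 10)
}
// NewEnvelope is A's side: draw a fresh session key, seal it for B, sign it as A.
func NewEnvelope(aPriv ed25519.PrivateKey, bPub *rsa.PublicKey, ttl time.Duration) ([]byte, *Envelope, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand; treated as infallible here for brevity
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	e := &Envelope{SealedKey: sealed, Expiry: time.Now().Add(ttl).Unix()}
	e.Sig = ed25519.Sign(aPriv, e.signed())
	return key, e, nil
}
// OpenEnvelope is B's side: reject unless signed by A and still within the time limit, then unseal.
func OpenEnvelope(bPriv *rsa.PrivateKey, aPub ed25519.PublicKey, e *Envelope, now time.Time) ([]byte, error) {
	if !ed25519.Verify(aPub, e.signed(), e.Sig) {
		return nil, fmt.Errorf("signature is not A's, request rejected")
	}
	if now.Unix() > e.Expiry {
		return nil, fmt.Errorf("session key expired, request rejected")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, bPriv, e.SealedKey, nil)
}
func main() {
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader) // A's signing pair
	bPriv, _ := rsa.GenerateKey(rand.Reader, 2048)      // B's "box": public key seals, private key opens
	key, env, _ := NewEnvelope(aPriv, &bPriv.PublicKey, time.Minute)
	got, err := OpenEnvelope(bPriv, aPub, env, time.Now())
	fmt.Println(err == nil && string(got) == string(key)) // true: B recovers A's session key
}
```

After OpenEnvelope succeeds, both sides hold the same 32-byte key and can switch to cheap symmetric encryption (for example AES-GCM) for the rest of the session.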
The above are two common encryption and decryption methods. Every open platform introduces its secure encryption and decryption method for API calls at the beginning of its overview, and understanding it is an essential preparation step in every integration. For example, the overview of the WeChat enterprise platform describes using the second method (which Enterprise WeChat calls access_token) for encrypted transmission.
The above are the basic principles of API signature verification and encryption and decryption. Next I will continue with the request modes of APIs, and explain the functions supported by the various existing platforms using the services of large open platforms such as Enterprise WeChat and the WeChat Open Platform.
That is all; my level is limited, so if there are any mistakes, please point them out.
Author: just love to sleep. I have worked in product roles in the e-commerce and financial industries for 3 years, currently mainly on B2B business. These articles record my thoughts and ideas from product work, and I hope friends with ideas will get in touch.
The title image comes from Unsplash and is licensed under CC0.