How much do you know about the signature and authentication of API interface?
Recently I have been doing some integration work with third-party interfaces. With the security of the exchange in mind, signing and authentication are essential, otherwise the data travels unprotected in transit.

2.1 Starting from login verification

This is the pattern commonly used for interface calls between our own internal projects: the user logs in -> a token is generated and stored -> each interface request carries the token, which is checked on arrival. The token can also be shared globally to provide single sign-on.

2.2 Problems with token authentication

① When we integrate with a third party, or expose interfaces to one, this pattern is seldom used. First, the token is carried in the request and is often transmitted in the clear; anyone who can observe the traffic can extract it and replay it to do other things (anyone who has written web crawlers will find this very easy).

② A third-party integration is mostly an onboarding or binding relationship, and it is rare for the caller to log in before calling the interface. So, for security reasons, this approach needs to be strengthened.

2.3 Solution

There is in fact a fairly mature solution to this problem: the two parties agree on a key pair, a public key (really an app identifier, sent with every request) and a private key (a shared secret that is never sent), and derive a signature from the request data and the secret using a fixed hash algorithm (MD5 or SHA256; note that these are hashes, not encryption, and MD5 should no longer be chosen for new designs). The caller sends the signature together with the other data; the provider recomputes the signature from the same data and the same secret when it receives the call, and compares the two. If the signatures match, the request passes this first check; if not, it is rejected.

3.1 The overall idea

A fixed signature algorithm is run on both sides from the same inputs (the public key, a timestamp and the request parameters). When we receive a request we first check that the public key exists in our designated key pool, then check that the signature matches and that the timestamp is still within the validity window, and finally check that the parameters themselves are legal. If any of these steps fails, the corresponding error response is returned.

PS: Not every parameter has to take part in the signature; the two parties agree on which ones do.

3.2 Signature algorithm

The most important piece is the signature algorithm itself. Its steps are as follows:

① Receive the parameters in a Map, then sort the non-empty parameters by parameter name in ascending ASCII order.

② Concatenate them as URL key-value pairs (key1=value1&key2=value2...) into one string.

③ Append the private key to that string to get a new string signStr, and run SHA256 over signStr to get signShaStr.

④ Finally, convert signShaStr to uppercase to obtain the final signature.
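The following is an added worked example (my own code, not the original post's tooling) of the algorithm in 3.2 together with the verification order from 3.1. The parameter names `appKey`, `timestamp` and `sign`, the in-memory key pool, the 5-minute validity window, and the exclusion of the `sign` field from the string being signed are all my assumptions; the `compute_hmac_signature` function is a hardened variant I add for comparison, not part of the post's scheme.

```python
"""Signature scheme from the post (sorted non-empty params -> key=value&...
-> append secret -> SHA256 -> uppercase) and the provider-side checks.

Assumptions not in the original post: field names appKey/timestamp/sign,
the key pool below, a +/-300 s window, and excluding `sign` from signing.
"""
import hashlib
import hmac
import time

# Constructed example key pool: public key (app identifier) -> private key
# (shared secret). In production this lives in a datastore / secrets manager.
KEY_POOL = {
    "demo-app-001": "s3cr3t-shared-with-partner",
}

VALID_WINDOW_SECONDS = 300  # assumption: tolerate 5 minutes of clock skew


def build_sign_string(params: dict) -> str:
    """Steps 1-2: drop empty values and the sign field itself, sort by key
    in ASCII order, and join as key1=value1&key2=value2..."""
    items = sorted(
        (k, str(v)) for k, v in params.items()
        if k != "sign" and v is not None and str(v) != ""
    )
    return "&".join(f"{k}={v}" for k, v in items)


def compute_signature(params: dict, secret: str) -> str:
    """Steps 3-4: append the secret, SHA256, uppercase hex digest."""
    sign_str = build_sign_string(params) + secret
    return hashlib.sha256(sign_str.encode("utf-8")).hexdigest().upper()


def compute_hmac_signature(params: dict, secret: str) -> str:
    """Hardened variant (my suggestion, not the post's algorithm): keyed
    HMAC-SHA256 over the same canonical string instead of hash(msg||secret)."""
    msg = build_sign_string(params).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest().upper()


def sign_request(params: dict, app_key: str, secret: str, now: int) -> dict:
    """Caller side: attach appKey and timestamp, then the signature."""
    signed = dict(params, appKey=app_key, timestamp=now)
    signed["sign"] = compute_signature(signed, secret)
    return signed


def verify_request(request: dict, now: int, key_pool=KEY_POOL) -> tuple:
    """Provider side, in the order given in 3.1: key pool, timestamp window,
    signature. Returns (accepted, reason)."""
    secret = key_pool.get(request.get("appKey"))
    if secret is None:
        return False, "unknown appKey"
    try:
        ts = int(request.get("timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > VALID_WINDOW_SECONDS:
        return False, "timestamp outside validity window"
    expected = compute_signature(request, secret)
    # Constant-time comparison so the check does not leak by timing.
    if not hmac.compare_digest(request.get("sign", ""), expected):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    # Constructed request; the empty "remark" is dropped from the signature.
    req = sign_request({"orderId": "A1001", "amount": "99.50", "remark": ""},
                       "demo-app-001", KEY_POOL["demo-app-001"], now)
    print(req)
    print(verify_request(req, now))                        # accepted
    print(verify_request(dict(req, amount="1.00"), now))   # tampered body
    print(verify_request(req, now + 600))                  # replayed too late
```

Two design points worth noting: the secret only ever enters the hash and is never placed in the request, and the timestamp is both signed and checked, so a captured request cannot be replayed after the window closes. Constant-time comparison of the two signatures is cheap and avoids a timing side channel in the provider's check.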

4.1 Signature construction tool

4.2 SHA256 operation

5.1 The signature should cover the important parameters, so that they cannot be altered in transit without invalidating it.

5.2 Including a timestamp in the signed data not only makes the signature harder to predict, it also gives the provider a basis for checking time validity and rejecting replayed requests.

5.3 It is best to have a well-written interface document and protocol, and to manage the public keys and private keys carefully (issuing, storage and rotation).