common problem
•You can go to the Support Center to submit new questions
Project consultation
1. The impact of encryption and decryption on calculation
It takes about 0.03ms for a single server to encrypt/decrypt a single piece of data;
Therefore, even for a single server The server's request frequency reaches 1000qps, and the impact on service time is only 3%.
2. What are the fields for encryption and decryption?
In the initial stage, the buyer’s nickname, name, phone number, email address, ID card, license plate number, Alipay account number, user ID, etc. in the order data will be encrypted;
The buyer’s delivery address will not be encrypted for the time being.
3. What specific tasks do users need to do?
You need to confirm Appkey and other related information
Download the encryption and decryption SDK, modify the code and verify compatibility, and then fully migrate the database (all Plain text data is encrypted)
For specific verification scenarios, please refer to the "Data Encryption Access Guide"
4. How to obtain the key? Upgrade regularly
The key is the key to encrypting and decrypting data. The key will not be upgraded regularly, but if there is a risk of leakage of the key, you need to cooperate in upgrading the key.
The key can be obtained through the key-obtaining API in the SDK and by passing in the session parameters and app encryption security code.
5. After the data is encrypted, what should I do if there is a need for fuzzy search?
We provide fuzzy search function for encrypted data. If you have this requirement, you need to make appropriate modifications in the SQL query statement.
6. Is only RDS push encrypted? Will API calls be encrypted?
RDS push and API calls are encrypted.
7. Is there an interface to know which stores have set up API and push library encryption?
Currently not available, the self-service operation platform will enable store whitelist settings.
8. Is there a frequency limit for calling encryption and decryption? Will there be a calling bottleneck during Double 11?
The key of the encryption and decryption function has a local cache policy, and the qps single thread can reach 30,000
9. Called through the Qianniu clientJsSDKYes, will it be encrypted?
Currently there are .net, java, and php SDKs that support encryption/decryption. The Qianniu plug-in does not encrypt
10. Enable store encryption Yes Open it for all users at the same time, or can we open it for a few users first to test?
Encryption is performed according to the store dimension, so you can first open encryption for several users for testing, and you can configure it yourself in the encryption whitelist
Please fill in the seller Nick (not store name) for the encryption whitelist
#11. What is the impact of modifying the field length in RDS? Will the RDS version upgrade cause service interruption?
mysql5.5 version will have table locking phenomenon. It is recommended to upgrade to version 5.6 (self-service upgrade can be done on the console). The version upgrade is transparent to users. It just crashes when switching at the end.
rdswill only modify the buyer_nick fieldin the rds system library: transaction table and refund table.
12. There is a phenomenon of missing orders after turning on encryption
Please confirm that the length of the buyer_nick field of push/business RDS has been modified
13. Can the session still be decrypted after it expires? Should the user actively cancel the authorization?
After expiration or user cancellation of authorization, the Session should still be available for 90 days. This is consistent with the authorization agreement, which requires the service provider to delete user data within 90 days after the authorization ends.
14. Can the encrypted content of the main account be decrypted using the session of the sub-account?
Yes, it will determine the main account to which the sub-account belongs, and then return the corresponding key
15. Whether the data migration needs to terminate the service
During the data migration process, there may be plaintext, ciphertext, old key and new key encrypted data in the database
Consider these factors As long as the code compatibility is ensured, there is no need to terminate the service
16. What work still needs to be done after the key is upgraded?
Key upgrade means that the previously encrypted data is no longer safe, so the previously encrypted data needs to be migrated and re-encrypted with the new key.
17. For users who have expired for more than 90 days and cannot obtain the key, is it not necessary to encrypt and continue to save the original plain text? Will it be encrypted after the user renews?
According to the user authorization agreement, data that has not been authorized for more than 90 days should be cleared. When the user authorization is about to expire, find a way to guide the user to re-authorize. In theory, this part of the data belongs to the user, and the authorization is time-limited.
18. What is the difference between a Taobao account and a self-created account?
Simple application scenario of own account: Your local data may not come from Taobao, for example, it is an order from a JD merchant, but you want to reuse the encryption and decryption SDK. Then you can register Jingdong's account to Taobao's encryption library, so that you can reuse Taobao's encryption and decryption SDK. Encryption and decryption are based on the session key (token) provided by the open platform. By default, session key can only identify Taobao accounts. Please refer to: //open.taobao.com/docs/doc.htm?treeId=1&articleId=106212&docType=1
19. Can you explain the difference between SAAS deployment and independent deployment in detail? ? Thanks!
Criteria for judging whether it is independent or saas. It depends on whether the users of your stand-alone service are multi-user or single-user. If it is a single-user, it is an independent deployment (such as a very large seller), multi-user is a SaaS deployment, or both.
Development Access
∗Code Development
1,
| Question title | defaultTaobaoClient The serverUrl used must be the https protocol. What exactly is the url? |
| Problem description | SecretClient secretClient = new SecretClient (new DefaultTaobaoClient(serverUrl, appkey, appSecret), randomNumber) Note: The serverUrl used by defaultTaobaoClient must be in https protocol Does the https you refer to refer to TOP's https://eco.taobao.com/router/rest? |
| Problem Analysis | |
| Question Answer | The https here refers to TOP’s https://eco.taobao.com/router/rest. For details, please refer to //open.taobao.com/docs/doc.htm?docType=1&articleId =101617&treeId=1 |
##2、
3,
| Question title | What is the specific solution to fuzzy search? Can it be used directly in SQL scripts? |
| Problem Description | None |
| ##Fuzzy query method, you can use the like statement directly in SQL, The results obtained need to be further screened, and there are certain redundant results that need to be screened out in the program. | //Fragments that require fuzzy query String partial = "cdefg"; //Get the fuzzy query ciphertext String search = secretClient.search(partial); //Go to the database to do fuzzy query List // Filter List for(DO object : objects) { if (secretClient.decrypt(object.nick).contains(partial)){ result.add(object); } } |
| Question title | Is it necessary to use a single method to call decryption? Example mode? |
| Problem description | The test found that some fields can be decrypted and some cannot. Is it necessary to use a singleton? model? |
| Problem Analysis | |
| Question Answer | Yes, singleton mode must be used when calling decryption |
4,
| Question title | Does the encryption and decryption interface only support simultaneous encryption and decryption of a single field? |
| Problem description | Does the encryption and decryption interface only support simultaneous encryption and decryption of a single field? Is it possible at the same time? Encrypt and decrypt nicknames and mobile phone numbers? |
| Problem Analysis | |
| Question Answer | Currently, only one type can be selected for the encryption and decryption interface, either phone, nick, or name, and cannot be mixed |
5、
∗RN(Security Token Code)/Key
1,
| Question title | How efficient is the batch encryption interface? Is there no concurrent processing in the source code? |
| Problem description | Batch encryption source code implementation or for loop calling a single encryption interface |
| Problem Analysis | |
| ##Question Answer | Batch calls are similar to single calls. The batch interface also processes a single call in a loop. Unless you want to save network overhead, avoid multiple network requests |
| Question title | Will secret_version change? Will the key change? |
| Problem Description | |
| Problem analysis | secret_version is used to mark the key version, which will only change when the key version changes |
| Question answer | secret_version will only change when the key is upgraded. Which users will be upgraded will change. The key will not be changed regularly. |
2,
| Question title | What is RandomNumber and how to get it? |
| Problem Description | |
| Problem Analysis | |
| Question reply | ##randNum (security token code) is used to initialize encryption and decryption Object's SecurityClient secretClient = new SecurityClient (new DefaultTaobaoClient(serverUrl, appkey, appSecret), Random Number); randomNum in my. Download the corresponding app certificate from open.taobao.com. |
3、
4,
| Question title | Why is there noRandom Numberin my application certificate? |
| Problem Description | |
| Problem Analysis | |
| Question Answer | randomNumber The waiter needs to initialize appkey encryption in the background. |
| Question title | How do you know a ciphertext is a cipher? Was it encrypted before the key was upgraded or after the key was upgraded? |
| Problem Description | |
| Problem Analysis | |
| Question Answer | Encryption The API will automatically use the latest key to encrypt, and the decryption API will automatically obtain the key version |
5 ,
| Question title | After the data is encrypted, will it definitely contain the ~ character? |
| Problem Description | |
| Problem analysis | |
| Question answer | Yes , cipher text format: ~Cipher text~Version number~ |
##6、
7,
| Question title | Can I pass in an entity in Json format and decrypt it in batches? Or is there any other way to batch encryption and decryption. |
| Problem description | |
| Problem Analysis | |
| Batch encryption and decryption supports input list and returns map |
| Question title | What is the length of the field after encryption? |
| Problem Description | |
| Problem Analysis | |
| Question Answer | Based on The encryption scheme you use for each field may have different encryption lengths. Precise query (scenario 1, 2) Fuzzy query (scenario 3) nick/ receiver_namevarchar (32 character length * 4) varchar (32 character length * 8) normal (other scenarios) varchar (32 character length*4)varchar(32 character length*8) Scenario 4 fuzzy query (scenario 5)phonevarchar(16 (number length-8) (24))varchar(20 (character length*4)) |
##∗#Code error
1、
2,
| Related The code call returns isv.permission-denied error/error code 15 | |
 |
|
| a) Encryption of appkey is not enabled in the background | b) Session is not specified, or the specification is wrong (Not in the encryption whitelist)|
| Need to enable encryption or specify the correct session |
| Question title | Call taobao.top.secret. get error code 11 |
| Problem description |  |
| Problem Analysis | Because the app is configured with an IP whitelist and access restrictions |
| Problem Reply | Need to add IP whitelist |
##3,
| Question title | When calling the taobao.top.secret.get interface, "27/invalid session" will be reported Error |
| Problem description | {"error_response": {"code ":27, "msg":"Invalid session", "sub_code":"invalid-sessionkey", "request_id":"13oyvzsl8ud7g"} } |
| Problem Analysis | The error is reported because the session is invalid/expired |
| Pay attention to whether the session is correct |
safety verification
•You can submit new questions to the Support Center
FAQ
- There is no FAQ about this document
| Calling | taobao.top.secret.getError code12(subuser_has-no-permission) |
| code: 12 | subcode: subuser_has-no-permission |
| The sub-account does not have permission to use appkey | |
| It is recommended to check the sub-account configuration permissions, or use the main account |