java - 关于"api接口的sign的设计"的一点点疑惑
阿神
阿神 2017-04-18 09:30:03
0
3
1067

**感谢mcfog和yc8332的回答
按照mcfog的回答
如果sign的算法公开的话, sign不就没有校验功能了吗, 恶意攻击的人也可以根据该算法生成sign了**

刚读了一篇相关的博文, 有一点不明, 请大家解惑,谢谢

文中讲到sign是根据用户"请求的所有参数,包括timestamp还有token", 然后通过加密算法生成的sign.
然后他说在验证sign的时候是通过相同的加密规则生成一个sign, 看是否与请求的sign相同.

我的疑惑来了:

  1. 用户是怎么知道合法的sign是什么, 是在用户登录成功后, 和token一起返回给客户端的吗?

  2. 如果是的话这个token和sign在客户端和服务器端一般是怎么保存的, 是都存放在cookie中和session中?

  3. 每次请求的参数和时间戳一定是不同的, 怎么会能"根据用户请求的url参数, 重现出原来加密出的sign", 加密的原始素材只有token没变, 而其他的都变了, 怎么一样呢.

博文的原文如下:

"将所有用户请求的参数按照字母排序(包括timestamp,token),然后根据MD5加密(可以加点盐),全部大写,生成sign签名,这就是所说的url签名算法。然后登陆后每次调用用户信息时,带上sign,timestamp,token参数。"

"根据用户请求的url参数,服务器端按照同样的规则生成sign签名,对比签名看是否相等,相等则放行。(自然url签名也无法100%保证其安全,也可以通过公钥AES对数据和url加密,但这样如果无法确保公钥丢失,所以签名只是很大程度上保证安全)"

阿神
阿神

闭关修行中......

reply all(3)
黄舟

sign is not saved, is dynamic, and is encrypted based on submitted parameters. It is mainly used to prevent man-in-the-middle attacks or data integrity

阿神

1. The algorithm of sign is publicized by the server. The parameters inside are known by the client. The client calculates the sign by itself every time it requests.
2. There is no need to save the sign every time it is calculated. The context you gave for the token is not enough. Explain what it is. It may be the following two things

  1. Commonly known as "secret" is a private string issued by the server to the client. The client needs to protect this string from leaking and use this string to participate in signatures each time to verify the client's legal identity. The client is usually placed in the configuration, and the server usually has a database to maintain the secret values ​​of different clients

  2. Commonly known as "access token", a string similar to session id obtained by the client through the login interface request, representing the login status

In order to prevent attackers from tampering/forging requests, the elements of sign generally contain at least one element that is difficult for attackers to obtain. The most common one is the secret agreed upon by both parties

In order to prevent replay-attack, it is best to include unique request sequence number/millisecond time and other types of elements in the data packet, and perform deduplication processing on the server side

3. This is about the processing method after the server receives the request. It uses the sign algorithm to calculate the sign value through various parameters in the received request, and compares it with the sign value submitted by the client to check the client. Whether the calculation is correct.

Suggestion: If you have read too much in the title book and done too little, go and connect with several actual API interfaces, especially OAuth, and you will basically understand these things

洪涛

Public means disclosing it to your own people. If you want to worry about this, there is nothing safe in my world. I can’t handle it either

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template