What is a simple and secure API authorization mechanism based on signature algorithm?

When I was working on an advertising system, I found that the advertising systems of most of the platforms I connected to used tokens to authorize interfaces, and this token remained unchanged and was provided by advertisers. It can be said that this is the streaking interface. However, this interface does not have high security requirements. It can only prevent malicious calls and verify the identity of the channel.

Last year, the author wrote an API unified authorization platform, which provides unified authorization management for internal service open interfaces and third-party system calls. Apart from facilitating management interface authorization, it has no other purpose, but it costs money to deploy. This is probably the most pointless project I've ever done.

The API authorization mechanism introduced today may also be a more widely used API interface authorization mechanism. I remember that when the author used to do the WeChat payment function, the payment interface provided by WeChat also used this method: signature. Advantages: Simple, no impact on performance, no additional cost.

The implementation logic of this authorization method is that the authorizer sets a unique identity (key) and independent key for each access platform, which is actually equivalent to an account password. The accessing system is required to carry three parameters in the request header every time it initiates a request, namely the identity (key), the timestamp of the request, and the signature. The authorizing system verifies the signature when receiving the request. The request will be released only if it passes.

The process of verifying the signature is to obtain the key and timestamp from the request header, then generate a signature using the same algorithm based on the key (the caller and the authorizer use the same signature algorithm), and finally compare the signature obtained from the request header Whether they are equal, if so, the verification is successful, otherwise the verification fails.

The implementation process of the authorization method based on signature algorithm is as follows:

Authorizer:

1. Define the signature algorithm and provide the signature generation algorithm for access Party, and generate a key and identity for the access party;

2. Intercept the interface that needs to verify the signature in the project, obtain the timestamp and identity from the request header, and generate a signature based on the key and signature algorithm , compare the generated signature with the signature obtained from the request header, if they are the same, continue to step 3, otherwise reject the request;

3. Verify the timeliness of the request, use the current system timestamp and the signature obtained from the request header Compare the timestamps received, and if the request is within the valid time range, the request will be released, otherwise it will be rejected and the signature will be expired.

Access party:

1. Obtain the docking document from the authorized party, and ask the authorized party for the key and identity;

2. Encapsulate the signature method according to the signature generation algorithm provided in the document;

3. When initiating a request, write the identity identifier, current timestamp, and signature into the request header.

The signature generation algorithm can be customized. For example, after splicing the identity (key), timestamp (timestamp) and key together, an irreversible algorithm is used to encrypt the string to generate a signature, such as MD5. algorithm. The more complex the rules, the harder they are to crack.

What are the benefits of adding a timestamp to a signature?

The first is to add timeliness to the signature. The authorization system can limit the validity time of the signature to one second or five seconds, using the request timestamp to compare with the current timestamp. However, the system time of both parties must be correct.

The second is security. If a hacker intercepts the request of your system, then modifies the request and then initiates the request, it will definitely take time, so when the system receives the tampered request, the validity period of the signature It has passed. If you change the timestamp passed in the request header, the authorizing system of the request will generate a different signature than the one passed in the request header, so the request will still be invalid.

If you don’t know the key, you cannot generate a valid signature without understanding the signature rules of the authorized party (broiler). Files signed using an asymmetric encryption algorithm make it nearly impossible to crack the key through brute force.

Then why use timestamp instead of formatting time string?

This may be due to consideration of time zone compatibility. If different computer rooms are in different time zones, the time will be different, but the timestamp All the same.

In order to maximize the security of this authorization method, first of all, the rules for generating signatures must be complex enough, then the encryption algorithm of the signature must be irreversible, never use an algorithm like Base64, and finally, the key must be sufficient It is sufficiently complex to ensure that even if the signature generation rules are known, it is impossible to brute force the key.

Signature rules refer to the rules for generating signature strings before encryption. For example, the rules include key, key, and timestamp, where key and key will appear twice. Assume that the key is "app", the secret key is "123", the timestamp is "11111111111111", the pre-encrypted signature generated by splicing is "app1231111111111111app123", and finally the spliced ​​string is encrypted through the encryption algorithm to generate the final signature.

Isn’t it troublesome to write the signature logic for each interface?

No. For the authorizer, the signature verification logic can be completed through filters or interceptors; for the caller, there are different methods using different frameworks, but we can always find a way to only write the signature logic once, right?

The above is the detailed content of What is a simple and secure API authorization mechanism based on signature algorithm?. For more information, please follow other related articles on the PHP Chinese website!