Table of Contents
Open API interface security processing
References:
Public key, private key and digital signature: the easiest way to understand them (reprint)
Concept
Problems:
- Data theft
- Data tampering
- Data loss
Corresponding solutions:
- Encryption: RSA / DES
- Digest (hash) algorithm: MD5
- Token: TOKEN
Encryption
Symmetric
DES
AES
Asymmetric (public and private key)
RSA
Uses:
- Encryption: encrypt with the public key -> decrypt with the private key
- Signature: encrypt with the private key -> decrypt with the public key (the private key produces the digital signature, the public key verifies the identity)
MD5
Message Digest Algorithm
MD5 (Message-Digest Algorithm 5) is a hash function widely used in the field of computer security to protect message integrity.
MD5 algorithm characteristics:
Compressibility: whatever the length of the input data, the computed MD5 value has a fixed length.
Easy to compute: the MD5 value is easy to calculate from the original data.
Resistance to modification: any change to the original data, even a single byte, produces a very different MD5 value.
Strong collision resistance: given the original data and its MD5 value, it is very difficult to find other data (i.e. forged data) with the same MD5 value.
In principle it cannot be broken: the algorithm is irreversible.
However, some values can still be recovered through collisions or rainbow tables (which are very large).
MD5 salt
MD5(""+""+salt)
Scenarios
- The interface specifies which fields are used to generate the MD5
- The interface generates the MD5 from the parameters received from the third-party caller and compares it with the MD5 the caller passed in
- This forms a data integrity check and prevents tampering
Token
Usually obtained at login; used to determine whether the user is in a logged-in state
Open API parameters
Do not use an auto-increment sequence for the id primary key
An auto-increment sequence is easy to enumerate and crawl
Duplicate submission, malicious calls
Scenarios: transaction type, order type, expiration date, idempotency
- The server returns a timestamp parameter; on the incoming call it is compared with the current server time and the request is accepted only within the validity period
- Random number (nonce)
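As an added example (not code from the original notes), the server-side check that combines the MD5-with-salt signature from the Scenarios section with the timestamp validity window and the nonce from this list. The field names, the salt value and the 300-second window are assumptions:

```python
import hashlib
import hmac
import time

# Constructed example: shared salt agreed out of band with the caller (assumed value).
SHARED_SALT = "example-salt-not-a-real-secret"
# The fields the interface specifies as signed, in the fixed order both sides use (assumed).
SIGNED_FIELDS = ("order_id", "amount", "timestamp", "nonce")
VALIDITY_SECONDS = 300  # assumed validity period for the timestamp


def compute_sign(params, salt=SHARED_SALT):
    """MD5 over the specified fields concatenated in fixed order, plus the salt."""
    material = "".join(str(params[f]) for f in SIGNED_FIELDS) + salt
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def verify_request(params, seen_nonces, now=None, salt=SHARED_SALT):
    """Server-side check: field presence, signature, timestamp window, nonce replay.

    Returns (accepted, reason). seen_nonces is the set of nonces already accepted.
    """
    now = time.time() if now is None else now
    # 1. Every signed field and the sign itself must be present.
    missing = [f for f in SIGNED_FIELDS + ("sign",) if f not in params]
    if missing:
        return False, "missing fields: %s" % missing
    # 2. Recompute the MD5 from the received parameters and compare in constant time.
    expected = compute_sign(params, salt)
    if not hmac.compare_digest(expected, str(params["sign"])):
        return False, "bad signature (data tampered or wrong salt)"
    # 3. The caller's timestamp must lie within the validity window of the server clock.
    try:
        ts = float(params["timestamp"])
    except ValueError:
        return False, "timestamp not numeric"
    if abs(now - ts) > VALIDITY_SECONDS:
        return False, "timestamp outside validity window"
    # 4. The nonce must not have been used before (duplicate submission / replay).
    nonce = str(params["nonce"])
    if nonce in seen_nonces:
        return False, "duplicate nonce (replayed request)"
    seen_nonces.add(nonce)
    return True, "ok"
```

In production the nonce store must be shared across server instances and expire entries after the validity window; a keyed MAC such as HMAC-SHA256 over the same fields is the modern replacement for the salted-MD5 concatenation shown here.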
Logging
Verification code
SMS categories: CAPTCHA
Sending the registration SMS: since no user information exists yet, it cannot be restricted on the business side; the verification code should only be obtainable through human-computer interaction verification