Some thoughts on signing backend interface requests

It has been a long time since I wrote a blog post, and I am not quite sure how to put what I want to say into words.

First of all, understand that as long as an interface is exposed to the public, there is no absolute security. Whether we use HTTPS, JWT or request signing, all we can do is greatly raise the cost of attacking our interface protocol, so that for a hacker or anyone with bad intentions weighing up an attack on our service, the expected payoff approaches zero while the difficulty grows without bound.

Since this is a bit of reflection, there should be some questions to reflect on:

1. Why sign requests at all, and what are the benefits?
2. How should a signature scheme be built?
3. What is the difference between signing and HTTPS?

Suppose we expose a query interface to the public network through an app or a web frontend. Its parameters are easy to discover, so an attacker can write a script that fires unlimited requests at this interface as a DDoS attack. Fine, we add JWT authentication; the attacker registers an account or logs in normally, obtains a JWT token, and keeps requesting with that token. Then we can block the account and the requesting IP; then they switch to proxy IPs and script the account registration. Of course, each step has a countermeasure, but is there a way to solve all of this at once?

I will not argue about whether signing is good or bad; let me just describe how I think a signature scheme should be done.

First, I have an RSA key pair (asymmetric encryption) and embed the public key in the client. For each request, the client takes the current timestamp and a salt used to generate the signature, and encrypts both asymmetrically with the public key into a value (call it `value`). It then takes the parameters the interface requires, the timestamp and the salt, assembles them in a fixed order, and computes an MD5 signature over that string. Finally it sends the parameters, `value` and the signature to the server.

The server decrypts `value` with its private key to recover the timestamp and the salt, regenerates the signature in the same way, and compares it with the client's signature. If they differ, the request is rejected. It can even check the timestamp, accepting a request only if its timestamp is within one minute.
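Both sides of the scheme above, written out in Go as an added example (this is not code from the original post). The `params sorted by key, then ts, then salt` ordering, the `ts|salt` layout of the encrypted blob, RSA-OAEP as the padding, and the `window` parameter are my assumptions where the post leaves these details open.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// canonical assembles the string the signature covers (parameters sorted by
// key, then timestamp, then salt; an assumed order) and returns its hex MD5.
// Both sides must build exactly this string in exactly this order.
func canonical(params map[string]string, ts int64, salt string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k + "=" + params[k] + "&")
	}
	b.WriteString("ts=" + strconv.FormatInt(ts, 10) + "&salt=" + salt)
	return fmt.Sprintf("%x", md5.Sum([]byte(b.String())))
}

// Sign is the client side: RSA-OAEP encrypt "ts|salt" with the embedded public
// key into the post's "value", and hash the canonical string into the signature.
func Sign(pub *rsa.PublicKey, params map[string]string, ts int64, salt string) ([]byte, string, error) {
	plain := []byte(strconv.FormatInt(ts, 10) + "|" + salt)
	value, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	return value, canonical(params, ts, salt), err
}

// Verify is the server side: decrypt value with the private key, reject a
// timestamp outside [now-window, now+window], then recompute and compare.
func Verify(priv *rsa.PrivateKey, params map[string]string, value []byte, sig string, now, window int64) bool {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, value, nil)
	tsStr, salt, ok := strings.Cut(string(plain), "|")
	ts, perr := strconv.ParseInt(tsStr, 10, 64)
	if err != nil || !ok || perr != nil || ts > now+window || ts < now-window {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(canonical(params, ts, salt)), []byte(sig)) == 1
}
```

Because the signature is recomputed over the parameters the server actually received, changing any parameter in transit or replaying the request outside the time window fails verification.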

Why does this approach solve the problem above? To attack an interface, the attacker must first produce a valid signature, which means knowing the salt value and the order in which the MD5 input is assembled: different orderings of the same strings give different MD5 values, and our salt is protected by RSA asymmetric encryption. So forging the signature becomes very difficult, and with it the problems of request legitimacy, uniqueness and parameter tampering are solved!

We can also improve on the scheme above, for example by using several RSA key pairs: the client picks one public key at random for encryption and only has to tell the server which pair it used. We can also encrypt the transmitted parameters, so an attacker does not even know what parameters are being sent!

At this point, I wonder whether you can see the difference between signing and HTTPS.
The signing scheme I described, like HTTPS, uses asymmetric encryption for negotiation and symmetric encryption for the data transfer. The formal difference is that HTTPS does not require anything to be embedded in advance; instead it negotiates asymmetrically through a certificate from a third-party CA.

Actually, I think the distinction is simply that HTTPS protects the transport channel, while the signature is application-layer protection.
The signature protects the interface from abuse: without a signature, even over HTTPS the interface can be called freely and without limit. The role of HTTPS is to ensure that an intermediary cannot intercept the request content in transit and use it to forge requests that deceive the server.

These are my few thoughts on signing and HTTPS. They are not very comprehensive and quite subjective, and some points may be described imprecisely; corrections are welcome.


Source: blog.csdn.net/sureSand/article/details/100148328