URL encoding of API request parameters

What URL encoding is

No matter how a URL is transmitted, a parameter value that contains characters with a reserved meaning in URLs will be misinterpreted. If you want to pass a `+`, the `+` in the query string is decoded as a space; if you want to pass an `&`, the `&` is treated as a parameter separator.

This matters especially when the value being passed is an encrypted result: the Base64 text produced by AES or RSA encryption routinely contains `+`, `/` and `=`, and once the URL handling has mangled those characters, what the receiver decrypts is no longer the original data.

As shown, calling the interface with the parameter `1+1` makes the browser display `1 1`: the `+` has clearly been converted into a space.

Request before encoding:

 

If a caller passes parameters to your interface that contain special characters, they must be URL-encoded first; otherwise the parameters arrive corrupted, as shown above.

Solution:

import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class UrlCodec {
    public static void main(String[] args) {
        // Encode: reserved characters become %XX escapes, so "+" turns into "%2B".
        // The one-argument overload is deprecated because it uses the platform
        // default charset; always name the charset explicitly.
        String encode = URLEncoder.encode("1+1", StandardCharsets.UTF_8);
        System.out.println("Encoded: " + encode);
        // Decode: restores the original string (decode exactly once).
        String decode = URLDecoder.decode(encode, StandardCharsets.UTF_8);
        System.out.println("Decoded: " + decode);
    }
}

Console output:

Encoded: 1%2B1

Decoded: 1+1

Request after encoding:

 

 

URL special characters and their encodings:

Symbol    Meaning in a URL                                      Encoding
+         In a query string, "+" stands for a space             %2B
(space)   A space may be encoded as "+" or as "%20"             %20
/         Separates directories and subdirectories              %2F
?         Separates the resource path from its parameters       %3F
%         Introduces an escaped (percent-encoded) character     %25
#         Marks a fragment (bookmark) within the page           %23
&         Separates one parameter from the next                 %26
=         Separates a parameter name from its value             %3D
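The following is an added example, not code from the original post: it builds a query string from a map of parameters and parses it back, so that values containing every reserved character in the table above survive the round trip. The class name `QueryStringExample`, the method names and the sample parameter values (including the Base64-looking `cipher` value) are all constructed for illustration.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: encode each name and value separately, join with '=' and '&',
// then split BEFORE decoding on the receiving side.
public class QueryStringExample {

    // URLEncoder follows application/x-www-form-urlencoded rules: a space
    // becomes '+', while '+', '&', '=', '/', '?', '#' and '%' become %XX escapes.
    static String build(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    // Split on the separators first, then decode each piece exactly once.
    // Decoding before splitting would turn an encoded %26 back into '&' and
    // break the parameter apart; decoding twice would corrupt a literal "%2B".
    static Map<String, String> parse(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        if (query.isEmpty()) return out;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                    URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return out;
    }

    // A space inside a path segment must be %20, not '+': '+' only means a
    // space in the query string. This converts form encoding into path encoding.
    static String encodePathSegment(String segment) {
        return URLEncoder.encode(segment, StandardCharsets.UTF_8).replace("+", "%20");
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("expr", "1+1");              // the post's own example
        params.put("cipher", "Ab+/cD==");       // constructed sample of Base64 output
        params.put("note", "a&b=c #1 100%");    // every separator from the table at once

        String query = build(params);
        System.out.println("query:      " + query);
        Map<String, String> back = parse(query);
        System.out.println("round trip: " + back.equals(params));
        System.out.println("path seg:   " + encodePathSegment("my file.txt"));
    }
}
```

The round trip succeeds because every reserved character was escaped on the way out and decoded exactly once on the way in; the `1+1` value appears on the wire as `1%2B1`, exactly as in the console output above. Servlet containers decode query parameters for you, so application code should never call `URLDecoder.decode` a second time on a value obtained from `getParameter`.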

 

Symmetric and asymmetric encryption

Symmetric encryption uses the same key for encryption and decryption: the sender encrypts and the receiver decrypts with one shared secret key.

Why encrypt data

In remote procedure calls (RPC), data is encrypted to protect it while it travels between the caller and the service.

The goal is to stop someone who captures the HTTP request from reading the plaintext, and to stop them from tampering with it unnoticed. A request sent from Postman can be captured with Fiddler, analyzed, and its data modified before it reaches the server. Note that plain encryption only hides the content; to detect modification, the receiver also needs an integrity check, which is why an authenticated cipher mode (such as AES-GCM), a MAC, or a digital signature is used in practice.

 

The capture above shows that the parameter I sent in the request was xiaoming, and after interception the parameter had been modified to a different value. The data was therefore tampered with, so when we call an interface we must make sure such a request cannot succeed.

Flow without encryption:

Flow with encryption:

Common symmetric encryption algorithms

DES (Data Encryption Standard): block cipher derived from IBM's Lucifer and adopted by NIST as the symmetric encryption standard; 64-bit key (56 effective bits plus 8 parity bits), 64-bit block. Its key is short enough to brute-force, so it is obsolete.

AES (Advanced Encryption Standard): the replacement for DES; NIST selected the Rijndael algorithm. 128-bit block with 128-, 192- or 256-bit keys.

3DES (Triple DES): applies DES three times; 64-bit block, 112- or 168-bit key. Legacy only.

IDEA (International Data Encryption Algorithm): 128-bit key, 64-bit block; faster than DES in software.

Blowfish: openly published block cipher with a variable key length from 32 to 448 bits; 64-bit block.

RC4: stream cipher with a variable-length key; now considered broken and prohibited in TLS.

RC5: block cipher with a variable key length, up to 2040 bits.

Rijndael: block and key sizes of 128, 192 or 256 bits; AES is Rijndael restricted to the 128-bit block size.

Advantages of symmetric ciphers

 Each party only needs to keep one key, which is used for both encryption and decryption;

 Compared with asymmetric encryption, the amount of computation is small: it is fast, simple to use, and suitable for encrypting large volumes of data.

Disadvantages of symmetric ciphers

If the key exchange is insecure, the secrecy of the key is lost. This is especially acute in e-commerce, where the customer is an unknown, untrusted entity: how to deliver the key to the customer securely becomes a major problem.

Key management becomes a problem when there are many users: N parties that each need a pairwise key require N * (N - 1) / 2 keys.

If one key is shared by several users, it cannot provide non-repudiation, because any holder of the key could have produced a given message.

Symmetric encryption use cases: it is very fast, so it is used for server-to-server communication and backend-to-backend communication.

Symmetric cipher example

 Suppose Alice and Bob know each other. To keep their messages from being read by anyone who intercepts them, they agree on a secret key in advance and use it to encrypt every message exchanged between them; anyone who intercepts a message without the key cannot learn its contents. This provides confidentiality.
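The Alice-and-Bob exchange above, and the tampering problem from the "Why encrypt data" section, as an added example that is not part of the original post. It uses AES in GCM mode from the JDK, which both encrypts the message and authenticates it, so a modified ciphertext is rejected instead of being silently decrypted to wrong data. The class name `SharedKeyExample`, the method names and the sample JSON message are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: Alice and Bob share one AES key and use AES-GCM, which gives
// confidentiality and tamper detection in a single operation.
public class SharedKeyExample {
    private static final int NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;     // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    // Wire format: nonce || ciphertext || tag, Base64-encoded for transport.
    // A fresh random nonce per message is mandatory: reusing a nonce under the
    // same key breaks GCM completely.
    static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Returns null when the tag check fails, i.e. the message was modified in transit
    // or is too short to contain a nonce and a tag at all.
    static String decrypt(SecretKey key, String message) throws Exception {
        byte[] in = Base64.getDecoder().decode(message);
        if (in.length < NONCE_BYTES + TAG_BITS / 8) return null;
        byte[] nonce = Arrays.copyOfRange(in, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(in, NONCE_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        try {
            return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey shared = kg.generateKey();       // the key Alice and Bob agreed on out of band

        String msg = encrypt(shared, "{\"name\":\"xiaoming\"}");   // constructed sample message
        System.out.println("on the wire: " + msg);                 // opaque to an eavesdropper
        System.out.println("Bob reads:   " + decrypt(shared, msg));

        // Constructed tampering: an interceptor flips one bit of the ciphertext.
        // With an unauthenticated mode this would silently change the decrypted
        // name; with GCM the tag check fails and decrypt() returns null.
        byte[] raw = Base64.getDecoder().decode(msg);
        raw[NONCE_BYTES + 2] ^= 0x01;
        String tampered = Base64.getEncoder().encodeToString(raw);
        System.out.println("tampered:    " + decrypt(shared, tampered));
    }
}
```

The shared key itself is generated here only to make the example self-contained; in the scenario described, it is the secret Alice and Bob agreed on beforehand, and distributing it safely is exactly the weakness listed under the disadvantages of symmetric ciphers.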

1. Passwords must not be stored with symmetric encryption. Symmetric encryption is reversible, so anyone who obtains the key can recover every password, and a service that respects its users' privacy must not be able to decrypt their passwords at all.

2. Passwords are stored with one-way hashing. The defining property of a one-way hash is that it cannot be reversed. A one-way hash such as MD5 is normally salted; note, however, that MD5 is fast enough to brute-force at a very high rate, so a deliberately slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) should be used instead.

The purpose of the salt: a unique random salt per password makes precomputed tables of hashes useless and ensures that two users with the same password get different stored hashes. The salt does not need to be secret and is stored next to the hash; its protection comes from being random and unique, not from being hidden.

How to secure app interfaces

Use HTTPS for transport, use tokens, and use asymmetric encryption. Data is exchanged as HTTP + JSON.

A mobile app interface must not rely on symmetric encryption.

With symmetric encryption the key is the same on both sides, so it would have to be embedded in the app. Anyone who decompiles the packaged APK can extract that key and then read or forge our request parameters. This is why a mobile app cannot use symmetric encryption.

Instead, the mobile side uses asymmetric encryption: only the server's public key is embedded in the app. Extracting it gains an attacker nothing, because decryption requires the private key, which never leaves the server. The public key alone does not prove who the client is, which is why it is combined with HTTPS and a token.

Asymmetric encryption (public key and private key)

Uses a pair of keys: one is used to encrypt information, the other to decrypt it. The key pair can be generated with a third-party tool (or with the JDK's KeyPairGenerator).

    The two keys are mathematically linked: information encrypted with either key can only be decrypted with the other.

    The encryption key differs from the decryption key: encrypt with the public key and decrypt with the private key, or, in the other direction, encrypt (sign) with the private key and decrypt (verify) with the public key.

    One key of the pair is published and called the public key; the other is kept by its owner and called the private key. The public key is used to encrypt data for its owner (the sender encrypts with the recipient's public key) or to verify signatures (verify with the signer's public key). The private key is used to decrypt data that was encrypted with the matching public key, or to create digital signatures (sign with your own private key).

Confidentiality, integrity, non-repudiation: encrypting with the public key gives confidentiality; signing with the private key gives integrity and non-repudiation, because only the private key holder could have produced the signature.

Public-key encryption with private-key decryption is secure as long as the private key is never disclosed and the key size is adequate (2048-bit RSA or larger).

Disadvantage: low efficiency. It is far slower than symmetric encryption and can only encrypt short messages, so in practice it protects a symmetric key or a signature rather than bulk data.

Use cases: integration with third-party payment providers, core financial institutions.
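Both directions of a key pair, as an added example that is not code from the original post: the app encrypts its parameters with the server's public key (only the server can decrypt), and the server signs its response with the private key (anyone holding the public key can verify, and the server cannot later deny signing). The class name `KeyPairExample`, the method names and the sample JSON payloads are assumptions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import javax.crypto.Cipher;

// Added example: RSA in both roles. The app holds only the server's public key;
// the private key stays on the server.
public class KeyPairExample {

    static KeyPair generate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Confidentiality: anyone with the public key can encrypt, only the private
    // key holder can decrypt. OAEP padding is used; the older PKCS#1 v1.5 padding
    // is vulnerable to padding-oracle attacks. RSA-2048 with OAEP/SHA-256 can
    // encrypt at most 190 bytes, so real systems encrypt a symmetric key this way.
    static String encryptForServer(PublicKey serverPub, String json) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, serverPub);
        return Base64.getEncoder().encodeToString(c.doFinal(json.getBytes(StandardCharsets.UTF_8)));
    }

    static String decryptOnServer(PrivateKey serverPriv, String b64) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, serverPriv);
        return new String(c.doFinal(Base64.getDecoder().decode(b64)), StandardCharsets.UTF_8);
    }

    // Integrity and non-repudiation: only the private key can produce the
    // signature, anyone with the public key can check it, and the signer cannot
    // deny having signed exactly these bytes.
    static String sign(PrivateKey priv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(data);
        return Base64.getEncoder().encodeToString(s.sign());
    }

    static boolean verify(PublicKey pub, byte[] data, String sigB64) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(Base64.getDecoder().decode(sigB64));
    }

    public static void main(String[] args) throws Exception {
        KeyPair server = generate();   // in production the private key lives only on the server

        // App -> server: request parameters readable only by the server.
        String wire = encryptForServer(server.getPublic(), "{\"name\":\"xiaoming\"}");
        System.out.println("server decrypts: " + decryptOnServer(server.getPrivate(), wire));

        // Server -> app: a signed response the app verifies with the embedded public key.
        byte[] response = "{\"balance\":100}".getBytes(StandardCharsets.UTF_8);   // constructed sample
        String sig = sign(server.getPrivate(), response);
        System.out.println("genuine verifies: " + verify(server.getPublic(), response, sig));

        // Constructed tampering: the body is altered but the signature is reused.
        byte[] forged = "{\"balance\":999}".getBytes(StandardCharsets.UTF_8);
        System.out.println("forged verifies:  " + verify(server.getPublic(), forged, sig));
    }
}
```

Extracting the public key from the APK lets an attacker encrypt and send requests, but not read other users' traffic or forge signed responses; authenticating the caller is the job of the token mentioned above.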

Using tokens to secure parameter passing

 


Origin www.cnblogs.com/ming-blogs/p/11075034.html