How to keep data secure in API interactions between a separated front end and back end

I. Introduction

In a front-end/back-end separated development model the interface is the contract: both sides agree on the interface definitions, each develops its own part, and they integrate at the end. Whether you build a web app, a native app or PC-side software, as long as the front and back ends are separated you cannot avoid calling the interfaces the back end provides to exchange business data.

Whether it is a web page or an app, anyone who captures the traffic can see exactly which request fetches which data. For a crawler engineer such an interface is a gift: they simply capture the requests and take your data.

Data security matters a great deal, especially for information about users; the slightest mistake lets criminals hijack it, so we must take it seriously and tolerate no sloppiness.

II. How do we keep data secure during API calls?

1. Use HTTPS for communication.

2. Sign requests to prevent parameter tampering.

3. Use an authentication mechanism so that every request's legitimacy is verified.

4. In apps, use SSL pinning to prevent packet capture.

5. Encrypt and decrypt all requests and responses.

6. And so on; there are other schemes.

III. Encrypting and decrypting all requests and responses

There are many schemes, and the more of them you apply, the higher the security. Today I will introduce the scheme of encrypting and decrypting all requests and responses: even if you can capture the traffic, and even if you can call the interface, the data I return is encrypted, and as long as the encryption algorithm is strong enough, the ciphertext you obtained is of no use to you.

Work like this is best done through a unified process. You cannot leave it to each developer to remember, because having every developer call an encryption method on the data they return and a decryption method on the data they receive is very troublesome.

For this reason I have packaged a Starter based on Spring Boot with the AES encryption algorithm built in. The GitHub address is:

https://github.com/yinjihuan/spring-boot-starter-encrypt

Let's look at how to use it. Download the source code, add it as a dependency, and then put the @EnableEncrypt annotation on the startup class to enable encryption and decryption:


Add the encryption key configuration:


  • spring.encrypt.key: the encryption key; it must be 16 characters long
  • spring.encrypt.debug: whether to enable debug mode; defaults to false, and when true encryption and decryption are disabled

To keep it general, the Starter does not encrypt and decrypt every request; control is annotation-based.

To encrypt the response data, add the @Encrypt annotation to the Controller method.


When we access the /list interface, the returned data is the base64 encoding of the encrypted output.

The other direction, data submitted by the front end, falls into two cases. One is GET requests, which are not handled for now and will be considered later. Currently only POST requests are processed, and only submissions in JSON format, that is, the back end must receive the data with @RequestBody. To have the data decrypted we add the @Decrypt annotation.


With the @Decrypt annotation in place, the front end encrypts the submitted data with the AES algorithm as required and sends it to the back end; the back end decrypts it automatically and then maps it to the parameter object.

The above explains the back-end code. For the front end I will use JS to explain; of course you can use other languages too, and a native Android app would handle it in Java code.

The front end needs to do two things:

1. Handle response data uniformly: decrypt it before rendering the page.

2. When sending POST request data, encrypt it uniformly.

For the JS encryption files, refer to aes.js, crypto-js.js and pad-zeropadding.js under encrypt on my GitHub.

We use axios as the request framework and unify the encryption and decryption in axios interceptors.

First, in JS, wrap encryption and decryption in a class. Note that the encryption key must be the same as the back end's, otherwise neither side can decrypt the other's data. As follows:


The axios interceptor code for unified handling:


So far we have applied encryption to the whole front-to-back communication. As long as the encryption key does not leak, the data others obtain is useless to them. The question is: how do we make sure the key does not leak?

On the server, security is high: the key can be stored in a database or a configuration file, which is, after all, on our own server. The most dangerous place is actually the front end. An app is somewhat better, since it can be packaged, but decompilation and the like still have to be guarded against.

For a web app we can only rely on JS encryption. Below I introduce a way of obtaining the encryption key dynamically; it is rather complex to implement, so I will not show code, only the idea:

Encryption algorithms are divided into symmetric and asymmetric: AES is symmetric and RSA is asymmetric. We use AES to encrypt the data because it is efficient; RSA runs slowly and can be used for signing operations.

We can use the two algorithms to complement each other and guarantee security: use RSA to encrypt the AES key for transport, and use AES to encrypt the data. Combined, each covers the other's weakness.

In fact, if you understand how HTTPS works, the content below should be obvious at a glance. HTTPS is slower than HTTP because the client and the server must securely negotiate a symmetric encryption algorithm; after that, both sides simply use that symmetric algorithm to encrypt and decrypt their communication.

1. The client starts and sends a request to the server. The server uses RSA to generate a public/private key pair, which we call pubkey1 and prikey1, and returns the public key pubkey1 to the client.

2. After receiving pubkey1 from the server, the client generates its own RSA key pair, pubkey2 and prikey2, encrypts its public key pubkey2 with pubkey1, and sends the ciphertext to the server.

3. The server receives the ciphertext and decrypts it with its private key prikey1. Because the data was encrypted with pubkey1, decrypting it yields the client's public key pubkey2.

4. The server then generates the symmetric key, that is, our AES key, which corresponds to the 16-character encryption key in our configuration. After generating it, the server encrypts it with pubkey2 and returns it to the client. Since only the client holds prikey2, the private key matching pubkey2, only the client can decrypt it. The client decrypts with prikey2, obtains the AES key, and from then on encrypts the data transmission with that key. This completes the whole flow.

IV. How spring-boot-starter-encrypt works

Finally, let's briefly introduce the principle behind spring-boot-starter-encrypt. It also helps us understand why Spring Boot is so convenient: a little configuration yields a lot of functionality.

The @EnableEncrypt annotation on the startup class enables the feature by pulling in the auto-configuration via @Import:


The EncryptAutoConfiguration class configures the request and response handling using Spring's RequestBodyAdvice and ResponseBodyAdvice, which make it convenient to process requests uniformly in Spring. If you want to go further, you could package it at the underlying servlet level instead.


With RequestBodyAdvice and ResponseBodyAdvice we can process both requests and responses, and that is roughly the whole principle.


Origin www.cnblogs.com/gfhh/p/12048342.html