CN111125655A - Method for secure communication of OSS-API interface - Google Patents


Info

Publication number: CN111125655A
Application number: CN201911327826.8A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 陶杰
Assignee (current and original): Unicloud Nanjing Digital Technology Co Ltd
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Prior art keywords: jwt, api, signature, server, oss

Classifications

    • G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F21/60 Protecting data)
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos (under H04L63/08, H04L63/00)
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L9/32, H04L9/00)


Abstract

The invention relates to a method for secure communication over an OSS-API interface, in the technical field of OSS-API interface secure communication applications, and comprises the following steps. S1, generating a signature from a Kong server, where the Kong server can extend its existing functions through plug-ins that are executed within the life cycle of an API request/response cycle. S2, generating a header JWT; a JWT generally has two application scenarios: authorization, the most common JWT usage, in which once a user logs in every subsequent request carries a JWT as the token with which the user accesses resources; and information exchange, in which a JWT can securely transmit information between systems because its properties allow a receiver to verify whether the received content has been tampered with. S3, integrating the Signature and the JWT to access the API server directly. S4, the API server processes the Signature and the JWT. Communication security of the API interface is guaranteed through four mechanisms, and the JWT is carried in the header of the API call, so that a high security level for API communication is effectively ensured.

Description

Method for secure communication of OSS-API interface
Technical Field
The invention relates to the technical field of OSS-API interface secure communication application, in particular to a method for OSS-API interface secure communication.
Background
An API is a set of predefined functions or conventions for linking the different components of a software system; it aims to give an application program and its developer the ability to access a set of routines based on certain software or hardware without accessing the original source code or understanding the details of the internal working mechanism. Since an OSS exposes relevant API interfaces externally, how to ensure secure OSS-API communication is important.
To ensure that interface data is not tampered with and that calls are not replayed, a Token authorization mechanism, a timestamp timeout mechanism and a signature mechanism are the main considerations; at present, existing general technical schemes usually apply only one or two of these mechanisms, and the security level is not high. Therefore, it is necessary to provide a method for secure communication of an OSS-API interface that overcomes the disadvantages of the prior art.
Disclosure of Invention
To overcome the defects of the prior art, the method for secure communication of an OSS-API interface has the advantage that the security level of API communication is high.
To achieve the above object, the method for secure communication of an OSS-API interface of the present invention includes the following steps:
S1, generating a signature from the Kong server;
S2, generating a header JWT;
S3, integrating the Signature and the JWT to access the API server directly;
S4, the API server processes the Signature and the JWT.
Preferably, in S1, the API params of the Kong server include AK, AKS, expire, base64(param1), base64(param2), … base64(paramN).
Preferably, in S2, the JWT is composed of three parts: Header, Payload and Signature.
Preferably, in S4, the API server mainly performs the following operations on the Signature and the JWT:
S401, stripping the "Bearer" prefix from the header to obtain the JWT, decoding it, and judging whether the timestamp and the signature are valid;
S402, confirming with the Kong server whether the Signature is valid;
S403, judging whether AK and AKS are legal, where if AK or AKS is invalid the API server directly responds that AK or AKS is invalid;
S404, base64-decoding all param parameters (the patent calls this base64 "decryption");
and S405, responding to the requested interface.
The invention has the following beneficial effects:
the communication security of the API interface is ensured through four mechanisms, and the JWT is carried in the header of the API call, so that a high security level for API communication is effectively ensured.
Drawings
The present invention will be further described and illustrated with reference to the following drawings.
FIG. 1 is a flow diagram of a method for secure communication for an OSS-API interface.
Detailed Description
The technical solution of the present invention will be more clearly and completely explained by the description of the preferred embodiments of the present invention with reference to the accompanying drawings.
Examples
As shown in fig. 1, a method for secure communication for OSS-API interface includes the following steps:
S1, generating a signature from the Kong server. Kong can extend its existing functions through plug-ins, which are executed during the life cycle of the API request/response cycle; the plug-ins are written in Lua, and Kong provides the following basic functions: HTTP basic authentication, key authentication, CORS (Cross-Origin Resource Sharing), TCP, UDP, file logging, API request throttling, request forwarding, and nginx monitoring;
S2, generating a header JWT. A JWT generally has two application scenarios: authorization, the most common JWT usage, in which once a user logs in every subsequent request carries a JWT as the token with which the user accesses resources; and information exchange, in which a JWT can securely transmit information between systems because its properties allow a receiver to verify whether the received content has been tampered with;
S3, integrating the Signature and the JWT to access the API server directly;
S4, the API server processes the Signature and the JWT.
In S1, the API params of the Kong server include AK, AKS, expire, base64(param1), base64(param2), … base64(paramN).
By adopting this technical scheme, the OSS verifies the identity of a request sender using a symmetric method based on AK and AKS, where the AK identifies the user; the AKS is the key the user uses to encrypt (sign) the signature string and the OSS uses to verify it, and must be kept secret; expire is a timestamp, and the lifetime of a key can be set with an expire command, after which Redis automatically deletes the key; base64 is one of the most common encoding methods for transmitting 8-bit bytes over a network, it represents binary data using 64 printable characters, and it is what this scheme uses to "encrypt" the parameters.
In S2, the JWT is composed of a Header, a Payload and a Signature, as a technical optimization scheme of the present invention.
By adopting this technical scheme, the first part is the Header, which generally comprises two fields: the type of token and the signing algorithm used. Example parameters:
{
"alg":"HS256",
"typ":"JWT"
},
where the Header is base64url-encoded (the patent calls this base encryption);
the second part is the Payload, a carrier in which custom information can be placed, as well as expiration time, issuer, etc. Example parameters:
{
"timeStamp":"1572861099530"
},
where the carrier parameter is timeStamp, accurate to milliseconds, with a validity window of 5 minutes;
the third part is the Signature. Four pieces of information are needed to calculate it: the algorithm named in the Header, the Header, the Payload, and a custom key. The receiver of the JWT recomputes the signature from the same information and compares it with the signature carried in the JWT; if they differ, the content of the JWT has been tampered with. The parameters are as follows:
HMACSHA256(
base64UrlEncode(header)+"."+
base64UrlEncode(payload),
UnicloudSmaug
).
As a technical optimization scheme of the present invention, in S4 the main operations of the API server on the Signature and the JWT include:
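The HS256 token construction and verification described above, as an added example that is not part of the patent: it builds the token exactly as the HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(payload), key) formula states, using the patent's own example key "UnicloudSmaug" and the 5-minute timeStamp window, and on the verifying side checks the algorithm before the signature, compares in constant time, and rejects stale or future timestamps. The `now_ms` parameter is an addition for testability.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Key taken from the patent's own example; a real deployment keeps it secret.
SECRET = b"UnicloudSmaug"
MAX_AGE_MS = 5 * 60 * 1000  # the patent gives the timeStamp a 5-minute validity window


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, key: bytes = SECRET) -> str:
    """Build the HS256 token the way the patent describes:
    HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes = SECRET,
               now_ms: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature and timeStamp are valid, else None.
    The algorithm is pinned before anything else so a forged header
    cannot downgrade the check to 'none' or to another algorithm."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        # constant-time compare so timing does not leak how many bytes matched
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
        issued = int(payload["timeStamp"])
    except (ValueError, KeyError, TypeError):
        return None
    now = int(time.time() * 1000) if now_ms is None else now_ms
    # reject tokens older than the window and tokens dated in the future
    if not (0 <= now - issued <= MAX_AGE_MS):
        return None
    return payload
```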
S401, stripping the "Bearer" prefix from the header to obtain the JWT, decoding it, and judging whether the timestamp and the signature are valid;
S402, confirming with the Kong server whether the Signature is valid;
S403, judging whether AK and AKS are legal, where if AK or AKS is invalid the API server directly responds that AK or AKS is invalid;
S404, base64-decoding all param parameters (the patent calls this base64 "decryption");
and S405, responding to the requested interface.
The working principle of the invention is as follows:
1. access key mechanism (AK and AKS)
Access Key (AK) refers to the access key id and access key secret used in access authentication. The OSS verifies the identity of the sender of a request using a symmetric method based on AccessKeyId and AccessKeySecret. The AccessKeyId identifies the user; the AccessKeySecret is the key the user uses to encrypt (sign) the signature string and the OSS uses to verify it, and must be kept secret.
2. Parameter encryption mechanism
Of the request parameters, both when obtaining the signature and when accessing the API server, all except AK, AKS and the expiration parameter (expire) must be Base64-encoded.
The Kong server does not decode the parameters. When the integrated Signature and JWT are used to access the API server directly, the API server decodes all of them.
3. Parameter third party plug-in signature mechanism (kong server signature authentication)
Kong is an API gateway that forwards API traffic between clients and (micro)services; its functions can be extended with plug-ins to implement a signature function.
The user's AK, AKS and expire parameters, together with all other parameters encoded in Base64, are sent together to the Kong server for signature authentication, and a signature is generated.
When the Signature and JWT are integrated to access the API server directly, the API server asks the Kong server to confirm whether the Signature is valid. When the Signature is invalid, the API server directly responds that the Signature is invalid.
4. Header token mechanism: JWT token authentication is used, with the timestamp included in the authentication parameters.
JSON Web Token (JWT) is a secure, lightweight and complete way to transfer data between parties using a JSON object format.
The token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lU3RhbXAiOiIxNTcyODYxMDk5NTMwIn0.svtXizpE522Et7vZmDgZZyWORh_XXcJVxTeXZAvebw" is the JWT finally generated from the parameter example above.
The Authorization header is formed as "Bearer" + JWT.
When the Signature and the JWT are integrated to access the API server directly, the API server takes the header, removes the "Bearer" prefix, decodes the JWT and judges whether the timestamp and the Signature are valid. When the timestamp or the signature is invalid, the API server directly responds that the Authorization is invalid.
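The access-key, parameter-encoding and signature mechanisms (S1 and S402 to S405), as an added example that is not the patent's or Kong's own code. The patent does not say how the Kong plug-in computes the signature, so this model assumes HMAC-SHA256 over a canonical "AK|expire|sorted params" string keyed with the AKS; the credential table and request are constructed, and the client proves possession of AKS through the signature instead of transmitting it. The JWT header check (S401) is handled separately from this block.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed credential store standing in for the OSS's AK -> AKS table.
CREDENTIALS: Dict[str, bytes] = {"AK_EXAMPLE": b"AKS_EXAMPLE_SECRET"}


def encode_param(value: str) -> str:
    """The patent 'encrypts' every parameter except AK, AKS and expire with base64.
    base64 only encodes: anyone on the path can reverse it, so confidentiality
    still has to come from the transport (TLS), not from this step."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def canonical_string(ak: str, expire: int, params: Dict[str, str]) -> bytes:
    # Assumed layout; sorted so client and server sign exactly the same bytes.
    body = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return f"{ak}|{expire}|{body}".encode("utf-8")


def kong_sign(ak: str, aks: bytes, expire: int, params: Dict[str, str]) -> str:
    """Model of the Kong plug-in step (S1): HMAC-SHA256 keyed with AKS (assumed)."""
    return hmac.new(aks, canonical_string(ak, expire, params), hashlib.sha256).hexdigest()


def api_server_check(request: Dict[str, object], now: Optional[int] = None) -> Dict[str, object]:
    """S402-S405 on the API server. AKS is needed to recompute the signature, so the
    AK lookup (S403) happens first; an unknown AK is reported as invalid either way."""
    now = int(time.time()) if now is None else now
    ak = str(request["AK"])
    aks = CREDENTIALS.get(ak)
    if aks is None:
        return {"error": "AK or AKS invalid"}              # S403
    expire = int(request["expire"])
    if now > expire:
        return {"error": "request expired"}                # expire TTL, as Redis would enforce
    encoded = {k: str(v) for k, v in request.items()
               if k not in ("AK", "expire", "Signature")}
    expected = kong_sign(ak, aks, expire, encoded)
    if not hmac.compare_digest(expected, str(request["Signature"])):
        return {"error": "Signature invalid"}              # S402
    try:
        decoded = {k: base64.b64decode(v, validate=True).decode("utf-8")
                   for k, v in encoded.items()}
    except (ValueError, UnicodeDecodeError):
        return {"error": "param not valid base64"}         # S404
    return {"ok": True, "params": decoded}                 # S405
```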
The above detailed description merely describes preferred embodiments of the present invention and does not limit its scope. It should be understood that those skilled in the art can make various changes, substitutions and alterations without departing from the spirit and scope of the invention as defined by the appended claims and their equivalents. The scope of the invention is defined by the claims.

Claims (4)

1. A method for secure communication of an OSS-API interface, comprising the steps of:
S1, generating a signature from the Kong server;
S2, generating a header JWT;
S3, integrating the Signature and the JWT to access the API server directly;
S4, the API server processes the Signature and the JWT.
2. The method of claim 1 for secure communication of an OSS-API interface, characterized in that: in S1, the API params of the Kong server include AK, AKS, expire, base64(param1), base64(param2), … base64(paramN).
3. The method of claim 1 for secure communication of an OSS-API interface, characterized in that: in S2, the JWT is composed of three parts, i.e., a Header, a Payload and a Signature.
4. The method of claim 1 for secure communication of an OSS-API interface, characterized in that: in S4, the operations the API server mainly performs on the Signature and the JWT include:
S401, stripping the "Bearer" prefix from the header to obtain the JWT, decoding it, and judging whether the timestamp and the signature are valid;
S402, confirming with the Kong server whether the Signature is valid;
S403, judging whether AK and AKS are legal, where if AK or AKS is invalid the API server directly responds that AK or AKS is invalid;
S404, base64-decoding all param parameters;
and S405, responding to the requested interface.
Application and publication data

Priority / filing date: 2019-12-20 (application CN201911327826.8A)
Publication: CN111125655A (en), 2020-05-08; status: Pending
Family ID: 70500749
Country status: CN, CN111125655A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108965230A (en) * | 2018-05-09 | 2018-12-07 | 深圳市中信网安认证有限公司 | A secure communication method, system and terminal device
CN108901022A (en) * | 2018-06-28 | 2018-11-27 | 深圳云之家网络有限公司 | A microservice universal retrieval method and gateway
CN109450865A (en) * | 2018-10-18 | 2019-03-08 | 弘成科技发展有限公司 | API user authentication method based on JWT verification

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113032749A (en) * | 2021-03-03 | 2021-06-25 | 北京读我网络技术有限公司 | Synchronous authentication method and device
CN115473860A (en) * | 2022-09-05 | 2022-12-13 | 北京京东振世信息技术有限公司 | Multi-interface joint data distribution method and device based on online traffic, and electronic equipment
CN115473860B (en) * | 2022-09-05 | 2023-12-05 | 北京京东振世信息技术有限公司 | Multi-interface joint data distribution method and device based on online traffic, and electronic equipment


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 2020-05-08