3 - [API open platform security design] - 3 interface secure encrypted transmission

1.1 what is URL transcoding

Especially when the transmitted url is encrypted by Base64 or RSA, and there are special characters, once the special characters are processed by the url, they will not be the result of your original encryption.

url special symbols and corresponding codes:

1.2 URLEncode and URLDecode

Accept parameter case tranIndex:

@RestController public class TranController { // Accept client parameters @RequestMapping("/tranIndex") public String tranIndex(String name) { System.out.println("name:" + name); return name; } }

Client access results:

The passed in + parameter becomes a space.

Solution: change + to% 2B:

1.3 Java code processing transcoding

URLEncoder.encode and decode:

String encode = URLEncoder.encode("1+1", "UTF-8"); String decode = URLDecoder.decode(encode, "UTF-8"); System.out.println("encode:" + encode + ",decode:" + decode);

Http interface parameter coding processing:

String url = "http://127.0.0.1:8080/tranIndex?"; // Parameter transcoding String strParam = "name=" + URLEncoder.encode("1+1", "utf-8"); String newUrl = url + strParam; String result = HttpClientUtils.httpGet(newUrl); System.out.println("result:" + result);

The main use is to store passwords

Hash is the extraction of information. Usually, its length is much smaller than that of information, and it is a fixed length. The hash with strong encryption must be irreversible, which means that no part of the original information can be deduced through the hash result. Any change in input information, even if only one bit, will lead to significant changes in hash results, which is called avalanche effect. Hashing should also be conflict proof, that is, two pieces of information with the same hash result cannot be found. Hash results with these characteristics can be used to verify whether the information has been modified.

One way hash function is generally used to generate message digest, key encryption, etc. common are:

1. MD5 (Message Digest Algorithm 5): it is a one-way hash algorithm developed by RSA data security company. It is non reversible. The same plaintext generates the same ciphertext.
2. SHA (Secure Hash Algorithm): it can generate a 160 bit value for data of any length;

Comparison between SHA-1 and MD5:
Because both are derived from MD4, SHA-1 and MD5 are very similar to each other. Accordingly, their strength and other characteristics are similar, but there are the following differences:

1. Security against forced provisioning: the most significant and important difference is that the SHA-1 digest is 32 bits longer than the MD5 digest. Using the forced technology, the difficulty of generating any message so that its summary is equal to the given message summary is 2128 for MD5 and 2160 for SHA-1. In this way, SHA-1 has greater strength against forced attacks.
2. Security of Cryptanalysis: due to the design of MD5, SHA-1 is vulnerable to cryptanalysis attacks.
3. Speed: on the same hardware, SHA-1 runs slower than MD5.

1. Features: avalanche effect, fixed length output and irreversible.
2. The function is to ensure the integrity of data.
3. Encryption algorithms: md5 (standard key length 128 bits), sha1 (standard key length 160 bits), md4, CRC-32
4. Encryption tools: md5sum, sha1sum, OpenSSL, dgst.
5. Calculate the hash value of a file, for example: md5sum / shalsum filename, OpenSSL, dgst – md5/-sha

1.1 MD5 encryption

1.1.1 online MD5 decryption and encryption

http://www.cmd5.com/

1.1.2 Java operation MD5 encryption

1.1.3 realization mode of MD5 salt addition

Commonly used salt addition:
md5(Password+UserName), that is, add the user name and password string and then MD5. Such MD5 summary can not be checked back.

However, sometimes the user name may change, and the password will not be available after the change (verifying the password is actually the process of recalculating the summary).

Therefore, we have made a very simple salt adding algorithm. Every time we save the password to the database, we generate a random 16 bit number, add the 16 bit number and the password, and then calculate the MD5 summary, and then add the 16 bit number into the summary according to the rules to form a 48 bit character string.

When verifying the password, 16 digits are extracted from the 48 bit string according to the rules, added with the password entered by the user, and then added to MD5. The result formed by this method must not be directly anti checked, and the summary formed each time the same password is saved is also different.

The code is as follows:

/** * MD5 Salt encryption */ public class PasswordUtil { /** * Generate password with random salt */ public static String generate(String password) { Random r = new Random(); StringBuilder sb = new StringBuilder(16); sb.append(r.nextInt(99999999)).append(r.nextInt(99999999)); int len = sb.length(); if (len < 16) { for (int i = 0; i < 16 - len; i++) { sb.append("0"); } } String salt = sb.toString(); password = md5Hex(password + salt); char[] cs = new char[48]; for (int i = 0; i < 48; i += 3) { cs[i] = password.charAt(i / 3 * 2); char c = salt.charAt(i / 3); cs[i + 1] = c; cs[i + 2] = password.charAt(i / 3 * 2 + 1); } return new String(cs); } /** * Verify that the password is correct */ public static boolean verify(String password, String md5) { char[] cs1 = new char[32]; char[] cs2 = new char[16]; for (int i = 0; i < 48; i += 3) { cs1[i / 3 * 2] = md5.charAt(i); cs1[i / 3 * 2 + 1] = md5.charAt(i + 2); cs2[i / 3] = md5.charAt(i + 1); } String salt = new String(cs2); return md5Hex(password + salt).equals(new String(cs1)); } /** * Gets the MD5 digest as a hexadecimal string */ public static String md5Hex(String src) { try { MessageDigest md5 = MessageDigest.getInstance("MD5"); byte[] bs = md5.digest(src.getBytes()); return new String(new Hex().encode(bs)); } catch (Exception e) { return null; } } public static void main(String[] args) { // Encryption + salt addition String password1 = generate("admin"); System.out.println("result:" + password1 + " Length:" + password1.length()); // decode System.out.println(verify("admin", password1)); // Encryption + salt addition String password2 = generate("admin"); System.out.println("result:" + password2 + " Length:" + password2.length()); // decode System.out.println(verify("admin", password2)); } }

Purpose: to prevent packet capture tampering requests

3.1 symmetric encryption

Symmetric cryptography: the sender and the recipient use a single key jointly owned by them. This key is used for both encryption and decryption. It is called a secret key (also known as symmetric key or session key).

It can provide information confidentiality (information cannot be decrypted without a key) and integrity (changed information cannot be decrypted).

Symmetric cryptography is also known as single key cryptography, secret key cryptography, session key cryptography, private key cryptography and shared secret key cryptography

3.1.1 common symmetric encryption technology

• DES (data encryption standard): block encryption, algorithm derived from Lucifer, as NIST symmetric encryption standard; 64 bits (56 significant bits, 8 check bits), grouping algorithm
• 3DES: 128 bit, grouping algorithm
• IDEA (international data encryption algorithm): 128 bits, faster than DES, grouping algorithm
• Blowfish: 32-448 bits, algorithm disclosure, grouping algorithm
• RC4: stream cipher with variable key length
• RC5: block cipher, with variable key length, up to 2048 bits
• Rijndael: 128 bit / 196 bit / 256 bit
• AES (Advanced Encryption Standard): DES upgraded version, algorithm from Rinjindael

3.1.2 advantages of symmetric password

Users only need to memorize a key, which can be used for encryption and decryption;

Compared with asymmetric encryption method, encryption and decryption has the advantages of small amount of calculation, fast speed, simple and easy to use, and is suitable for encrypting massive data.

3.1.3 disadvantages of symmetric password

If the key exchange is not secure, the security of the key will be lost. Especially in the e-commerce environment, when the customer is an unknown and untrusted entity, how to make the customer obtain the key safely has become a big problem.

If there are many users, the key management problem. N*(N-1)/2

If the key is shared by multiple users, non repudiation cannot be provided

3.1.4 symmetric password cases

Suppose Alice and Bob know each other. In order to ensure that the communication message is not intercepted by others, they agree on a password in advance to encrypt the message transmitted between them. In this way, even if someone intercepts the message, they can't know the content of the message without a password. Confidentiality is thus achieved.

3.1.5 encryption and decryption based on DES

import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESKeySpec; import java.security.SecureRandom; /** * @author : yang-windows * @Title : E8 * @Package : com.snow.utils * @Description : DES Encryption and decryption tool class * DES Encryption DES is a symmetric encryption algorithm. The so-called symmetric encryption algorithm is an algorithm that uses the same key for encryption and decryption. DES encryption algorithm comes from IBM's research, * Later, it was officially adopted by the U.S. government, and then it began to spread widely, but it has been less and less used in recent years, because DES uses 56 bit key to modern computing power, * 24 It can be cracked within hours. Nevertheless, in some simple applications, we can still use DES encryption algorithm. This paper briefly explains the JAVA implementation of Des. * Note: during DES encryption and decryption, the key length must be a multiple of 8 * @date : 2020/4/16 23:56 */ public class DESUtil { /** * encryption * * @param datasource : byte[] * @param password : String * @return : byte[] */ public static byte[] encrypt(byte[] datasource, String password) { try { SecureRandom random = new SecureRandom(); DESKeySpec desKey = new DESKeySpec(password.getBytes()); // Create a key factory and use it to convert DESKeySpec to SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES"); SecretKey securekey = keyFactory.generateSecret(desKey); // Cipher object actually completes the encryption operation Cipher cipher = Cipher.getInstance("DES"); // Initialize Cipher object with key, ENCRYPT_MODE is a constant used to initialize Cipher to encryption mode cipher.init(Cipher.ENCRYPT_MODE, securekey, random); // Now get the data and encrypt it // Formal encryption operation return cipher.doFinal(datasource); // Encrypt or decrypt data as a single part operation, or end a multi part operation } catch (Throwable e) { e.printStackTrace(); } return null; } /** * decrypt * * @param src : byte[] * @param password : String * @return : byte[] * @throws Exception */ public static byte[] decrypt(byte[] src, String password) throws Exception { // DES algorithm requires a trusted random number source SecureRandom random = new SecureRandom(); // Create a DESKeySpec object DESKeySpec desKey = new DESKeySpec(password.getBytes()); // Create a key factory SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");// Returns the that implements the specified transformation // Cipher // object // Convert the DESKeySpec object to a SecretKey object SecretKey securekey = keyFactory.generateSecret(desKey); // The Cipher object actually completes the decryption operation Cipher cipher = Cipher.getInstance("DES"); // Initializing Cipher objects with keys cipher.init(Cipher.DECRYPT_MODE, securekey, random); // Really start decryption operation return cipher.doFinal(src); } }

public class Main { // 1. Configure key private static String PASSWORD = "95880288"; public static void main(String[] args) throws Exception { // 2. Content to be encrypted String content = "yangshuo"; // 3. Use DES encryption byte[] encryptContent = DESUtil.encrypt(content.getBytes(), PASSWORD); System.out.println("Encrypted content:" + new String(encryptContent)); // 4. Decrypt with DES byte[] decrypt = DESUtil.decrypt(encryptContent, PASSWORD); System.out.println("Decrypted content:" + new String(decrypt)); } }

Console printing:

Encrypted content:j!�l��`i<�|fzQ& Decrypted content:yangshuo

3.3 mobile APP interface security design

• HTTPS transmission
• Use Token
• Use asymmetric encryption

Symmetric encryption cannot be used

The APK will be decompiled to get the key

3.4 asymmetric encryption

Use a pair of keys: one for encrypting information and the other for decrypting information.

There is an interdependence between the two keys: that is, the information encrypted with either key can only be decrypted with the other key.

The encryption key is different from the decryption key. The public key is encrypted and the private key is decrypted. On the contrary, the private key can also be encrypted and the public key can be decrypted.

The key is divided according to its nature, and one of them is disclosed to the outside world, which is called public key; The other is kept by itself, called the private key. The public key is often used for data encryption (encrypted with the other party's Public key) or signature verification (decrypted with the other party's Public key), and the private key is often used for data decryption (encrypted by the sender with the receiver's Public key) or digital signature (encrypted with its own Private key).

• Confidentiality
• Integrity
• Non repudiation

1. Use process:
   Party B generates two keys (public key and private key)
   Party A obtains Party B's public key and uses it to encrypt the information.
   Party B obtains the encrypted information and decrypts it with the private key. Party B can also encrypt the string with the private key
   Party A obtains the encrypted data from Party B's private key and decrypts it with the public key

• Advantages: hard to crack
• Disadvantages: slow encryption speed

Common algorithms:

• RSA
• Elgamal
• Knapsack algorithm
• Rabin
• D-H
• ECC (elliptic curve encryption algorithm)

Application scenario:

• Third party payment docking
• Core financial institutions

3.4.1 RSA tools

package com.weavernorth.sa.utils; import org.apache.commons.net.util.Base64; import javax.crypto.Cipher; import java.security.*; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; /** * @author : yang-windows * @Title : E8 * @Package : com.weavernorth.sa.utils * @Description : RSA Encryption and decryption tool class * @date : 2020/4/17 0:22 */ public class RSAUtil { public static String publicKey; // Public key public static String privateKey; // Private key /** * Generate public and private keys */ public static void generateKey() { // 1. Initialization key KeyPairGenerator keyPairGenerator; try { keyPairGenerator = KeyPairGenerator.getInstance("RSA"); SecureRandom sr = new SecureRandom(); // Random number generator keyPairGenerator.initialize(512, sr); // Set 512 bit long secret key KeyPair keyPair = keyPairGenerator.generateKeyPair(); // Start creating RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic(); RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) keyPair.getPrivate(); // Transcoding publicKey = Base64.encodeBase64String(rsaPublicKey.getEncoded()); // Transcoding privateKey = Base64.encodeBase64String(rsaPrivateKey.getEncoded()); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } } /** * Private key encryption or decryption * * @param content * @param privateKeyStr * @return */ public static String encryptByprivateKey(String content, String privateKeyStr, int opmode) { // The private key should be processed with PKCS8 PKCS8EncodedKeySpec pkcs8EncodedKeySpec = new PKCS8EncodedKeySpec(Base64.decodeBase64(privateKeyStr)); KeyFactory keyFactory; PrivateKey privateKey; Cipher cipher; byte[] result; String text = null; try { keyFactory = KeyFactory.getInstance("RSA"); // Restore Key object privateKey = keyFactory.generatePrivate(pkcs8EncodedKeySpec); cipher = Cipher.getInstance("RSA"); cipher.init(opmode, privateKey); if (opmode == Cipher.ENCRYPT_MODE) { // encryption result = cipher.doFinal(content.getBytes()); text = Base64.encodeBase64String(result); } else if (opmode == Cipher.DECRYPT_MODE) { // decrypt result = cipher.doFinal(Base64.decodeBase64(content)); text = new String(result, "UTF-8"); } } catch (Exception e) { e.printStackTrace(); } return text; } /** * Public key encryption or decryption * * @param content * @param publicKeyStr * @return */ public static String encryptByPublicKey(String content, String publicKeyStr, int opmode) { // The public key should be processed with X509 X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(Base64.decodeBase64(publicKeyStr)); KeyFactory keyFactory; PublicKey publicKey; Cipher cipher; byte[] result; String text = null; try { keyFactory = KeyFactory.getInstance("RSA"); // Restore Key object publicKey = keyFactory.generatePublic(x509EncodedKeySpec); cipher = Cipher.getInstance("RSA"); cipher.init(opmode, publicKey); if (opmode == Cipher.ENCRYPT_MODE) { // encryption result = cipher.doFinal(content.getBytes()); text = Base64.encodeBase64String(result); } else if (opmode == Cipher.DECRYPT_MODE) { // decrypt result = cipher.doFinal(Base64.decodeBase64(content)); text = new String(result, "UTF-8"); } } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); } return text; } }

3.5.2 cases of using public key encryption and private key decryption

package com.weavernorth.sa.utils; import org.apache.commons.net.util.Base64; import javax.crypto.Cipher; import java.security.*; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; /** * @author : yang-windows * @Title : E8 * @Package : com.weavernorth.sa.utils * @Description : RSA Encryption and decryption tool class * @date : 2020/4/17 0:22 */ public class RSAUtil { public static String publicKey; // Public key public static String privateKey; // Private key /** * Generate public and private keys */ public static void generateKey() { // 1. Initialization key KeyPairGenerator keyPairGenerator; try { keyPairGenerator = KeyPairGenerator.getInstance("RSA"); SecureRandom sr = new SecureRandom(); // Random number generator keyPairGenerator.initialize(512, sr); // Set 512 bit long secret key KeyPair keyPair = keyPairGenerator.generateKeyPair(); // Start creating RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic(); RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) keyPair.getPrivate(); // Transcoding publicKey = Base64.encodeBase64String(rsaPublicKey.getEncoded()); // Transcoding privateKey = Base64.encodeBase64String(rsaPrivateKey.getEncoded()); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } } /** * Private key encryption or decryption * * @param content * @param privateKeyStr * @return */ public static String encryptByprivateKey(String content, String privateKeyStr, int opmode) { // The private key should be processed with PKCS8 PKCS8EncodedKeySpec pkcs8EncodedKeySpec = new PKCS8EncodedKeySpec(Base64.decodeBase64(privateKeyStr)); KeyFactory keyFactory; PrivateKey privateKey; Cipher cipher; byte[] result; String text = null; try { keyFactory = KeyFactory.getInstance("RSA"); // Restore Key object privateKey = keyFactory.generatePrivate(pkcs8EncodedKeySpec); cipher = Cipher.getInstance("RSA"); cipher.init(opmode, privateKey); if (opmode == Cipher.ENCRYPT_MODE) { // encryption result = cipher.doFinal(content.getBytes()); text = Base64.encodeBase64String(result); } else if (opmode == Cipher.DECRYPT_MODE) { // decrypt result = cipher.doFinal(Base64.decodeBase64(content)); text = new String(result, "UTF-8"); } } catch (Exception e) { e.printStackTrace(); } return text; } /** * Public key encryption or decryption * * @param content * @param publicKeyStr * @return */ public static String encryptByPublicKey(String content, String publicKeyStr, int opmode) { // The public key should be processed with X509 X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(Base64.decodeBase64(publicKeyStr)); KeyFactory keyFactory; PublicKey publicKey; Cipher cipher; byte[] result; String text = null; try { keyFactory = KeyFactory.getInstance("RSA"); // Restore Key object publicKey = keyFactory.generatePublic(x509EncodedKeySpec); cipher = Cipher.getInstance("RSA"); cipher.init(opmode, publicKey); if (opmode == Cipher.ENCRYPT_MODE) { // encryption result = cipher.doFinal(content.getBytes()); text = Base64.encodeBase64String(result); } else if (opmode == Cipher.DECRYPT_MODE) { // decrypt result = cipher.doFinal(Base64.decodeBase64(content)); text = new String(result, "UTF-8"); } } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); } return text; } }

3.5.3 cases of using private key encryption and public key decryption

import javax.crypto.Cipher; public class Main { public static void main(String[] args) throws Exception { /** * Note: private key encryption must be decrypted by public key encryption must be decrypted by private key */ System.out.println("-------------Two pairs of secret keys are generated and kept by the sender and receiver respectively-------------"); RSAUtil.generateKey(); System.out.println("Public key to receiver:" + RSAUtil.publicKey); System.out.println("Private key to sender:" + RSAUtil.privateKey); System.out.println("-------------The first chestnut, private key encryption, public key decryption-------------"); String textsr = "Good morning. Have you had breakfast? O(∩_∩)O~"; // Private key encryption String cipherText = RSAUtil.encryptByprivateKey(textsr, RSAUtil.privateKey, Cipher.ENCRYPT_MODE); System.out.println("After the sender encrypts with the private key:" + cipherText); // Public key decryption String text = RSAUtil.encryptByPublicKey(cipherText, RSAUtil.publicKey, Cipher.DECRYPT_MODE); System.out.println("After the receiver decrypts with the public key:" + text); System.out.println("-------------The second chestnut is public key encryption and private key decryption-------------"); // Public key encryption String textsr1 = "Yes! Have you? O(∩_∩)O~"; String cipherText1 = RSAUtil.encryptByPublicKey(textsr1, RSAUtil.publicKey, Cipher.ENCRYPT_MODE); System.out.println("After the receiver encrypts with public key:" + cipherText1); // Private key decryption String text1 = RSAUtil.encryptByprivateKey(cipherText1, RSAUtil.privateKey, Cipher.DECRYPT_MODE); System.out.print("After the sender decrypts with the private key:" + text1); } }

Console printing:

-------------Two pairs of secret keys are generated and kept by the sender and receiver respectively------------- Public key to receiver:MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ82+6q5mGQEeQVDf7QU4CEuUbaNLQsxfHDUIllav7Hq OyujKtnFgOjr6zTXirz0YIItkBNNWb+XiU4L3Iv9kO0CAwEAAQ== Private key to sender:MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAnzb7qrmYZAR5BUN/tBTgIS5Rto0t CzF8cNQiWVq/seo7K6Mq2cWA6OvrNNeKvPRggi2QE01Zv5eJTgvci/2Q7QIDAQABAkADV8Qw8XSh pPZlheVIgqeyCqbsjkpD0eYq+ElAVwdvVNMuXGipnGlEsi0TXVfqBQF4ziF4W6lByQNsA7MFuNaB AiEAzn/5V2DC2fGw1CdKNV/rsfViRCiZXO/o8OQaYv5Yxm8CIQDFYVIxm8mO8h/4QTHuyMUONorf i/shAd1BJyFILC5sYwIgbwMdaHv8RG5KQcNdgZQvgVwJl9q7l9rhv57hEJbr4sECIFZo48XqENRu tYZGbGjAJlyxjhyNuLRbj5RdYBmrletHAiAiIQBxA8gN1FMT4gvoQlL0xiBFtAE/+VWIeedrOebS 8Q== -------------The first chestnut, private key encryption, public key decryption------------- After the sender encrypts with the private key: hPaOOVQvFZ0/S29I11kaZHQAFf56lifWeUHZJUaw9UFd45iuYX6y7hYqIr1uA74R3pOdQvX8n5xf lYRLrHni0A== After the receiver decrypted with the public key: morning, have you had breakfast? O(∩_∩)O~ -------------The second chestnut is public key encryption and private key decryption------------- After the receiver encrypts with public key: KJTRJrn3cNcxQUtPRB9bwqDg/99XSyV9z1aJFXJ48r+O+2iC2XCXJcyUFEiiI5CYvhC4e3sW6XV/ YiSx7/faVQ== After decrypting with the private key, the sender: Yes! Have you eaten? O(∩_∩)O~ Process finished with exit code 0

3.5 hiding parameters based on token

@RestController public class PayController extends BaseApiService { @Autowired private BaseRedisService baseRedisService; private static long timeToken = 15 * 60l; @RequestMapping("/pay") public ResponseBase pay(String token) { // Get the submission parameters and save them in the database, if (StringUtils.isEmpty(token)) { return setResultError("token Cannot be empty!"); } String reuslt = (String) baseRedisService.getString(token); if (StringUtils.isEmpty(reuslt)) { return setResultError("Parameter cannot be empty!"); } System.out.println("Get submitted parameters reuslt: " + reuslt); return setResultSuccess("Get submitted parameters reuslt: " + reuslt); } @RequestMapping("/getPayToken") public String pay(Long userId, Long money) { String payToken = UUID.randomUUID().toString(); baseRedisService.setString(payToken, userId + "-" + money, timeToken); return payToken; } }

Add new comment

0 comments