Android network requests: how to set the sign parameter

  • 2021-11-29 08:22:46
  • OfStack

On a recent project I ran into an unusual requirement: the backend said that before the interface handles a request it verifies a signature and a validity time, so the client has to generate a sign signature on the spot. Here is how to do it.

First the general idea. The sign is generated according to the backend's rules from key-value pairs (key=value). They are spliced together as key=value&key=value (key is the parameter name the backend expects, value is the value the client obtained), followed by &time=<the time read from the system> and &salt=fangzhou (a fixed value agreed with the backend). The spliced string is then urlencoded (Java has a method for this) and MD5-hashed. If the backend wants the resulting hex digits in uppercase (or lowercase), Java has a method that can be called directly for that too.

Next, how to implement it:

1. Splice the request values (key=value&key=value):


String name = "Song Xiaobao";
String address = "Northeast";
// Parameter names must match what the backend expects; no spaces around "&" or "="
String parameter = "name=" + name + "&address=" + address;

2. Append a timestamp and the fixed value required by the backend to the spliced string


import java.util.Date;

// Get the system timestamp (milliseconds since the epoch)
Date dt = new Date();
long timeStamp = dt.getTime();
String signText = parameter + "&time=" + timeStamp + "&salt=fangzhou";

3. Urlencode the spliced signText


import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Declared outside the try block so it is still in scope for the MD5 step
String urlencoderText = null;
try {
    urlencoderText = URLEncoder.encode(signText, "utf-8");
} catch (UnsupportedEncodingException e) {
    e.printStackTrace();
}

Note: URLEncoder.encode declares a checked exception, so the call has to sit in a try/catch; this is nothing more than a call to a standard Java method.

4. Then hash it with MD5

// MD5 hash of the urlencoded string
String md5Text = md5(urlencoderText);

For the md5 method, any of the standard MD5-to-hex helpers found online will do; copy and paste it in as-is.

If the backend wants all letters of the hashed value in uppercase (or lowercase), do it like this:

// MD5 hash, then uppercase
String md5Text = md5(urlencoderText).trim().toUpperCase();

Note: this is the uppercase version; for lowercase, simply append the following to the string instead:

.trim().toLowerCase();

That is enough for the signature itself. But you think it's over? Dude, it's not that simple. The biggest pitfall comes next; I'll just show the code.

First, the request framework I use is xutils (I won't go into how to use it; I'm sure everyone knows it already, Chinese programmers are the best).


// Set the request address
params = new RequestParams(url);

// Add the request parameters, exactly as they went into the signature
params.addBodyParameter("name", name);
params.addBodyParameter("address", address);
// --- Add the timestamp ---
params.addBodyParameter("time", String.valueOf(timeStamp));

// Signed parameter: sign
params.addBodyParameter("sign", md5Text);

Notice: the request parameters are added un-encoded, exactly as they were before transcoding, and every one of them must be present, the timestamp as a parameter of its own included. But the salt, which went into the signed string above, is NOT added to the request! The transcoded and hashed value is added last as the sign parameter.

Then send the request the normal way, and that's it.

In one sentence: splice first, then transcode, then hash, then send the request.
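Here is the whole flow as one runnable class (an added example, not the code from my project): buildSign does steps 1 to 4 with an MD5 helper of the copy-and-paste kind, and verify shows what the backend's signature-and-validity check comes down to. The parameter names, the salt value fangzhou from above and the 5-minute validity window are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class SignDemo {
    // Shared with the backend out of band; it goes into the signed text but never into the request.
    static final String SALT = "fangzhou";
    // Assumed validity window for the "time" parameter (the post does not state the backend's value).
    static final long MAX_AGE_MS = 5 * 60 * 1000L;

    // Client side, steps 1-4: splice, append time and salt, urlencode, MD5, uppercase.
    static String buildSign(String name, String address, long timeStamp) throws Exception {
        String parameter = "name=" + name + "&address=" + address;              // step 1
        String signText = parameter + "&time=" + timeStamp + "&salt=" + SALT;  // step 2
        String urlencoderText = URLEncoder.encode(signText, "UTF-8");           // step 3
        return md5(urlencoderText).trim().toUpperCase();                        // step 4
    }

    // The md5 helper the post leaves to copy-and-paste: MessageDigest output as 32 hex chars.
    static String md5(String text) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(text.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Backend side: what "verify the signature and validity time" amounts to. It receives name,
    // address, time and sign, rejects a stale time, rebuilds the sign with its own copy of the
    // salt and compares in constant time, so a changed parameter or a replayed old request fails.
    static boolean verify(String name, String address, long time, String sign, long now) throws Exception {
        if (Math.abs(now - time) > MAX_AGE_MS) return false;
        String expected = buildSign(name, address, time);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     sign.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long time = System.currentTimeMillis();
        String sign = buildSign("Song Xiaobao", "Northeast", time);
        System.out.println("sign=" + sign);
        System.out.println("fresh request accepted: " + verify("Song Xiaobao", "Northeast", time, sign, time + 1000));
        System.out.println("tampered address rejected: " + !verify("Song Xiaobao", "Beijing", time, sign, time + 1000));
        System.out.println("replay outside window rejected: " + !verify("Song Xiaobao", "Northeast", time, sign, time + MAX_AGE_MS + 1));
    }
}
```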

Supplementary knowledge: sign signature authentication of URL parameters

The following is based on other people's blog posts. If anything is lacking, please point it out.

Let's start with a question: when you write an open API interface, how do you ensure the security of the data?

First, what security problems are there? In an open api interface, when a client requests the server over HTTP POST or GET, it faces a number of security problems, such as:

1. Is the source (identity) of the request legitimate?

2. Have the request parameters been tampered with?

3. Is the request unique (cannot be replayed)?

Solution: to protect the data in transit, we can sign the request parameters and have the server verify the signature.

Case analysis

We analyse the case of writing a backend interface (api) for a mobile client (app):

Client: hereinafter app

Backend interface: hereinafter api

We use the app's product-list query for the analysis:

Click the query button in the app ==> call the api query ==> the query result is returned ==> displayed in the app

1. No validation at all

api query interface:

app call: http://api.test.com/getproducts?parameter1=value1......

As above, this approach is simple and crude: calling getproducts returns the product list. But it has a serious security problem: with no verification at all, anyone can fetch the product list through this method, leaking product information.

So how do we verify the caller's identity, and how do we prevent the parameters from being tampered with?

2. MD5 parameter signing

We optimise the api product query interface:

1. Assign a key and a secret to the app.

2. Sign the request. When calling the api, the request parameters must carry a signature that the api verifies. The signing method is as follows:

a. Sort all request parameters alphabetically by parameter name and concatenate each name with its value to obtain a string of the form keyvaluekeyvalue...keyvalue. For example, arong=1, mrong=2, crong=3 sorts to arong=1, crong=3, mrong=2, and splicing the names and values gives the parameter string arong1crong3mrong2.

b. Prepend secret to the parameter string and MD5 it. The resulting hex string is converted to uppercase; this is the signature sign.

New api interface:

app call: http://api.test.com/getproducts?key=app_key&sign=BCC7C71CF93F9CDBDB88671B701D8A35&parameter1=value1&parameter2=value2......

Note: secret is used only for signing. Never pass it as a request parameter, or the data is no longer secure.

As above, the optimised request carries two more parameters, key and sign, so a legitimate key and a correct sign are now required to obtain product data. This solves authentication and parameter tampering. Even if the request parameters are captured, that is fine: the secret is never transmitted, so whoever captured them cannot obtain it and cannot forge a legitimate request.

But... is that enough? Careful readers will notice that if I capture your complete link, I can reuse your key, sign and parameters as they are and still get the data normally. Yes, the optimisation above is still not enough.

Uniqueness of the request:

To stop others from reusing the request parameters, we need to make each request unique, that is, valid only once, so that even a captured complete request link is useless.

Implementing uniqueness: we add a timestamp parameter, timestamp (format yyyyMMddHHmmss), to the request parameters above. Like any other request parameter, timestamp also goes into the sign algorithm.

New api interface:

app call:

http://api.test.com/getproducts?key=app_key&sign=BCC7C71CF93F9CDBDB88671B701D8A35&timestamp=201603261407&parameter1=value1&parameter2=value2......

As above, the api uses the timestamp to check whether the request has expired, so even a complete captured request link becomes invalid once it is old.

Security analysis of the sign signature:

From the case above we see that the key to security is that secret takes part in the signature but is never transmitted, so as long as secret is not leaked the request cannot be forged.
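An added example of the api side of this scheme (my own code, not from the referenced blog): it sorts and concatenates the parameters, prepends secret, takes the uppercase MD5 and compares it in constant time, and rejects a request whose timestamp lies outside an assumed 5-minute window. The app_key to secret lookup, the parameter names and the window are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Map;
import java.util.TreeMap;

public class ApiSignCheck {
    static final Map<String, String> SECRETS = Map.of("app_key", "demo-secret-not-sent"); // constructed
    static final DateTimeFormatter TS = DateTimeFormatter.ofPattern("yyyyMMddHHmmss");
    static final Duration MAX_SKEW = Duration.ofMinutes(5);   // assumed expiry window
    // Steps a and b: sort by name, concatenate name+value, prefix the secret, MD5, uppercase hex.
    static String sign(Map<String, String> params, String secret) throws Exception {
        StringBuilder joined = new StringBuilder(secret);
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            joined.append(e.getKey()).append(e.getValue());
        }
        byte[] digest = MessageDigest.getInstance("MD5").digest(joined.toString().getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }
    // api side: given every query parameter of the request, check source, expiry and integrity.
    static boolean verify(Map<String, String> query, LocalDateTime now) throws Exception {
        String secret = SECRETS.get(query.get("key"));     // unknown key: not a legal source
        String sign = query.get("sign");
        String ts = query.get("timestamp");
        if (secret == null || sign == null || ts == null) return false;
        LocalDateTime sent;
        try { sent = LocalDateTime.parse(ts, TS); } catch (RuntimeException ex) { return false; }
        if (Duration.between(sent, now).abs().compareTo(MAX_SKEW) > 0) return false;   // expired
        Map<String, String> signed = new TreeMap<>(query);
        signed.remove("sign");                             // everything else, timestamp included, is signed
        String expected = sign(signed, secret);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), sign.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> q = new TreeMap<>(Map.of("key", "app_key", "timestamp", "20160326140700",
                                                     "arong", "1", "mrong", "2", "crong", "3"));
        q.put("sign", sign(q, SECRETS.get("app_key")));    // the app side of the exchange
        LocalDateTime now = LocalDateTime.of(2016, 3, 26, 14, 8);
        System.out.println("valid request: " + verify(q, now));
        System.out.println("replayed a day later: " + verify(q, now.plusDays(1)));
        q.put("arong", "9");
        System.out.println("tampered parameter: " + verify(q, now));
    }
}
```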
