堆栈内存溢出
  简体   繁体   English

公钥和私钥API

[英]Public and private API keys

 原文  2012-06-11 01:25:18       api/ hash/ hmac/ api-key

问题描述

I'm developing an API system which requires this type of authentication. 我正在开发一个需要这种身份验证的API系统。 The user will send an HTTP request with its id, the data, and a hash (the data hashed with the private key) and then in the server I check if the hash matches with the same procees here. 用户将使用其id,数据和散列(使用私钥散列的数据)发送HTTP请求,然后在服务器中检查散列是否与此处的相同过程匹配。
Is it like the implementation must be? 是否必须实施?
And I'm going to use as public key the id of the client but what is the best method to generate the private key, sha256 of the id, of a randon number? 而且我将使用客户端的id作为公钥,但是生成私钥的最佳方法是什么,id的sha256,randon数?

2 个解决方案

解决方案1
 1  2012-06-11 03:47:37

This is not Private/Public-key cryptography. 这不是私有/公钥加密。 In such a system, the client would encrypt the whole data and you would then decrypt it using your private key. 在这样的系统中,客户端将加密整个数据 ,然后您将使用您的私钥解密它。 You would never give your private key to the client. 您永远不会将您的私钥提供给客户。

What you are doing is request signature. 您正在做的是请求签名。 You give a "secret" (what you are calling "private key"), then they use this to generate a hash. 你给出一个“秘密”(你称之为“私钥”),然后他们用它来生成一个哈希。 You can then check the hash on your server since you also know the secret. 然后,您可以检查服务器上的哈希,因为您也知道密码。

There would not be a public key in this kind of system. 在这种系统中不会有公钥。 You normally identify the client using a session key or token, so the client needs to authenticate first (which means you need some authentication method). 您通常使用会话密钥或令牌来标识客户端,因此客户端需要首先进行身份验证(这意味着您需要一些身份验证方法)。 Essentially, what you are trying to implement is OAuth. 从本质上讲,您要实现的是OAuth。 Perhaps have a look at the library and see if you can use it directly - http://oauth.net/documentation/getting-started/ 也许看看图书馆,看看你是否可以直接使用它 - http://oauth.net/documentation/getting-started/

解决方案2
 1 已采纳  2012-06-11 04:17:12

checking out what amazon s3 is doing for the authentication might be a good start 检查亚马逊s3正在做什么进行身份验证可能是一个好的开始

basically they are doing the same thing as you proposed, and they use RFC 2104HMAC-SHA1 for the hashing. 基本上他们做的和你提出的一样,他们使用RFC 2104HMAC-SHA1进行散列。 The implementation depends on your choice of languages. 实施取决于您选择的语言。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用私钥和公钥进行API身份验证 - API authentication using private and public keys Shrimpy API 不接受公钥/私钥 - Shrimpy API does not Accept Public/Private Keys 为了安全起见,是否应该/可以定期更改其公共和私有API密钥? - Should/can one change their Public and Private API keys on a regular basis for security purposes? 私有和公共端的API安全性 - API security on private and public side Python中带有私有元素的公共API - Public API with Private Elements in Python 如何处理公共 API 密钥? - How to handle public API Keys? 是否可以保护公共api密钥? - Is it possible to secure public api keys? 创建供个人和公共使用的Rails API - Creating a Rails API for private and public use api用于公共和私人使用的正确头 - api proper headers for public and private usage 如何将公共 Web 服务 API 设为私有? - How to make a public web service API private?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM