Open API Security Authentication Mechanism Based on Request Body
  • English title: Open API Security Authentication Mechanism Based on Request Body
  • Authors: 姜建武; 胡垚; 李景文
  • English authors: JIANG Jian-wu; HU Yao; LI Jing-wen; College of Geomatics and Geoinformation, Guilin University of Technology
  • Keywords: Open API; security authentication; RESTful API; information encryption
  • English keywords: open API; security certification; restful API; information encryption
  • Chinese journal title: KXJS
  • English journal title: Science Technology and Engineering
  • Affiliation: College of Geomatics and Geoinformation, Guilin University of Technology
  • Publication date: 2019-07-08
  • Publisher: Science Technology and Engineering (科学技术与工程)
  • Year: 2019
  • Issue: v.19; No.488
  • Funding: Supported by the National Natural Science Foundation of China (41461085); Guilin Science and Technology Bureau project (20170220); Guangxi Bureau of Surveying and Mapping project (2018-B-02)
  • Language: Chinese
  • Page: KXJS201919032
  • Page count: 5
  • CN: 19
  • ISSN: 11-4688/T
  • Classification number: 201-205
Abstract
To address the identity-forgery phishing attacks, leakage of account and business information, and malicious attacks on API platforms that current Open APIs face, this paper proposes an API security authentication mechanism based on the HTTP request body. The mechanism consists of five parts: double signature verification, request body encryption, URI verification, interface permission authentication, and anomaly detection. Together these guard against deception by phishing sites, harden the transmission of user data, and improve the API platform's ability to resist attacks. Online testing and verification in a real project show that the mechanism secures both users and interfaces while maintaining the speed of API authentication.