dongzhan5943 2014-07-21 18:08
浏览 49
已采纳

CI REST服务器API密钥

I am a newbie to API development, but have successfully managed to implement CI REST Server by Phil Sturgeon and Chris Kacerguis by reading all articles I could find, but there is one answer that eludes me, from the following question: CodeIgniter REST API Library Ajax PUT throwing 403 Forbidden and How can I generate an API Key in My own Controller in Codeigniter.

I have added the "boguskey" to the database as suggested in the first question's accepted answer, but I am confused about security here. If I need to have a hard-coded API key to generate new keys, and someone can view the header to see this bogus API key, how do I secure my API then from someone who then use this API key to generate tons of API keys for us within my API? If I do not add the boguskey, then I get "Invalid API key" regardless of which function I call.

My apologies if this is a stupid question, but if someone has an example of how I can generate keys securely (or at least inform me if I am misinterpreting the situation) I will greatly appreciate it.

  • 写回答

1条回答 默认 最新

  • dstwfcz1377 2017-05-07 22:40
    关注

    To ensure the max security you should encrypt all the sent data, then if the API could decrypt it correctly you should be fine, you can use RSA encryption, so if any one intercept the request he cant decrypt or clone it, But RSA is not designed to be used on long blocks of plain text, so you can use hybrid encryption. Namely, this involves using RSA to asymmetrically encrypt a symmetric key.

    Randomly generate a symmetric encryption (say AES) key and encrypt the plain text message with it. Then, encrypt the symmetric key with RSA. Transmit both the symmetrically encrypted text as well as the asymmetrically encrypted symmetric key.

    The API can then decrypt the RSA block, which will yield the symmetric key, allowing the symmetrically encrypted text to be decrypted.

    To implement RSA on CodeIgniter you can use this class, call the file on your controller require_once("RSA.php");.

    On the API consumer controller make an array which will contain the data and the the asymmetrically encrypted symmetric key 

    $request_data = array();
$request_data["username"] = "taghouti";
$request_data["project"] = "Secured_API";
$serialized_request_data = serialize($request_data);
$enc = new RSAEnc($serialized_request_data,'public_key');
$encrypted = $enc->result();
$request_data = array(
    "data" => base64_encode($encrypted->result), 
    "key" => base64_encode($encrypted->key)
);

    And on the API controller you should try to decrypt the symmetric key using your private key, if the decryption done successfully you should be fine

    if ($_POST["key"]) {
  $key = base64_decode($_POST["key"]);
  $_POST["key"] = null;
  if (isset($_POST["data"])) {
    $data = base64_decode($_POST["data"]);
    $dec = new RSADec($data, 'private_key', $key);
    $decrypted = $dec->result();
    if($decrypted->success !== true) die("Decryption failed");
    $decrypted = @unserialize($decrypted->result);
    $_POST = is_array($decrypted) ? $decrypted : array();
    $this->_post_args = $_POST;
  }
} 

if($this->input->post('project') && $this->input->post('username')) {
  //Enjoy
} else {
  die('data parsing error');
}
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
  • ¥500 火焰左右视图、视差(基于双目相机)
  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)