dongzhan5943 2014-07-21 18:08

CI REST server API key

I am a newbie to API development, but have successfully managed to implement CI REST Server by Phil Sturgeon and Chris Kacerguis by reading all articles I could find, but there is one answer that eludes me, from the following question: CodeIgniter REST API Library Ajax PUT throwing 403 Forbidden and How can I generate an API Key in My own Controller in Codeigniter.

I have added the "boguskey" to the database as suggested in the first question's accepted answer, but I am confused about security here. If I need to have a hard-coded API key to generate new keys, and someone can view the header to see this bogus API key, how do I secure my API from someone who then uses this API key to generate tons of API keys for us within my API? If I do not add the boguskey, then I get "Invalid API key" regardless of which function I call.

My apologies if this is a stupid question, but if someone has an example of how I can generate keys securely (or at least inform me if I am misinterpreting the situation) I will greatly appreciate it.


1 answer

dstwfcz1377 2017-05-07 22:40

    To ensure maximum security you should encrypt all the sent data; then, if the API can decrypt it correctly, you should be fine. You can use RSA encryption, so if anyone intercepts the request he can't decrypt or clone it. But RSA is not designed to be used on long blocks of plain text, so you can use hybrid encryption. Namely, this involves using RSA to asymmetrically encrypt a symmetric key.

    Randomly generate a symmetric encryption (say AES) key and encrypt the plain text message with it. Then, encrypt the symmetric key with RSA. Transmit both the symmetrically encrypted text as well as the asymmetrically encrypted symmetric key.

    The API can then decrypt the RSA block, which will yield the symmetric key, allowing the symmetrically encrypted text to be decrypted.

    To implement RSA on CodeIgniter you can use this class; include the file in your controller with require_once("RSA.php");.

    On the API consumer controller, make an array which will contain the data and the asymmetrically encrypted symmetric key.

    // Build the plaintext request and serialize it to a single string
    $request_data = array();
    $request_data["username"] = "taghouti";
    $request_data["project"] = "Secured_API";
    $serialized_request_data = serialize($request_data);
    // RSAEnc (from RSA.php) generates a random symmetric key, encrypts the
    // serialized data with it, and wraps that key with the API's public key
    $enc = new RSAEnc($serialized_request_data, 'public_key');
    $encrypted = $enc->result();
    // Send both parts base64-encoded so they survive as POST fields
    $request_data = array(
        "data" => base64_encode($encrypted->result),
        "key" => base64_encode($encrypted->key)
    );
    

    And on the API controller you should try to decrypt the symmetric key using your private key; if the decryption is done successfully, you should be fine.

    if (!empty($_POST["key"])) {
      // Recover the wrapped symmetric key and drop it from the request
      $key = base64_decode($_POST["key"]);
      $_POST["key"] = null;
      if (isset($_POST["data"])) {
        $data = base64_decode($_POST["data"]);
        // RSADec unwraps the symmetric key with the private key, then
        // decrypts the payload with it
        $dec = new RSADec($data, 'private_key', $key);
        $decrypted = $dec->result();
        if ($decrypted->success !== true) die("Decryption failed");
        // Only accept a serialized array; anything else becomes an empty request
        $decrypted = @unserialize($decrypted->result);
        $_POST = is_array($decrypted) ? $decrypted : array();
        // REST_Controller reads POST arguments from _post_args, so refresh it
        $this->_post_args = $_POST;
      }
    }

    if ($this->input->post('project') && $this->input->post('username')) {
      //Enjoy
    } else {
      die('data parsing error');
    }
    
    This answer was selected by the asker as the best answer.
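The hybrid scheme the answer describes, written out with PHP's bundled OpenSSL functions as an added example (it is not the RSA.php class the answer refers to, nor part of the original post). The function names hybridSeal() and hybridOpen() are assumptions; the key pair is generated inline only so the script runs stand-alone, whereas a real API keeps its private key server-side and hands consumers only the public key. It goes beyond the answer in one respect: AES-GCM authenticates the payload and a timestamp and nonce are sealed inside it, because encryption alone does not stop an intercepted request from being replayed.

```php
<?php
// Consumer side: fresh AES-256-GCM key per request, payload encrypted under it,
// the AES key wrapped with the API's RSA public key (OAEP padding).
function hybridSeal(array $payload, string $publicKeyPem): array {
    $aesKey = random_bytes(32); $iv = random_bytes(12);
    // Nonce and timestamp travel inside the ciphertext so the API can reject replays.
    $payload['nonce'] = bin2hex(random_bytes(16)); $payload['ts'] = time();
    $tag = '';
    $cipher = openssl_encrypt(json_encode($payload), 'aes-256-gcm', $aesKey,
                              OPENSSL_RAW_DATA, $iv, $tag);
    if ($cipher === false || !openssl_public_encrypt($aesKey, $wrapped, $publicKeyPem,
                                                     OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('sealing failed');
    }
    return [
        'key'  => base64_encode($wrapped),          // wrapped AES key
        'data' => base64_encode($iv . $tag . $cipher), // iv || gcm tag || ciphertext
    ];
}

// API side: unwrap the AES key with the private key, then decrypt and authenticate.
// Returns null on any failure so the controller can reject the request.
function hybridOpen(array $request, string $privateKeyPem, int $maxAgeSeconds = 300): ?array {
    $wrapped = base64_decode($request['key'] ?? '', true);
    $blob    = base64_decode($request['data'] ?? '', true);
    if ($wrapped === false || $blob === false || strlen($blob) < 28) {
        return null;                       // malformed or missing fields
    }
    if (!openssl_private_decrypt($wrapped, $aesKey, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;                       // wrong key or tampered wrapped key
    }
    $iv = substr($blob, 0, 12); $tag = substr($blob, 12, 16); $cipher = substr($blob, 28);
    $plain = openssl_decrypt($cipher, 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;                       // GCM tag mismatch: ciphertext was modified
    }
    $payload = json_decode($plain, true);
    if (!is_array($payload) || abs(time() - (int)($payload['ts'] ?? 0)) > $maxAgeSeconds) {
        return null;                       // stale request; also track seen nonces server-side
    }
    return $payload;
}

// Demo key pair (normally only the public half is given to consumers).
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privPem);
$pubPem  = openssl_pkey_get_details($pair)['key'];
$request = hybridSeal(['username' => 'taghouti', 'project' => 'Secured_API'], $pubPem);
echo hybridOpen($request, $privPem)['project'], PHP_EOL;
```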
