The title is rather vague, but this article introduces how to use Python to add authentication to an HTTP API so that it cannot be used by anyone who happens to find it. A few premises need stating first. First, we implement authentication over plain HTTP, so HTTPS is not considered here. Second, the purpose of authentication is to allow an HTTP API to be used only by the correct (authenticated) caller, rather than by anyone at all.
Once the purpose of HTTP API authentication is understood, we can move on to the design.
I have written several API interfaces before, mainly to transfer database data. Because the data is sensitive, I used authentication. To save effort at the time, the scheme was extremely simple: an auth field was added to the API request, and the server checked its content, which was a fixed, hard-coded MD5 string. This is still a form of authentication (anyone who does not know the content of the auth field cannot get data from the API), but if traffic on the LAN is sniffed, the scheme is useless, because the captured field can simply be reused.
A better design is to implement a shared signing algorithm on both the client and the server. The algorithm can be fully custom, but that is more complicated. A simpler approach: arrange the request parameters and content in a fixed order, add a timestamp, and hash the whole thing. The server obtains the same parameters, recomputes the hash, and compares it with the hash sent by the client. Because of the timestamp, even if traffic is monitored, a replayed request cannot authenticate successfully (the timestamps differ).
- Note: This article describes an authentication method for an API, which differs from authentication for a website. The right choice depends mainly on the API's application scenario. If the API is called by internal staff and the number of callers is small, the scheme above is sufficient, because the key used for signing can be handed to the user through some other secure channel (even on paper, 2333), instead of using asymmetric plus symmetric encryption, digital certificates and the rest of the complex authentication machinery of the HTTPS protocol.
Ok, the section above introduced some API authentication schemes; what comes next? I am not going to show how to develop the code for such a scheme from scratch. Instead, I mainly want to recommend an open source project, hawk, which implements HTTP request authentication and has a Python implementation module, mohawk. I recommend it because it is simple and practical.
Because I spent only 2 hours studying the mohawk module (really, 2 hours), this article mainly covers the basic usage of mohawk. In enterprises, the API authentication scheme is generally designed in-house (typically a token ciphertext is generated and strict two-factor authentication is performed). So this module is suited to beginners who want hands-on practice, and it can also give an idea to those who intend to design their own scheme. What follows is some of the basic usage from my reading of the mohawk documentation; for more detail, refer to the official documentation.
Here I use Python's falcon framework to build the API web server. If you are unfamiliar with falcon, read this first: https://thief.one/2017/11/27/1/
After building the web server, we naturally need to construct HTTP requests to verify that a request goes through the authentication process and that the authentication result is correct. Here we use the requests package to build them.
Mohawk is the Python implementation of hawk. Its main classes are Sender and Receiver, among others; you can read the source code for the details.
Sender is used on the client to generate the credentials needed for HTTP request authentication. It takes several parameters, such as url, method, content (the POST data), content_type, and credentials (a dict containing the id, the key and the hash algorithm). From these values it computes a MAC over the request, which we then pass to the server in the request headers.
Receiver is used on the server to receive the request sent by the client, compute a fresh MAC from the received parameters, and compare it with the MAC transmitted by the client, which achieves the authentication.
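As an added example (not mohawk's own code, only the Python standard library), the following shows the Sender/Receiver split in miniature: the client signs method, path, timestamp, nonce and a body hash with a shared key, and the server recomputes the MAC, enforces a timestamp window and rejects an already-seen (timestamp, nonce) pair. The nonce is an assumption of this example: a timestamp alone still admits replay inside the clock-skew window, which is why hawk also carries one. The credentials and request body are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credentials; the key is shared with the client out of band.
CREDENTIALS = {"client-1": b"constructed-shared-key"}
MAX_SKEW = 60  # seconds a request timestamp may differ from the server clock


def canonical(method, path, ts, nonce, body):
    """Arrange method, path, timestamp, nonce and a body hash in a fixed order."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign(client_id, method, path, body, ts=None, nonce=None):
    """Client side (the Sender role): compute the MAC and build the header value."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical(method, path, ts, nonce, body)
    mac = hmac.new(CREDENTIALS[client_id], msg, hashlib.sha256).hexdigest()
    return f'id="{client_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


class Receiver:
    """Server side: recompute the MAC and refuse stale, replayed or forged requests."""

    def __init__(self, lookup, now=time.time):
        self.lookup = lookup  # client id -> key, or None if unknown
        self.now = now        # injectable clock so the window can be tested
        self.seen = set()     # (ts, nonce) pairs already accepted

    def verify(self, header, method, path, body):
        fields = {}
        for part in header.split(", "):
            name, value = part.split("=", 1)
            fields[name] = value.strip('"')
        key = self.lookup(fields.get("id"))
        ts, nonce = int(fields["ts"]), fields["nonce"]
        if key is None or abs(self.now() - ts) > MAX_SKEW:
            return False  # unknown client or timestamp outside the window
        if (ts, nonce) in self.seen:
            return False  # the same capture presented again: replay
        expected = hmac.new(key, canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, fields["mac"]):
            return False  # wrong key, or method/path/body tampered with in transit
        self.seen.add((ts, nonce))
        return True
```

In a falcon resource the header value would come from `req.get_header(...)` and the body from `req.stream`; on the client, requests would carry it in a header the server agrees on.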