How to effectively prevent API replay attacks? (Frequently Asked Questions about invoking API products, Request Signature documentation, User Guide: Invoking APIs, API Gateway, Alibaba Cloud)

Replay attacks. An API replay attack, also known as a playback attack, is a malicious or fraudulent attempt to repeat a valid API request. The attacker captures a legitimate request through network sniffing or other means, optionally modifies it, and re-sends it to the authenticating server. This is one of the most common attack techniques used by attackers.

Does HTTPS data encryption protect against replay attacks?

No. Encryption prevents plaintext data from being observed on the wire, but it does not stop an attacker who has obtained a valid request from sending that request again.

Use signatures to prevent replay attacks

A signature authenticates the request and detects tampering, but on its own it does not prevent replay: an attacker who intercepts a request can re-send the intercepted content unchanged, at high frequency, and every copy still carries a valid signature.

The API gateway provides an effective mechanism to prevent replay attacks. To enable the gateway's anti-replay function, you need to use the Alibaba Cloud APP authentication mode. With this signature authentication, each request can be used only once, which prevents replay.

Alibaba Cloud APP: a digital signature calculated over the request content, used by the API gateway to identify the caller. When the client invokes the API, it adds the calculated signature to the request. After receiving the request, the API gateway calculates the signature using the same method. If the gateway's signature matches the one sent by the client, authentication succeeds; if it differs, authentication fails. For the signature scheme used by this authentication mode, see Request Signature.

The API gateway signature supports two optional headers, X-Ca-Timestamp and X-Ca-Nonce. The client can send both headers together when invoking the API to prevent replay attacks.

Principle

  1. All contents of the request, including the two headers below, are included in the signature calculation, so any change to the request causes signature verification to fail.
  2. For a request whose content is not modified, the two headers provide freshness and uniqueness:
    • X-Ca-Timestamp: the time at which the request was originated, which can be taken from the client machine's local clock. When the API gateway receives a request, it checks that this value lies within a 15-minute validity window.
    • X-Ca-Nonce: a unique identifier for the request, usually a UUID. After receiving this parameter, the API gateway checks that the same value has not been used before: each nonce value is accepted only once within the 15-minute window.

Take the following simplified example request (the parameter names and the md5-based signature here are illustrative; the gateway's own headers and signature algorithm are described in Request Signature):

a.com?uid=123&timestamp=1480556543&nonce=43f34f33&sign=80b886d71449cb33355d017893720666

sign = md5({secret}key1=val1&key2=val2&key3=val3…)

When the server receives this request, it performs three checks in order:

  1. Verify the sign value, which proves that the request parameters have not been tampered with (a request with an altered parameter, or an altered nonce or timestamp, no longer matches its signature).
  2. Then verify that timestamp has not expired, which proves that the request was sent within the validity window (60 seconds in this example; the API gateway uses 15 minutes).
  3. Finally, verify that the nonce has not been seen before, which proves that the request is not a replay of a request accepted within that window.
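The following Python example, added here and not part of the original page or of the API gateway's own code, implements the three server-side checks above together with the client-side signing step. It uses the page's illustrative md5-over-sorted-parameters scheme with a 60-second window; the real gateway signature algorithm, the X-Ca-Timestamp/X-Ca-Nonce header names and the 15-minute window are documented in Request Signature. The secret, the uid parameter and the ReplayGuard/build_request names are constructed for the demonstration. The walk-through shows a legitimate request being accepted, an exact replay rejected by the nonce check, a tampered replay rejected by the signature check, and a stale replay rejected by the timestamp check.

```python
import hashlib
import hmac
import uuid
from urllib.parse import parse_qsl, urlencode

# Illustrative scheme from the page: sign = md5({secret}key1=val1&key2=val2...)
# over the sorted parameters, excluding "sign" itself. This is not the API
# gateway's real algorithm; it only serves to show the anti-replay checks.

WINDOW_SECONDS = 60  # the page's example uses 60 s; the API gateway uses 15 minutes


def canonical_query(params: dict) -> str:
    """Sorted key=value pairs joined with '&', excluding the signature itself."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")


def compute_sign(params: dict, secret: str) -> str:
    return hashlib.md5((secret + canonical_query(params)).encode()).hexdigest()


def build_request(secret: str, now: int, **params) -> str:
    """Client side: add the timestamp and a fresh nonce, then sign everything."""
    params = dict(params, timestamp=str(now), nonce=uuid.uuid4().hex)
    params["sign"] = compute_sign(params, secret)
    return urlencode(params)


class ReplayGuard:
    """Server side: signature, timestamp-window and nonce-uniqueness checks."""

    def __init__(self, secret: str, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self._seen = {}  # nonce -> time at which it was first accepted

    def _expire_nonces(self, now: int) -> None:
        # A nonce only has to be remembered for the timestamp window: a replay
        # after that carries an expired timestamp and is rejected anyway.
        for n in [n for n, t in self._seen.items() if now - t > self.window]:
            del self._seen[n]

    def check(self, query: str, now: int) -> str:
        params = dict(parse_qsl(query, keep_blank_values=True))
        for required in ("timestamp", "nonce", "sign"):
            if required not in params:
                return f"missing {required}"
        # 1. The signature covers every parameter, so any tampering invalidates it.
        expected = compute_sign(params, self.secret)
        if not hmac.compare_digest(expected, params["sign"]):
            return "bad signature"
        # 2. The timestamp must be recent; far-future values are rejected too
        #    (a design choice here, so a pre-dated request cannot be stockpiled).
        try:
            ts = int(params["timestamp"])
        except ValueError:
            return "bad timestamp"
        if abs(now - ts) > self.window:
            return "expired"
        # 3. The nonce must not have been accepted before within the window.
        self._expire_nonces(now)
        if params["nonce"] in self._seen:
            return "replayed nonce"
        self._seen[params["nonce"]] = now
        return "ok"


def demo(now: int = 1480556543) -> list:
    """Constructed walk-through: legitimate request, exact replay, tampered replay, stale replay."""
    secret = "demo-secret"  # constructed value; never use a real key in a demo
    guard = ReplayGuard(secret)
    req = build_request(secret, now, uid="123")
    results = [guard.check(req, now)]                                          # ok
    results.append(guard.check(req, now + 5))                                  # replayed nonce
    results.append(guard.check(req.replace("uid=123", "uid=124"), now + 5))    # bad signature
    results.append(guard.check(req, now + WINDOW_SECONDS + 1))                 # expired
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters for cost: the signature is verified first so that an attacker who cannot sign requests can never fill the nonce store, and the nonce store only needs to hold values for the length of the timestamp window, because any replay older than that fails the timestamp check before the nonce is consulted.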