Why use an API key and secret?


Question

I came across many APIs that give the user both an API key and a secret. But my question is: what is the difference between both?

In my eyes, one key can be enough. Say I have a key and only I and the server know it. I create an HMAC hash with this key and do an API call. On the server, we create the HMAC hash again and compare it with the sent hash. If it's the same, the call is authenticated.

So why use two keys?

Or is that API key used to look up the API secret?

Recommended answer

Secret key cryptography relies on using the same key to encode and then later decode a message. Thus, only those who know the "secret" can read the message.

RSA security is based on 2 matching keys. There is a public key for each user, and everybody can (should) know it. There is also a private key that only the user should know. A message encrypted by the public key can only be decrypted by the private key, and vice versa.

Thus, if I want to send you a message that only you can read, I get (from the network) your public key, encrypt the message with that key and you are the only person who can decrypt it.

Or, if I want to prove to you that I sent a message, I can encrypt the message with my private key, tell you (in open text or in another message) how it was encrypted. Then you could decrypt the message with my public key, and if it becomes readable, you know it came from me.

This form of encryption is fairly computer intensive, so what sometimes is done is to encrypt a one-time "secret key" with RSA technology, then encrypt the rest of the message with the secret key, then encrypt my signature in the second fashion. You then reverse this process so if the message and the signature are readable, you and only you can read it and you are ensured that I sent the message.

You can visit this link for a more detailed explanation.

How do API keys and secret keys work?
