Why use an API key and secret?


Problem description

I came across many APIs that give the user both an API key and a secret. But my question is: what is the difference between both?

In my eyes, one key can be enough. Say I have a key and only I and the server know it. I create an HMAC hash with this key and do an API call. On the server, we create the HMAC hash again and compare it with the sent hash. If it's the same, the call is authenticated.

So why use two keys?

Or is that API key used to look up the API secret?

Recommended answer

Secret key cryptography relies on using the same key to encode and then later decode a message. Thus, only those who know the "secret" can read the message.

RSA security is based on 2 matching keys. There is a public key for each user, and everybody can (should) know it. There is also a private key that only the user should know. A message encrypted by the public key can only be decrypted by the private key, and vice versa.

Thus, if I want to send you a message that only you can read, I get (from the network) your public key, encrypt the message with that key and you are the only person who can decrypt it.

Or, if I want to prove to you that I sent a message, I can encrypt the message with my private key, tell you (in open text or in another message) how it was encrypted. Then you could decrypt the message with my public key, and if it becomes readable, you know it came from me.

This form of encryption is fairly computer intensive, so what is sometimes done is to encrypt a one-time "secret key" with RSA technology, then encrypt the rest of the message with the secret key, then encrypt my signature in the second fashion. You then reverse this process, so if the message and the signature are readable, you and only you can read it and you are ensured that I sent the message.

You can visit this link for a more detailed explanation.

How do API keys and secret keys work?
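The question's "one key is enough" scheme and the answer's point that the API key is used to look up the secret fit together in one design: the API key is a public identifier sent in the clear so the server knows which secret to use, while the secret never leaves the client and server and only appears indirectly through the HMAC. The following is an added example written for this page, not code from the question, the answer or any real API; the header names, the canonical string layout and the credential store are assumptions chosen for illustration. It also adds two checks a practitioner would want that the question does not mention: a timestamp bound into the signature to limit replay, and a constant-time comparison of the HMAC.

```python
import hashlib
import hmac
import time

# Constructed sample credential store (assumption): the server indexes
# secrets by the public API key. The key identifies; the secret proves.
CREDENTIALS = {
    "key_demo_01": b"s3cr3t-known-only-to-client-and-server",
}


def canonical_string(method, path, body, timestamp, api_key):
    """Bind every field the server will act on into one signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), api_key])


def sign_request(api_key, secret, method, path, body, timestamp):
    """HMAC-SHA256 over the canonical string, keyed with the shared secret."""
    msg = canonical_string(method, path, body, timestamp, api_key).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(api_key, secret, method, path, body, timestamp=None):
    """Client side: send the API key in the clear, never the secret."""
    ts = int(time.time()) if timestamp is None else timestamp
    sig = sign_request(api_key, secret, method, path, body, ts)
    return {
        "method": method,
        "path": path,
        "body": body,
        # Header names are an assumption for this example.
        "headers": {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": sig},
    }


def verify_request(req, now=None, max_skew=300):
    """Server side: look up the secret by API key, recompute, compare.

    Returns (ok, reason). All failure paths return the same shape so the
    caller can log the reason without revealing it to the client.
    """
    headers = req["headers"]
    api_key = headers.get("X-Api-Key", "")
    secret = CREDENTIALS.get(api_key)
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time()) if now is None else now
    # Replay limitation: reject requests whose timestamp is too far from now.
    if abs(now - ts) > max_skew:
        return False, "stale request"
    expected = sign_request(api_key, secret, req["method"], req["path"], req["body"], ts)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    req = build_request("key_demo_01", CREDENTIALS["key_demo_01"],
                        "POST", "/v1/orders", b'{"item": 7}', timestamp=now)
    print(verify_request(req, now=now))
    req["body"] = b'{"item": 8}'  # tampered in transit
    print(verify_request(req, now=now))
```

Because the secret is only an input to the HMAC, an observer of the wire sees the key, the timestamp and the signature but cannot recover the secret or forge a signature over a different body; because the key is separate from the secret, the server can rotate or revoke one client's secret without changing the identifier other systems log and rate-limit on.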
