Questions about adding signatures to prevent attacks

see a solution on the Internet: "after the client sorts the parameters and encrypts them with MD5, they get sign." The server once again encrypts your parameters by MD5, and compares the values obtained twice, and the same verification is successful. In order to prevent packet grabbing, and then keep sending attacking packets "

"

how can this prevent attacks?
attackers can also encrypt the parameter MD5 and send it to the server.

Mar.12,2021

if you only do md5, you usually add something like appkey when you md5, or salt, is not passed through parameters (both front and back know the value), so as to prevent others from tampering and constructing the request.

if you do md5 and encryption at the same time, it's OK, just don't pass the key.


add the answer upstairs, focusing on the replay attack.

it is possible to request to be caught by someone else and use it to repeat the request.
so the design idea is as follows:

first of all, all schemes should have an agreed secret key when encrypting. Ensure that attackers cannot calculate sign by themselves

scenario A: verify whether md5 has been requested

so that each request has a unique md5, server that writes the md5 to the cache after the request is completed for the first time.
check whether there is a md5, before processing the request next time. If so, it means that the request is repeated.

but did you think that there is a disadvantage here:
every request has to write a md5 into the cache. If the number of requests is relatively large, it takes up a lot of cache

.

scenario B: add a timestamp to the parameter

if the time difference is more than 60s, it means that the request was grabbed by someone else and used as a repeat request attack.

this scheme also has its drawbacks:
client-side and server-side time consistency requirements are relatively high.

Ultimate solution: combine the two.

timestamp + md5
1. Time difference of more than 120s represents repeat request
2 and md5 write cache. Cache duration is 120s (greater than or equal to the above value). Judge if md5 represents repeat request

this solves the problem of repeated requests relatively well.


actually I am concerned about the effect of the non-sorting of parameters. It is not more convenient to use the submitted data directly. After all, security is reflected on appkey

.
MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e45981-430f9.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e45981-430f9.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?