
API Security Protection

In API services, X-Timestamp, X-Nonce, X-AccessKey, and X-Signature are common core components of API request signature mechanisms, primarily used for authentication, data integrity verification, and preventing replay attacks.

Core Components Analysis

1. X-Timestamp (Timestamp)

Function

  • Records the request initiation time (usually Unix timestamp), used by the server to verify request timeliness.

Problems Solved

  • Prevents Replay Attacks: The server sets a timestamp validity period (e.g., 5 minutes), directly rejecting expired requests, preventing attackers from replaying intercepted legitimate requests after timeout.
  • Synchronization Check: Ensures the clock difference between client and server stays within a reasonable range, so that a tampered or badly skewed client clock cannot be used to keep stale requests valid.

2. X-Nonce (One-time Random Number)

Function

  • A unique random string (such as a UUID) generated fresh for every request, so that two requests with identical parameters are still distinguishable.

Problems Solved

  • Prevents Duplicate Requests: The server caches the Nonce values it has already seen (scoped to the timestamp validity window so the cache stays bounded) and rejects any request whose Nonce has already been processed.
  • Makes Signatures Non-reusable: Even requests with identical parameters produce different signatures because their Nonce values differ, so a captured signature cannot be reused for another request.

3. X-AccessKey (Access Key)

Function

  • Identifies the client identity (such as user, application, or service), usually paired with a server-preassigned SecretKey.

Problems Solved

  • Identity Authentication: Verifies that the requester is a legitimately registered client.

4. X-Signature (Request Signature)

Function

  • The client uses SecretKey to generate a signature for the request content (parameters, path, timestamp, Nonce, etc.), and the server verifies the signature using the same algorithm.

Problems Solved

  • Data Integrity: Ensures the request has not been tampered with during transmission (parameter modifications will cause signature verification failure).
  • Prevents Identity Forgery: Attackers cannot generate correct signatures without the SecretKey, preventing forgery of legitimate requests.
  • Binds Critical Parameters: The signature algorithm typically includes request method, path, parameters, etc., ensuring request content consistency with the signature.

Overall Process Example

Client Signature Generation Steps

  1. Concatenate the request data to be signed (method, path, parameters, timestamp, Nonce, etc.) in a fixed order agreed with the server.
  2. Use the SecretKey to compute the signature over that string with the agreed keyed algorithm (typically an HMAC) and store it in the X-Signature header.
  3. Add X-Timestamp, X-Nonce, X-AccessKey, and X-Signature to the request headers and send.

Server Verification Process

  1. Verify timestamp: Check if it's within the validity period (e.g., ±5 minutes).
  2. Verify Nonce: Check if it already exists (prevent duplicate requests, can be combined with timestamp caching).
  3. Verify signature: Find the corresponding SecretKey through AccessKey, regenerate signature using the same algorithm, compare with X-Signature.
  4. Result processing: If all pass, execute request logic; otherwise return 401 Unauthorized or 403 Forbidden error.
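The client steps and server checks above, carried through end to end as an added example (this is illustrative code, not code from the original page). It assumes HMAC-SHA256 over a newline-joined canonical string with sorted query parameters, a ±300 second timestamp window, an in-memory nonce cache bounded by that window, and a constructed AccessKey/SecretKey pair that is not a real credential. The canonical string format and the header names other than the four on the page are assumptions.

```python
import hashlib
import hmac
import time
import uuid
from urllib.parse import urlencode

# Constructed demo credential store (AccessKey -> SecretKey); not real keys.
SECRETS = {"demo-access-key": "demo-secret-key-0123456789"}
WINDOW_SECONDS = 300  # ±5 minutes, as described in the server verification steps


def canonical_string(method, path, params, timestamp, nonce):
    """Fixed-order string both sides sign: method, path, sorted query, timestamp, nonce.
    Sorting the parameters makes the result independent of the order the client sent them."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp), nonce])


def sign(secret, canonical):
    """Keyed signature (HMAC-SHA256) over the canonical string; hex-encoded."""
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def build_headers(access_key, secret, method, path, params, now=None, nonce=None):
    """Client side: produce the four signing headers for one request."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or uuid.uuid4().hex  # fresh one-time value per request
    sig = sign(secret, canonical_string(method, path, params, ts, nonce))
    return {"X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-AccessKey": access_key, "X-Signature": sig}


class Verifier:
    """Server side: timestamp window, nonce replay cache, signature recomputation."""

    def __init__(self, secrets, window=WINDOW_SECONDS):
        self.secrets = secrets
        self.window = window
        self.seen = {}  # nonce -> timestamp it was accepted with

    def _purge(self, now):
        # A nonce older than the window can never pass the timestamp check again,
        # so it can be dropped; this keeps the cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def verify(self, method, path, params, headers, now=None):
        """Return (status, reason): 200 on success, 401/403 on failure."""
        now = int(now if now is not None else time.time())
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            access_key = headers["X-AccessKey"]
            provided = headers["X-Signature"]
        except (KeyError, ValueError):
            return 401, "missing or malformed signature headers"
        # 1. Timestamp must be within ±window of server time.
        if abs(now - ts) > self.window:
            return 401, "timestamp outside validity window"
        # 2. Nonce must not have been accepted before (replay).
        self._purge(now)
        if nonce in self.seen:
            return 401, "nonce already used"
        # 3. Look up the SecretKey by AccessKey, recompute, compare in constant time.
        secret = self.secrets.get(access_key)
        if secret is None:
            return 401, "unknown access key"
        expected = sign(secret, canonical_string(method, path, params, ts, nonce))
        if not hmac.compare_digest(expected, provided):
            return 403, "signature mismatch"
        # 4. Only a fully verified request consumes its nonce.
        self.seen[nonce] = ts
        return 200, "ok"


if __name__ == "__main__":
    key = "demo-access-key"
    params = {"id": "42", "qty": "1"}
    headers = build_headers(key, SECRETS[key], "POST", "/api/order", params)
    v = Verifier(SECRETS)
    print(v.verify("POST", "/api/order", params, headers))            # (200, 'ok')
    print(v.verify("POST", "/api/order", params, headers))            # replayed -> 401
    print(v.verify("POST", "/api/order", {**params, "qty": "2"},
                   build_headers(key, SECRETS[key], "POST", "/api/order", params)))  # tampered -> 403
```

Two design points worth noting: the comparison uses hmac.compare_digest rather than == so that a byte-by-byte early exit cannot leak timing information about the expected signature, and the nonce is recorded only after every other check passes, so a rejected request cannot burn a nonce that a legitimate retry might need.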

Mechanism Advantages Summary

Function and implementation method:

  • Authentication: AccessKey identifies the client identity; the Signature verifies that the client holds the legitimate SecretKey.
  • Data Tamper Prevention: The Signature binds the request content (method, path, parameters, etc.); any modification causes signature verification to fail.
  • Replay Attack Prevention: The Timestamp ensures timeliness and the Nonce ensures request uniqueness; together they reject duplicate and expired requests.
  • Non-repudiation: The Signature can trace the request to its source, so the client cannot deny legitimate requests it initiated.

toolsetlink@163.com