Answer the question
In order to leave comments, you need to log in
API for the site and application, how to do?
Hey! I have an application that needs to be activated with a key. And a site with a directory where these keys are stored. I myself add the keys to this directory, and in the program this key is checked against the uuid of the computer. And I need to make it so that when entering the key, the program would make a request to the .php file, which will check for the presence of this key and display a message, "this key is already registered, etc" (I already did this). but the fact is that if I make a get request in the program to this file (for example , http://site.ru/api.php?key=key that needs to be checked for existence), then each person can track this request and check having a key through a .php file, on your own. Can I make it so that only my program can do this action?
Answer the question
In order to leave comments, you need to log in
I would not complicate and would make an additional checksum check in the transmitted key hash.
- I would not betray the key in clear text, but would encrypt it into something like
key = md5(key + salt)
- Then I would generate an additional string based on the data available to both sides of the request, for example:
check = md5(external ip)
- Further, according to a special algorithm that only I and both software know about, I would mix the value of key and check. For example, the first 5 characters in check would be added through the letter in key. For special paranoia, you can make the encryption method based on the software version or in general by a preliminary request to the server
- On the server, I would again restore the key and the check part, and compare it with the generated check on the server.
- If the check matched, then it would check the key with its base
. Even in the case of an interception, it will be difficult to choose an algorithm. And brute force on a server can be tracked. Of course, this will not save you from disassembling .. but someone who can afford to understand the encryption algorithm from the assembler source code (i.e. figure out how check is generated and what is used for the salt) is unlikely to be able to simply cut down the request to the server or restrictions ..
.- _
Firstly, https, not http at all.
Secondly, if you want to be helped, be clearer what exactly confuses you.
How will the villains trace the request?
Firstly, you can use https, in addition you can ssl pinning
Secondly, what's wrong with finding out the address where you can check the key?
If the key is of the form 1234-5678-9012-3456-7890, then it will not work to sort through all the options, plus you can limit the frequency of checks and / or the total number of checks from one IP.
Or are you worried about something else - about replacing your server (through hosts) and activating the program with any key?
I support Vitaly Orlov. In your case, the easiest and fastest solution is implicit passing.
Send the hash of the key with a salt, and on the server look for a file whose name + the same salt = the received key.
You can break everything and always, the question is whether it is worth fencing in a particular case an incredible garden of excessively complicated actions. :)
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question