
API Security Protection

In API services, X-Timestamp, X-Nonce, X-AccessKey, and X-Signature are common core components of API request signature mechanisms, primarily used for authentication, data integrity verification, and preventing replay attacks.

Core Component Analysis

1. X-Timestamp (Timestamp)

Functions

  • Records the request initiation time (usually Unix timestamp) for server-side validation of request timeliness.

Problems Solved

  • Prevent Replay Attacks: The server sets a timestamp validity period (e.g., 5 minutes), directly rejecting expired requests. Attackers cannot replay intercepted legitimate requests after they expire.
  • Synchronization Check: Ensures the time deviation between client and server is within a reasonable range, preventing time tampering from affecting request validity.

2. X-Nonce (One-time Random Number)

Functions

  • Generates a unique random string (e.g., UUID) to ensure the uniqueness of each request.

Problems Solved

  • Prevent Duplicate Requests: The server caches Nonce values (or combines with timestamps) to reject duplicate requests that have already been processed.
  • Make Signatures Vary per Request: Even for requests with identical parameters, the signature differs because the Nonce differs, so a captured signature cannot be reused.

3. X-AccessKey (Access Key)

Functions

  • Identifies client identity (e.g., user, application, or service), usually paired with a server-preassigned SecretKey.

Problems Solved

  • Authentication: Verifies whether the requester is a legitimately registered client.

4. X-Signature (Request Signature)

Functions

  • The client uses SecretKey to generate a signature for the request content (parameters, path, timestamp, Nonce, etc.), and the server verifies the signature using the same algorithm.

Problems Solved

  • Data Integrity: Ensures the request is not tampered with during transmission (parameter modifications will cause signature verification to fail).
  • Prevent Identity Forgery: Attackers without the SecretKey cannot generate correct signatures and cannot forge legitimate requests.
  • Bind Critical Parameters: Signature algorithms typically include request methods, paths, parameters, etc., ensuring consistency between request content and signature.

Overall Process Example

Client Signature Generation Steps

  1. Concatenate the request data to be signed (method, path, parameters, timestamp, Nonce, etc.) in a fixed, agreed order.
  2. Use the SecretKey to generate a signature over that string with the agreed signing algorithm (a keyed hash such as HMAC, not reversible encryption) and store it in the X-Signature header.
  3. Add X-Timestamp, X-Nonce, X-AccessKey, and X-Signature to the request headers and send.

Server-side Verification Process

  1. Verify Timestamp: Check if it is within the validity period (e.g., ±5 minutes).
  2. Verify Nonce: Check whether it has already been seen within the timestamp window (to prevent duplicate requests; Nonces only need to be cached for the validity period, so they can be stored together with their timestamps).
  3. Verify Signature: Find the corresponding SecretKey via AccessKey, regenerate the signature using the same algorithm, and compare it with X-Signature.
  4. Result Handling: If all verifications pass, execute the request logic; otherwise, return 401 Unauthorized or 403 Forbidden errors.
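The client steps and the server-side checks above, carried through end to end as an added example (not code from the original page). It assumes HMAC-SHA256 as the signing algorithm, a newline-joined canonical string of method, path, sorted query parameters, timestamp and Nonce, a ±5 minute window, and a constructed in-memory credential store; the Nonce cache is pruned to the window and a constant-time comparison is used for the signature check.

```python
import hmac, hashlib, secrets, time
from urllib.parse import urlencode

# Constructed demo credential store (assumption: real keys live in a secrets store).
SECRET_KEYS = {"AK-demo": b"demo-secret-key"}
WINDOW_SECONDS = 300          # ±5 minutes, as in the text
seen_nonces = {}              # nonce -> timestamp; kept only for the window

def canonical_string(method, path, params, timestamp, nonce):
    """Fixed-order string to sign; sorted params make client and server agree byte for byte."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items())), timestamp, nonce])

def sign(secret, method, path, params, timestamp, nonce):
    msg = canonical_string(method, path, params, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def client_headers(access_key, secret, method, path, params, now=None):
    """Client side: steps 1-3 (canonicalize, sign with SecretKey, emit the four headers)."""
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(16)
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-AccessKey": access_key,
            "X-Signature": sign(secret, method, path, params, ts, nonce)}

def verify(headers, method, path, params, now=None):
    """Server side: returns (status, reason) following the verification order in the text."""
    now = now if now is not None else time.time()
    ts_raw = headers.get("X-Timestamp", "")
    try:
        ts = int(ts_raw)
    except ValueError:
        return 401, "bad timestamp"
    if abs(now - ts) > WINDOW_SECONDS:               # 1. timestamp within window
        return 401, "timestamp expired"
    for n, t in list(seen_nonces.items()):           # purge nonces outside the window
        if abs(now - t) > WINDOW_SECONDS:
            del seen_nonces[n]
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in seen_nonces:            # 2. nonce not yet seen
        return 401, "nonce replayed"
    secret = SECRET_KEYS.get(headers.get("X-AccessKey"))
    if secret is None:                               # 3a. AccessKey -> SecretKey lookup
        return 401, "unknown access key"
    expected = sign(secret, method, path, params, ts_raw, nonce)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return 403, "bad signature"                  # 3b. tampered or forged request
    seen_nonces[nonce] = ts                          # record only after every check passes
    return 200, "ok"                                 # 4. execute request logic
```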

Mechanism Advantage Summary

| Function | Implementation Method |
| --- | --- |
| Authentication | AccessKey identifies the client identity; the Signature verifies that the client holds a valid SecretKey. |
| Data Tamper-proofing | The Signature binds to the request content (method, path, parameters, etc.); any modification causes signature verification to fail. |
| Anti-replay | The Timestamp ensures timeliness and the Nonce ensures request uniqueness; together they reject duplicate or expired requests. |
| Non-repudiation | The Signature can trace the request source, so clients cannot deny initiating legitimate requests. |

toolsetlink@163.com