# Weixin Mini Program Encrypted Network Channel

2.17.3

# I. Function introduction

During front-end development and debugging, developers often use proxy software to forward requests to their own project services, which makes it easy to switch development environments and run tests.

The proxy software relays data between the client and the real server.

In doing so, the proxy software can decrypt and inspect the SSL-encrypted data, then re-encrypt it and forward it to the original site. The client and the server both still believe they are talking over a secure encrypted connection, when in fact the confidentiality of the data has been compromised.

Beyond eavesdropping, because proxy software can decrypt SSL-encrypted communication, it can also modify data in transit and even inject malicious content. The same man-in-the-middle proxy can be abused by an attacker to intercept every request made on their own device.

They run Mini Programs, web pages or native apps from other developers on their devices; the proxy then captures and tampers with the request and response packets of normal requests, and replays the target request for malicious purposes (for example inflating experience points, altering game results, or placing a 1-cent order).

To defend against such man-in-the-middle proxy attacks, the plaintext of request and response packets needs to be encrypted once more on top of SSL. This adds a further layer of protection and keeps the data secure even after the proxy has stripped the SSL layer.

The WeChat team currently offers two solutions for encrypted network channels:

  1. API self-implementation: the WeChat platform maintains a reliable user-level key, which developers obtain through the Mini Program front-end API and the server-side interface provided by the WeChat backend, and then implement the encryption of request packets themselves.
  2. WeChat Gateway solution: the WeChat team has launched the WeChat Gateway, built on its accumulated security protection experience, with systematic, multi-level protection. After a developer connects, the communication link from the Mini Program to the developer's service switches automatically from the public network link to the WeChat channel link, and the request content is encrypted in two layers throughout, effectively preventing man-in-the-middle proxy attacks.

Obtaining the key material requires a request to the WeChat platform, which takes time and therefore adds latency unrelated to the business itself. Developers who want the encryption guarantee without that overhead can use the WeChat Gateway solution.

# II. API Self-Implementation Solution

To prevent data from being intercepted and tampered with in communication with the developer's backend, the WeChat platform maintains a reliable user-level key for encrypting and signing traffic between the Mini Program and the backend.

Developers obtain the user's encryption key through the front-end API and the server-side interface provided by the backend.

The WeChat platform only provides the reliable encryption key; developers must implement the encryption scheme themselves and encrypt and decrypt the request data at the endpoints of their server interfaces.

In a Mini Program, developers call UserCryptoManager.getLatestUserKey to get the user's latest encryption key information.

# 2.1 Example of a front-end call

```js
const somedata = 'xxxxx' // plaintext request body
const userCryptoManager = wx.getUserCryptoManager()
userCryptoManager.getLatestUserKey({
    success({encryptKey, iv, version, expireTime}) {
        // Encrypt the plaintext with the user key; someAESEncryptMethod is supplied by the developer.
        // version identifies which of the user's keys was used; send it along so the server can pick the matching key.
        const encryptedData = someAESEncryptMethod(encryptKey, iv, somedata)
        wx.request({
           url: 'https://example.com/api', // developer service endpoint (placeholder)
           method: 'POST',
           data: encryptedData,
           success(res) {
                // Decrypt the response with the same key; someAESDecryptMethod is supplied by the developer.
                const decryptedData = someAESDecryptMethod(encryptKey, iv, res.data)
                console.log(decryptedData)
           }
        })
    }
})
```

someAESEncryptMethod and someAESDecryptMethod are the encryption and decryption functions; developers implement them themselves by bringing in an encryption library, since the base library does not currently provide encryption and decryption capabilities.

Developers can refer to these open source cryptographic libraries:

  • https://github.com/flash1293/aes-wasm
  • https://github.com/ricmoo/aes-js

Choose the encryption scheme that fits your business:

  • Asymmetric encryption: the client and the server each hold a public/private key pair. On every interface request the plaintext is encrypted first, and the receiving side decrypts the ciphertext with the corresponding key of the pair. Common asymmetric algorithms are RSA, DSA and ECC. Asymmetric encryption is highly secure but slow to encrypt and decrypt, so it is unsuitable when the request or response body is large.
  • Symmetric encryption: the client and the server share one key; the plaintext is encrypted with it on every request and decrypted with the same key on receipt. Common symmetric algorithms are DES, 3DES, IDEA, RC5, RC6 and Blowfish. Symmetric encryption is fast and suits large payloads, but offers weaker security.
  • Integration scheme: on a request, the client encrypts the plaintext with a randomly generated symmetric key, encrypts that symmetric key with asymmetric encryption, and sends the ciphertext together with the encrypted symmetric key as one package. The server reverses the process on receipt, and the response packet is handled the same way.

On the developer's server, the getUserEncryptKey backend interface returns the user's last three keys. Each key comes with version information, so the developer can match versions to pick the key that encrypts or decrypts a given piece of data.

# 2.2 Example of a server call

```bash
curl -X POST "https://api.weixin.qq.com/wxa/business/getuserencryptkey?access_token=ACCESS_TOKEN&openid=OPENID&signature=SIGNATURE&sig_method=hmac_sha256"
```

# III. WeChat Gateway solution

To connect to the WeChat Gateway, refer to this document: Weixin Mini Program One-click access to WeChat gateway