URL authentication

Last Updated: Nov 26, 2017

Introduction

The URL authentication function protects a site's resources from unauthorized download and misuse. Hotlinking (leeching) is only partially addressed by a Referer blacklist or whitelist: the Referer header is supplied by the client and can be forged, so that method cannot fully protect site resources. Enabling URL authentication is recommended to protect the security of origin site resources.

Concept

The URL authentication function uses Alibaba Cloud CDN nodes in combination with the customer's resource site to provide stronger anti-leeching protection for origin site resources. The CDN customer site hands the user an encrypted (signed) URL that carries permission verification information, and the user uses it to send a request to the CDN node. The CDN node verifies the permission information in the URL to determine whether the request is legitimate: legitimate requests receive a normal response and illegitimate requests are rejected. This protects the CDN customer site's resources.

URL authentication methods

Alibaba Cloud CDN supports authentication Method A, Method B and Method C. You can select an appropriate method to protect origin site resources based on your business requirements.

Authentication method A

Concept

Structure of users’ encrypted URLs

    http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash

Authentication field descriptions

  • The PrivateKey field can be set by the user.

    Field      Description
    timestamp  The expiration time: a positive 10-digit integer giving the Unix time (seconds since January 1, 1970 00:00:00 UTC) after which the URL is no longer valid.
    rand       Random number. It is typically set to 0.
    uid        Currently unused; set to 0.
    md5hash    The verification string, computed with the MD5 algorithm: 32 lowercase hexadecimal characters (0-9, a-f).

    After the CDN node receives the request, it first checks whether the timestamp in the request is earlier than the current time. If it is, the request has expired and an HTTP 403 error is returned. If the timestamp is later than the current time, the node builds the signature string described below, computes its MD5 hash (HashValue) and compares it with the md5hash in the request. If they match, the request passes authentication and the file is returned; otherwise authentication fails and an HTTP 403 error is returned. Because timestamp, rand and uid are all inputs to the hash, changing any of them in the URL (for example, pushing the expiry further out) invalidates the signature. The only secret is PrivateKey, so it must stay on the server that generates the URLs and never be embedded in client-side code.

  • The HashValue is calculated as follows:

    1. sstring = "URI-Timestamp-rand-uid-PrivateKey" (URI is the path of the requested object, for example /Filename, without the query string)
    2. HashValue = md5sum(sstring)

Example

  1. Request an object that requires authentication:

       http://cdn.example.com/video/standard/1K.html

  2. Set the access key (PrivateKey) to aliyuncdnexp1234 (set by the user).

  3. The authentication configuration expires at 2015-10-10 00:00:00 UTC, which is Unix time 1444435200.

  4. The CDN server constructs the signature string used to calculate the HashValue:

       /video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234

  5. The CDN server calculates the HashValue from the signature string:

       HashValue = md5sum("/video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234") = 80cd3862d699b7118eed99103f2a3a4f

  6. The resulting request URL is:

       http://cdn.example.com/video/standard/1K.html?auth_key=1444435200-0-0-80cd3862d699b7118eed99103f2a3a4f

The HashValue calculated by the CDN server matches the md5hash value 80cd3862d699b7118eed99103f2a3a4f in the user request, so the request passes authentication.
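The Method A signing and verification steps, as an added Python example (it is not the page's or Alibaba Cloud's own sample code): sign_a() appends an auth_key to a plain resource URL, and verify_a() repeats the CDN node's checks in the order described above, expiry first and then the MD5 comparison. The key, URL and expiry are taken from the worked example; the function names, the (accepted, reason) return value, the format checks on the auth_key fields and the constant-time comparison are this example's own choices. Running the script prints the signed URL, so the md5hash it produces can be compared with the value in the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Example key from the page. In production the key lives only in the CDN
# configuration and on the server that mints URLs, never in client code.
PRIVATE_KEY = "aliyuncdnexp1234"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sign_a(url, private_key, expire_at, rand="0", uid="0"):
    """Append a Method A auth_key to a plain resource URL.

    sstring = "URI-timestamp-rand-uid-PrivateKey", where URI is the path only
    (no query string); expire_at is a 10-digit Unix time.
    """
    parts = urlsplit(url)
    sstring = f"{parts.path}-{expire_at}-{rand}-{uid}-{private_key}"
    auth_key = f"{expire_at}-{rand}-{uid}-{md5_hex(sstring)}"
    sep = "&" if parts.query else "?"
    return f"{url}{sep}auth_key={auth_key}"


def verify_a(url, private_key, now):
    """Repeat the CDN node's checks: expiry first, then the MD5 comparison.

    Returns (accepted, reason); any rejection maps to HTTP 403 on the CDN.
    """
    parts = urlsplit(url)
    auth = parse_qs(parts.query).get("auth_key", [None])[0]
    if auth is None:
        return False, "missing auth_key"
    fields = auth.split("-")
    if len(fields) != 4:
        return False, "malformed auth_key"
    ts, rand, uid, md5hash = fields
    if len(ts) != 10 or not ts.isdigit():
        return False, "malformed timestamp"
    if int(ts) < now:
        return False, "expired"
    if not HEX32.match(md5hash):
        return False, "malformed md5hash"
    # timestamp, rand and uid are all inputs to the hash, so editing any of
    # them in the URL (e.g. pushing the expiry out) breaks the signature.
    expected = md5_hex(f"{parts.path}-{ts}-{rand}-{uid}-{private_key}")
    if not hmac.compare_digest(expected, md5hash.lower()):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Inputs from the worked example: expiry 2015-10-10 00:00:00 UTC.
    signed = sign_a("http://cdn.example.com/video/standard/1K.html", PRIVATE_KEY, 1444435200)
    print(signed)
    print(verify_a(signed, PRIVATE_KEY, now=1444435200 - 60))   # before expiry
    print(verify_a(signed, PRIVATE_KEY, now=1444435200 + 60))   # after expiry
```

hmac.compare_digest is used instead of == so that the comparison does not leak how many leading characters of the forged hash were right; the page does not say how the CDN node compares the strings, so this is a choice of the example.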

Authentication method B

Concept

Format of users’ encrypted URLs

The user access URL has the following form:

    http://DomainName/timestamp/md5hash/FileName

Encrypted URL structure: domain name / URL generation time, accurate to the minute (timestamp) / MD5 value (md5hash) / real path on the origin server (FileName). The URL validity period is 1,800 s.

When the request passes authentication, the back-to-source (origin) URL is:

    http://DomainName/FileName

Authentication field descriptions

Note:

  • The PrivateKey field can be set by the CDN user.

  • The validity period of 1,800 s means that authentication fails if the request arrives more than 1,800 s after the access time encoded in the URL. For example, if the encoded access time is 2020-08-15 15:00:00 (timestamp 202008151500), the link actually expires at 2020-08-15 15:30:00.

Field       Description
DomainName  The domain name of the CDN customer site.
timestamp   The time at which the user is expected to access the resource. It is part of the URL and is also an input to the md5hash. The format is YYYYMMDDHHMM (minute resolution) and the validity period is 1,800 s.
md5hash     The MD5 hash of PrivateKey, timestamp and FileName concatenated in that order: md5(PrivateKey + timestamp + FileName).
FileName    The actual back-to-source access path (Note: during authentication, FileName begins with /).

Example

  1. Back-to-source request object:

       http://cdn.example.com/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3

  2. Set the access key (PrivateKey) to aliyuncdnexp1234 (set by the user).

  3. The access time is 201508150800 (format YYYYMMDDHHMM), that is, 2015-08-15 08:00.

  4. The CDN server constructs the signature string used to calculate the md5hash:

       aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3

  5. The CDN server calculates the md5hash from the signature string:

       md5hash = md5sum("aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3") = 9044548ef1527deadafa49a890a377f0

  6. The resulting request URL is:

       http://cdn.example.com/201508150800/9044548ef1527deadafa49a890a377f0/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3

The calculated md5hash matches the md5hash value 9044548ef1527deadafa49a890a377f0 in the user request, so the request passes authentication.
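The Method B URL layout and its 1,800 s window, as an added Python example (not the page's or Alibaba Cloud's own sample code): sign_b() builds http://DomainName/timestamp/md5hash/FileName from a minute-resolution access time, and verify_b() splits the first two path segments back off, recomputes md5(PrivateKey + timestamp + FileName) with the leading slash kept on FileName, checks the window and returns the back-to-source URL the CDN would fetch. The domain, path, key and access time come from the worked example; the function names, the (accepted, reason, origin_url) return value, treating the timestamp as UTC and the constant-time comparison are this example's own assumptions.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

PRIVATE_KEY = "aliyuncdnexp1234"    # example key from the page
VALIDITY = timedelta(seconds=1800)  # fixed validity period stated for Method B
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime. Timestamps are treated as UTC here (an assumption)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sign_b(domain, file_name, private_key, access_time):
    """Build http://DomainName/timestamp/md5hash/FileName.

    md5hash = md5(PrivateKey + timestamp + FileName); timestamp is YYYYMMDDHHMM.
    """
    if not file_name.startswith("/"):
        raise ValueError("FileName must begin with /")
    ts = access_time.strftime("%Y%m%d%H%M")   # minute resolution, seconds are dropped
    md5hash = md5_hex(private_key + ts + file_name)
    return f"http://{domain}/{ts}/{md5hash}{file_name}"


def verify_b(url, private_key, now):
    """Check a Method B URL. Returns (accepted, reason, back_to_source_url)."""
    parts = urlsplit(url)
    segs = parts.path.split("/", 3)            # ['', timestamp, md5hash, rest of path]
    if len(segs) != 4 or not segs[3]:
        return False, "malformed path", None
    _, ts, md5hash, rest = segs
    file_name = "/" + rest                     # FileName is hashed with its leading /
    if len(ts) != 12 or not ts.isdigit():
        return False, "malformed timestamp", None
    try:
        issued = datetime.strptime(ts, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    except ValueError:                         # e.g. month 13 or hour 25
        return False, "malformed timestamp", None
    if not HEX32.match(md5hash):
        return False, "malformed md5hash", None
    expected = md5_hex(private_key + ts + file_name)
    if not hmac.compare_digest(expected, md5hash.lower()):
        return False, "bad signature", None
    if now - issued > VALIDITY:                # more than 1,800 s after the encoded time
        return False, "expired", None
    # Authentication passed: the CDN fetches http://DomainName/FileName from the origin.
    return True, "ok", f"http://{parts.netloc}{file_name}"


if __name__ == "__main__":
    signed = sign_b("cdn.example.com", "/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3",
                    PRIVATE_KEY, utc(2015, 8, 15, 8, 0))
    print(signed)
    print(verify_b(signed, PRIVATE_KEY, utc(2015, 8, 15, 8, 20)))   # inside the window
    print(verify_b(signed, PRIVATE_KEY, utc(2015, 8, 15, 9, 0)))    # after 08:30, expired
```

The page only states the upper bound of the window (1,800 s after the encoded time), so the example does not reject requests that arrive before the encoded time; whether the CDN does is not documented here.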

Authentication method C

Principle

Format of users’ encrypted URLs

  • Format 1:

    http://DomainName/{<md5hash>/<timestamp>}/FileName

  • Format 2:

    http://DomainName/FileName{&KEY1=<md5hash>&KEY2=<timestamp>}

Where:

  • Content in braces is the authentication information added to the standard URL.

  • <md5hash> is the authentication string produced by the MD5 hash (32 lowercase hexadecimal characters).

  • <timestamp> is an unencrypted plaintext string: the access time in seconds since January 1, 1970 (Unix time), written in hexadecimal. For any current date this is 8 hexadecimal digits; the value 55CE8100 in the example below is 1439596800, that is, 2015-08-15 00:00:00 UTC.

  • An example of a Format 1 URL:

      http://cdn.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv

    The <md5hash> value is a37fa50a5fb8f71214b1e7c95ec7a1bd. The <timestamp> value is 55CE8100.

Authentication field descriptions

<md5hash> field descriptions:

Field       Description
PrivateKey  The secret key string. Different users use different keys.
FileName    The back-to-source access path (Note: during authentication, the path begins with /).
time        The time at which the user accesses the resource: Unix time expressed in hexadecimal.

The md5hash is md5(PrivateKey + FileName + time). With the values of the example:

  • PrivateKey is set to aliyuncdnexp1234.
  • FileName is set to /test.flv.
  • time is set to 55CE8100.
  • So the md5hash value is:

      md5hash = md5sum("aliyuncdnexp1234/test.flv55CE8100") = a37fa50a5fb8f71214b1e7c95ec7a1bd

  • Plaintext: timestamp = 55CE8100.

  • The URL is generated as follows:

    Format 1:

      http://cdn.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv

    Format 2:

      http://cdn.example.com/test.flv&KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100

Example

When the user accesses a CDN node with an encrypted URL, the CDN server extracts encrypted string 1 (the <md5hash>) and recovers the <FileName> of the original URL. It then authenticates the request as follows:

  1. The CDN server computes the MD5 hash of the <FileName> of the original URL, the time in the request and the PrivateKey to obtain encrypted string 2.

  2. The CDN server compares encrypted string 2 with encrypted string 1. If they differ, the request is rejected.

  3. The CDN server subtracts the plaintext time in the access URL from its current time to determine whether the preset time limit t has elapsed (t is 1,800 s by default).

  4. A validity period of 1,800 s means that authentication fails if the request arrives more than 1,800 s after the access time encoded in the URL. For example, if the encoded access time is 2020-08-15 15:00:00, the link actually expires at 2020-08-15 15:30:00.

  5. The request is valid if the time difference is less than the preset time limit, and the CDN server sends a normal response. Otherwise the request is rejected and an HTTP 403 error is returned.
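The Method C checks above, for both URL formats, as an added Python example (not the page's or Alibaba Cloud's own sample code): sign_c() emits either Format 1 (/md5hash/timestamp/FileName) or Format 2 (FileName&KEY1=...&KEY2=...), and verify_c() parses whichever it is given, compares encrypted strings 1 and 2 first and then applies the time limit t, as in steps 1 to 5. The domain, path, key and time 55CE8100 come from the example above; the function names, the regular expressions used to split the URL, the (accepted, reason, file_name) return value and the constant-time comparison are this example's own choices.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

PRIVATE_KEY = "aliyuncdnexp1234"   # example key from the page
TIME_LIMIT = 1800                  # default limit t, in seconds

# Format 1: /<md5hash>/<timestamp>/FileName
FORMAT1 = re.compile(r"^/(?P<hash>[0-9a-fA-F]{32})/(?P<ts>[0-9a-fA-F]{1,8})(?P<file>/.+)$")
# Format 2: /FileName&KEY1=<md5hash>&KEY2=<timestamp>
FORMAT2 = re.compile(r"^(?P<file>/.+?)&KEY1=(?P<hash>[0-9a-fA-F]{32})&KEY2=(?P<ts>[0-9a-fA-F]{1,8})$")


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def c_hash(private_key, file_name, ts_hex):
    # md5(PrivateKey + FileName + time), e.g. md5("aliyuncdnexp1234/test.flv55CE8100")
    return md5_hex(f"{private_key}{file_name}{ts_hex}")


def sign_c(domain, file_name, private_key, access_time, fmt=1):
    """Build a Format 1 or Format 2 URL for Unix time access_time (seconds)."""
    if not file_name.startswith("/"):
        raise ValueError("FileName must begin with /")
    ts_hex = f"{access_time:X}"                # plaintext time as uppercase hex, e.g. 55CE8100
    md5hash = c_hash(private_key, file_name, ts_hex)
    if fmt == 1:
        return f"http://{domain}/{md5hash}/{ts_hex}{file_name}"
    if fmt == 2:
        return f"http://{domain}{file_name}&KEY1={md5hash}&KEY2={ts_hex}"
    raise ValueError("fmt must be 1 or 2")


def verify_c(url, private_key, now, limit=TIME_LIMIT):
    """Repeat the CDN node's checks: signature first, then the time window.

    Returns (accepted, reason, file_name); file_name is the origin path on success.
    """
    path = urlsplit(url).path                  # Format 2 has no '?', so KEY1/KEY2 sit in the path
    m = FORMAT1.match(path) or FORMAT2.match(path)
    if m is None:
        return False, "no authentication information", None
    file_name, string1, ts_hex = m.group("file"), m.group("hash").lower(), m.group("ts")
    string2 = c_hash(private_key, file_name, ts_hex)   # encrypted string 2
    if not hmac.compare_digest(string1, string2):
        return False, "bad signature", None
    if now - int(ts_hex, 16) >= limit:         # valid only while the difference is below t
        return False, "expired", None
    return True, "ok", file_name


if __name__ == "__main__":
    t = int("55CE8100", 16)                    # 1439596800 = 2015-08-15 00:00:00 UTC
    for fmt in (1, 2):
        url = sign_c("cdn.example.com", "/test.flv", PRIVATE_KEY, t, fmt)
        print(url)
        print(verify_c(url, PRIVATE_KEY, now=t + 60))      # inside the window
        print(verify_c(url, PRIVATE_KEY, now=t + 1800))    # difference equals t, rejected
```

Because the plaintext time is an input to the hash, editing the timestamp segment of a URL to extend its life is caught at the signature comparison in step 2, before the time check in step 3 is ever reached.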

Sample authentication code

Refer to the Sample Authentication Code document in CDN Utilities.

Operation procedure

  1. Log on to the CDN console.

  2. On the left-side navigation pane, click Domain Names.

  3. Select a domain to open its management page and find Authentication Configurations.
