This document describes how to use the DES and AES encryption algorithms. They can be used to encrypt the request parameters and decrypt the response data so as to prevent requests in plaintext from being maliciously altered during transfer.
Note: If you make a query with an HTTPS request method, the transferred data will be protected through encryption because of the TLS channel, so you don't need to encrypt the data passed in.
Step 1. Determine the encryption method. Currently, HTTP requests to HTTPDNS can be encrypted with DES or AES.
Note:
- If you make a query with an HTTPS request method, see Querying with HTTPS Request Methods.
- Encrypt the domain to be resolved with the corresponding key and algorithm (if you want to use the ip parameter, you also need to encrypt it) and use the encrypted result and ID (which does not need to be encrypted) as the request parameters.
Step 2. Send an encrypted request.
Step 3. Receive an encrypted response.
Step 4. Decrypt the result.
Note: For encryption and decryption with DES, the key is 8 characters in length, the block cipher mode is ECB, and the padding algorithm is PKCS5Padding.
The encrypted data is encoded by using Hex(Base16) to convert the binary data into a visible hexadecimal string, and the length of the encoded data will double. The detailed process is as shown below:
Decryption of the response data involves decoding the data to binary data with Hex(Base16) first and then decrypting the binary data with the DES algorithm into plaintext data. The detailed process is as shown below:
For example, if your domain is www.dnspod.cn and the encryption key is dnspodpass, the process will be as follows:
- Encrypt the domain www.dnspod.cn with DES-ECB-PKCS5 and DES encryption key dnspodpass, and you will get the encrypted string 87ae992c1321f299da3c0210a9900ae7.
- Call the curl "http://43.132.55.55/d?dn=87ae992c1321f299da3c0210a9900ae7&id={authorization ID}" API to request the A record. You will get an encrypted string with a doubled length, such as 55915a682ea20840ff74aa6e7bebf11454ed0f4050a63e93e6e89521553a01a8.
- Decrypt the response with DES-ECB-PKCS5 and DES encryption key dnspodpass, and you will get the plaintext data 121.12.53.35;106.227.19.35.
Note: The above strings are used as an example only and cannot be used for normal requests.
Note: For encryption and decryption with AES, the key is 16 characters in length, the block cipher mode is CBC, and the padding algorithm is PKCS7.
The CBC mode requires a random IV as the initial input for encryption and decryption, so the IV will also be carried in the request and response. The encrypted data along with the IV is encoded by using Hex and converted into a visible hexadecimal string. The detailed process is as shown below:
During decryption, the data is decoded to binary data by using Hex, where the first 16 bytes are the IV value, and the bytes after the IV are the data to be decrypted with the AES algorithm. The plaintext data will be obtained after decryption. The detailed process is as shown below:
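The AES format described above (Hex of the 16-byte IV followed by the AES-CBC ciphertext with PKCS7 padding), as an added Go example that is not code from this documentation or from the HTTPDNS service. The function names EncryptParam and DecryptBody and the 16-character key are constructed for illustration, and the example assumes the request places the IV first, as the page states for the response.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// EncryptParam returns hex(IV || AES-CBC(PKCS7(plain))) for the dn or ip parameter.
func EncryptParam(key, plain []byte) (string, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS7 always adds 1..16 bytes
	data := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(data))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV per message
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], data)
	return hex.EncodeToString(out), nil
}

// DecryptBody hex-decodes the body, splits off the IV, decrypts and strips the padding.
func DecryptBody(key []byte, body string) ([]byte, error) {
	raw, err := hex.DecodeString(body)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("body must be hex of a 16-byte IV plus whole cipher blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, data := raw[:aes.BlockSize], raw[aes.BlockSize:]
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(data, data)
	pad := int(data[len(data)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(data[len(data)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("invalid PKCS7 padding")
	}
	return data[:len(data)-pad], nil
}

func main() {
	dn, _ := EncryptParam([]byte("0123456789abcdef"), []byte("www.dnspod.cn")) // constructed key
	fmt.Println("dn =", dn)
}
```

CBC carries no authentication tag, so a length or padding error from DecryptBody is the only sign that a response was corrupted or decrypted with the wrong key; treat any error as a failed lookup.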