As internet technology rapidly progresses, opening the cloud platforms of network-side servers to third-party developers has become a trend in information-system construction. The network-side servers provide third-party developers with an application programming interface (API) for requesting resources. Third-party developers make API calls to the servers when requesting resources and use the server's API to process the related data.
To ensure the security of API calls, the network-side server must authenticate the identity of the third-party developer before an API is called. Only after the authentication succeeds will the server allow the third-party developer to call the API. In general, before any API is called, the server assigns an access identity (access ID) and an encryption key to an authorized third-party developer. When calling the API, the third-party developer transmits to the server a calling request that carries the access ID and a digital signature generated with the encryption key. During identity authentication, the server performs replay-attack verification, calling-frequency verification and digital-signature verification on the third-party developer's calling request, and provides the API to the third-party developer only after all of these verifications pass. Specifically, after receiving the API calling request, the server visits a storage system to verify whether the request is a replay attack. If the request is not a replay attack, the server further verifies the calling frequency of the request. After the calling-frequency verification passes, the server transmits the API data involved in the request to an API audit system for auditing and updates the calling-frequency record in a frequency control system. In digital-signature verification, the server visits the storage system to retrieve the encryption key corresponding to the access ID, generates a server-side digital signature with that encryption key, and compares the generated server-side digital signature against the digital signature carried by the API calling request. If the two match, the server provides the API to the third-party developer.
In realizing the above identity authentication process, the known technique has the following disadvantage. The server must visit the API audit system, the frequency control system and the storage system during the authentication process. If an unauthorized third-party developer or a malicious hacker creates a large number of invalid access IDs to attack the server, the server will visit the above three systems frequently, which leads to a system performance bottleneck or even denial of service (DoS) that causes the system to break down.
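The following is an added example, not code from the original text, that models the authentication flow described above (replay check against a storage system, calling-frequency check, audit and frequency-record update, then signature verification) and counts how many times each backend system is visited. The access IDs, keys, limits, HMAC-SHA256 signature format and request layout are all constructed assumptions; the point is to make the cost of the described ordering measurable: a request carrying an access ID the server does not know still incurs visits to the storage system, the frequency control system and the audit system before its signature is found invalid.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed sample data (assumption, not from the original text).
AUTHORIZED_KEYS = {"dev-0001": b"constructed-secret-key"}
MAX_CALLS_PER_WINDOW = 5
WINDOW_SECONDS = 60


class StorageSystem:
    """Holds the access-ID -> key mapping and the set of nonces already seen."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.seen_nonces = set()
        self.visits = 0  # every call below counts as one visit to this system

    def is_replay(self, nonce):
        self.visits += 1
        if nonce in self.seen_nonces:
            return True
        self.seen_nonces.add(nonce)
        return False

    def get_key(self, access_id):
        self.visits += 1
        return self.keys.get(access_id)


class FrequencyControl:
    """Sliding-window call counter per access ID."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)
        self.visits = 0

    def within_limit(self, access_id, now):
        self.visits += 1
        q = self.calls[access_id]
        while q and now - q[0] >= self.window:  # drop calls outside the window
            q.popleft()
        return len(q) < self.limit

    def record(self, access_id, now):
        self.visits += 1
        self.calls[access_id].append(now)


class AuditSystem:
    def __init__(self):
        self.records, self.visits = [], 0

    def audit(self, access_id, payload):
        self.visits += 1
        self.records.append((access_id, payload))


def sign(key, access_id, nonce, payload):
    """Assumed signature scheme: HMAC-SHA256 over a canonical request string."""
    msg = f"{access_id}|{nonce}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(access_id, key, nonce, payload):
    """Client side: build a request carrying the access ID and its signature."""
    return {"access_id": access_id, "nonce": nonce, "payload": payload,
            "signature": sign(key, access_id, nonce, payload)}


class ApiServer:
    def __init__(self, storage, freq, audit):
        self.storage, self.freq, self.audit = storage, freq, audit

    def handle(self, req, now):
        # 1. replay-attack verification (storage system visit)
        if self.storage.is_replay(req["nonce"]):
            return "replay"
        # 2. calling-frequency verification (frequency control visit)
        if not self.freq.within_limit(req["access_id"], now):
            return "rate_limited"
        # 3. audit the API data and update the calling-frequency record
        self.audit.audit(req["access_id"], req["payload"])
        self.freq.record(req["access_id"], now)
        # 4. digital-signature verification (storage system visit for the key)
        key = self.storage.get_key(req["access_id"])
        if key is None:
            return "bad_signature"
        expected = sign(key, req["access_id"], req["nonce"], req["payload"])
        if not hmac.compare_digest(expected, req["signature"]):
            return "bad_signature"
        return "ok"


def run_scenario():
    """Returns (per-request results, backend visit counts) for constructed traffic."""
    storage = StorageSystem(AUTHORIZED_KEYS)
    freq = FrequencyControl(MAX_CALLS_PER_WINDOW, WINDOW_SECONDS)
    server = ApiServer(storage, freq, AuditSystem())
    key = AUTHORIZED_KEYS["dev-0001"]
    results = []
    good = make_request("dev-0001", key, "n1", "GET /resource")
    results.append(server.handle(good, now=1000))   # fresh, valid request
    results.append(server.handle(good, now=1001))   # same nonce again: replay
    for i in range(5):                              # 5 more in-window calls: last one exceeds the limit
        results.append(server.handle(make_request("dev-0001", key, f"g{i}", "GET /resource"), now=1003))
    for i in range(100):                            # requests with access IDs the server does not know
        results.append(server.handle(make_request(f"unknown-{i}", b"wrong", f"x{i}", "GET /resource"), now=1002))
    return results, {"storage": storage.visits, "frequency": freq.visits, "audit": server.audit.visits}
```

Running `run_scenario()` shows that each of the 100 requests with an unknown access ID costs two storage visits, two frequency-control visits and one audit visit before it is rejected, which is exactly the load pattern the passage above identifies as the bottleneck.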