UserSig is a security signature designed by Tencent Cloud to prevent attackers from accessing your Tencent Cloud account.
Currently, Tencent Cloud services including MLVB, TRTC, and IM all use this security mechanism. Whenever you want to use these services, you must provide three key pieces of information, i.e.,
UserSig in the initialization or login function of the corresponding SDK.
SDKAppID is used to identify your application, and
UserID your user.
UserSig is a security signature calculated based on the two parameters using the HMAC SHA256 encryption algorithm. Attackers cannot use your Tencent Cloud traffic without authorization as long as they cannot forge a
See below for how
UserSig is calculated. Basically, it involves hashing crucial information including
// UserSig formula, in which `secretkey` is the key used to calculate UserSig usersig = hmacsha256(secretkey, (userid + sdkappid + currtime + expire + base64(userid + sdkappid + currtime + expire)))
Log in to the CSS console and go to Application Management to view the key required to calculate
We provide an open-source module called
GenerateTestUserSig in the MLVB SDK sample code. Set the three member variables of
SECRETKEY, and call
genTestUserSig() to generate a
UserSig and get started quickly with the SDK.
This method is only applicable for debugging. It’s not recommended for official launch because
SECRETKEYof the client code (especially on the web) may be easily decompiled and reversed. If your key is leaked, attackers can steal your Tencent Cloud traffic.
The correct method is to deploy the
UserSigcalculation code on your project server so that your application can request from your server a
UserSigthat is calculated whenever one is needed.
Using the server to calculate
UserSig offers the utmost protection against key leakage, for it is more difficult to hack a server than it is to reverse engineer an application. See below for the specific method.
UserSigfrom your server.
UserSigbased on the
UserID. The calculation source code is provided above.
UserSigto your application.
UserSigto the SDK through a specific API.
SDKAppID + UserID + UserSigto the Tencent Cloud server for verification.
UserSigis valid, real time audio/video services will be provided to the TRTC SDK.
To simplify your implementation process, we provide
UserSig calculation source code in multiple languages.
|Programming Language||Signature Algorithm||Key Function||Download Link|
To simplify signature calculation and facilitate your use of Tencent Cloud services, on August 6, 2019, IM switched from the legacy algorithm ECDSA-SHA256 to the new algorithm HMAC-SHA256. This means that all applications created on and after August 6, 2019 will use the HMAC-SHA256 algorithm.
If your application was created before July 19, 2019, you can continue to use the old signature algorithm, whose source code can be downloaded at the links below.
|Programming Language||Signature Algorithm||Download Link|