REST - API Authentication Method - am I doing it correctly?


I'm incredibly new to building API authentication - I wanted to ensure I'm going about this the correct way and that there are no major security flaws I'm not aware of.

It's based on a secret/private key pair; both the client and the server know the secret key, and it's never passed along the wire.

Any feedback, insights or holes in the method would be appreciated.


Step 1:

The client wants to make a request to the API, so it asks for a nonce from the server - passing its public key.



Step 2:

The server looks up the user's private key (using the provided public key) and hashes (SHA-256) it with a random 32-character string (the nonce).

The hashed nonce and the public key are stored in a local array.

The server responds to the client with the un-hashed version of the nonce.



Step 3:

The client takes the nonce from the response and hashes it with its private key (which the client has locally).

It makes a request to the server (along with the API task it wants to perform) and sends its version of the hashed nonce and its public key.



Step 4:

The server takes the client's public key and hashed nonce, and checks the local array to see if the public key/nonce pair exists.

If the pair exists, authentication is passed, the request is allowed, and the public key/nonce pair is removed from the local array.

Let me start by saying I don't have credentials in the security world. Please take this with a grain of salt.

A couple of general thoughts

It seems you want to roll your own, which is a bad idea in any security-related area. Even more so when there are several alternatives in the wild that have been battle-tested.

Off the top of my head, I can name 3 ways of API authentication in wide use:

  1. Basic authentication. GitHub provides it as a fall-back: “intended to be used for scripts or testing (i.e., cases where full OAuth would be overkill).”

  2. OAuth. GitHub, Twitter, Facebook, LinkedIn and Google use this. The protocol is well-specified but might be overkill for smaller projects. With widespread client libraries, it's easy to implement.

  3. Hash-based message authentication code (HMAC). Amazon Web Services use this. It might be an under-appreciated solution since it's conceptually easier than OAuth: the client uses the private key to sign requests and sends the signature + public key in the request. The server looks up the private key using the public key sent by the client and in turn creates a signature of the request. If the signatures match, the request is valid. Public and private keys have to be exchanged beforehand (AWS lets you download the private key once).

From what you describe, HMAC is the closest candidate to what you want.

A couple of thoughts specific to what you suggested

  1. Your algorithm requires you to keep state on the server (cue “local array”). That's fine for a single server, but what do you do when you scale? When step #2 hits 1 server and step #3 another, the state has to be shared. You can of course use a shared DB (or cache) or whatever, but you have to think about this.

  2. Roundtrips. By requiring 2-step authentication as you suggested, every client has to either send an additional request (to get the nonce) for each (payload) request, or you have to think about when to invalidate the pairs on the server. HMAC does the same thing without the request overhead.

  3. Possible attack: I can flood your servers with client requests for nonces. Depending on your public key length, I might come up with valid public keys and can tie up resources that are never used by a second request. Depending on how you handle this (see point #1), it might bring your server down.
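
The HMAC request signing described in the answer above, sketched in Python as an added example that is not part of the original question or answer. The key id `pk_demo_123`, the secret, the canonical string layout and the 300-second timestamp window are all assumptions; the signed timestamp goes beyond what the answer describes and stands in for the server-side nonce, so the server keeps no per-request state.

```python
import hashlib
import hmac
import time

# Constructed sample key store: public key id -> shared secret (assumption).
SECRETS = {"pk_demo_123": b"constructed-demo-secret"}
MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def canonical(method, path, body, timestamp):
    """Build the byte string that both client and server sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, str(timestamp), body_hash]
    return "\n".join(parts).encode()


def sign(secret, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical request."""
    msg = canonical(method, path, body, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(public_key, signature, method, path, body, timestamp, now=None):
    """Server side: look up the secret, recompute the signature, compare."""
    now = time.time() if now is None else now
    secret = SECRETS.get(public_key)
    if secret is None:
        return False  # unknown public key: nothing is stored for it
    if abs(now - timestamp) > MAX_SKEW:
        return False  # stale or future-dated request, treated as a replay
    expected = sign(secret, method, path, body, timestamp)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    ts = int(time.time())
    body = b'{"task": "list"}'
    sig = sign(SECRETS["pk_demo_123"], "POST", "/api/tasks", body, ts)
    print("valid request:", verify("pk_demo_123", sig, "POST", "/api/tasks", body, ts))
    print("tampered body:", verify("pk_demo_123", sig, "POST", "/api/tasks", b"{}", ts))
```

Because the signature covers the method, path and body, a captured signature cannot be reused for a different API task, and a request for an unknown public key is rejected without allocating anything on the server.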

