How to authenticate a user using HMAC?

U

unsafePtr2017-05-01 15:41:43

Algorithms

unsafePtr, 2017-05-01 15:41:43

Hello. There is no way to come up with meaningful authentication on the web. Everything depends on the private key. It must be known to both the client and the server, moreover, the encryption algorithm must also be known. The question is how to securely transfer the key to the client from the server, in addition, the client must store this key somewhere safely. How can this be done on the web? After all, the client should already know the secret key, and if you provide him with this key after authentication, then the need for HMAC simply disappears. Please provide an example of using HMAC.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

S

Sergey Sokolov, 2017-05-01
@unsafePtr

An example of use is VKontakte and its iFrame application. When the user launches the application by clicking the link in VK, the iframe of the developer's server opens. VK sends a user there with some parameters - among them the user id of VKontakte and others. And the signature (parameter auth_key), calculated as an md5 hash of parameters that are important to protect against forgery by the user, and the "secret" of the application.
Those. the scheme is acceptable when there are three parties : the VC server, the application server and an “unreliable” user who may want to fake the parameters transmitted from the VC to the application. The "secret" is known only to the VK server and the application server. The hash calculated on its basis guarantees the integrity and authenticity of the data.
In your case, HMAC would make sense in a scheme like authenticating a user on one server to work on another. The secret key does not need to be disclosed to the user, of course.