Signing http requests
There is an API for mobile applications that needs to be protected. I would like to sign requests so that unsigned requests, or requests from blocked clients, are discarded when they reach the backend.
Are there ready-made practices or case studies for such tasks?
The following scheme is taking shape, but, given the peculiarities of my thinking, it is difficult for me to assess whether it is sufficient:
The application receives an api-key when it first accesses the backend. In addition, a secret string is hardwired into the application, which is known only to the client and the backend and which is not passed between them.
After receiving the api-key, the application signs each request with a string generated from the api-key + secret + something else.
sign = hmac-sha1( api-key + secret + md5(request data) )
I used a similar solution for myself, I just added the creation date:
ApiKey="iphone_key", Signature="a048d4fb029cc191874ebb787893e708", Created="2013-08-28T17:43:09+04:00"
By the creation date you can cut off obsolete requests (for example, those created more than 5 minutes ago). Otherwise, anyone who intercepts the request can reuse it even a year later.
Well, all important operations (billing, passwords) go over https, of course.
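A backend-side implementation of the scheme discussed in the question and in this answer, added here as an example (not code from either poster): the secret is used as the HMAC key rather than concatenated into the hashed string, the signature covers method, path and body, the Created timestamp is checked against a 5-minute window, and an exact replay inside that window is rejected. The key names, HMAC-SHA256 and the in-memory replay set are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample credentials (assumption): the backend issues the api-key,
# the secret is shared out of band and used only as the HMAC key.
API_KEYS = {"iphone_key": b"example-secret-not-real"}
MAX_AGE = timedelta(minutes=5)
SEEN_SIGNATURES = set()  # toy replay cache; a real backend would expire entries


def parse_created(value):
    # Requires an explicit UTC offset, like the +04:00 in the example header.
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("Created must carry a timezone offset")
    return ts


def canonical_string(api_key, created, method, path, body):
    # Bind the signature to method, path and body so a captured signature
    # cannot be reused against another endpoint with the same timestamp.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([api_key, created, method.upper(), path, body_hash])


def sign(api_key, secret, created, method, path, body):
    # The secret is the HMAC key, never part of the hashed message, so the
    # length-extension concern raised in the comments does not apply.
    msg = canonical_string(api_key, created, method, path, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(api_key, signature, created, method, path, body, now=None):
    """Backend check. Returns (accepted, reason)."""
    secret = API_KEYS.get(api_key)
    if secret is None:
        return False, "unknown or blocked api-key"
    try:
        ts = parse_created(created)
    except ValueError:
        return False, "malformed Created"
    now = now or datetime.now(timezone.utc)
    if abs(now - ts) > MAX_AGE:
        return False, "stale or future-dated request"
    expected = sign(api_key, secret, created, method, path, body)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if signature in SEEN_SIGNATURES:
        return False, "replayed request"
    SEEN_SIGNATURES.add(signature)
    return True, "ok"
```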
There is no protection. You can always crack an apk or ipa and see what's what. We also did signing and https, but that is more to deter those who want to figure us out in five minutes. Whoever needs to will get in. We are ready for this.
OAuth is not about this at all.
The salt on the left is bad :)
I can sign any request without knowing the key using the length extension attack.
You can read the OAuth 2.0 standard, RFC 6749.
There, by the way, it is written that the secret cannot be stored on the client; it is used for server-to-server interaction.
I had a similar solution: all AJAX requests were encrypted with Blowfish using the user's password, which they entered at login.