How to accept authentication on a web API without SSL?
I\'m building a web API very similar to what StackOverflow provide.
However in my case security is importance since data is private.
- I must use HTTP.
-
First of all, I suggest you read this excellent article: http://piwik.org/blog/2008/01/how-to-design-an-api-best-practises-concepts-technical-aspects/
The solution is very simple. It is a combination of Flickr like API (token based) and authentication method used by the paiement gateway I use (highly secure), but with a private password/salt instead.
To prevent unauthorized users from using the API without having to send the password in the request (in my case, in clear since there is no SSL), they must add a signature that will consist of a MD5 hashing of a concatenation of both private and public values:
- Well know values, such as username or even API route
- A user pass phrase
- A unique code generated by the user (can be used only once)
If we request /api/route/ and the pass phrase is kdf8*s@, the signature be the following:
string uniqueCode = Guid.NewGuid().ToString(); string signature = MD5.Compute("/api/route/kdf8*s@" + ticks);The URL of the HTTP request will then be:
string requestUrl = string.Format("http://example.org/api/route/?code={0}&sign={1}", uniqueCode, signature);Server side, you will have to prevent any new requests with the same unique code. Preventing any attacker to simply reuse the same URL to his advantage. Which was the situation I wanted to avoid.
Since I didn't want to store code that were used by API consumer, I decided to replace it by a ticks. Ticks represents the number of 100-nanosecond intervals that have elapsed since 12:00:00 midnight, January 1, 0001.
On server side, I only accept ticks (timestamp) with a tolerance of +-3 minutes (in case client & server are not time synchronized). Meaning that potential attacker will be able to use that window to reuse the URL but not permanently. Security is reduced a little, but still good enough for my case.
加载中...
- 热议问题