REST authentication and HMAC/private key (when do I set it?)

Frontend | Unresolved | 1 | 1491
一向 2021-02-03 11:03

I've been toying around with a simple application idea the last couple of days as I'm trying to teach myself the basic of REST authentication.

So far I've gathered th

1 answer
  • 2021-02-03 11:29

    I think you need to provide more details about your application and how it will be used. There are many ways you can do REST authentication. Some of them are standard, some not. These are just some examples:

    1. Basic authentication over SSL
    2. Digest authentication
    3. Various kinds of token authentication (OAuth 2, SPNEGO, various STS)
    4. HMAC
    5. Client SSL Certificates
    6. Signed/encrypted cookies.

    In case of Amazon S3, they give you an "AWS secret access key" when you register. Later your application code needs to know the secret key to be able to compute signatures (or it needs to know the signed request/URL). So ultimately the "secret access key" is transmitted over the wire at least once, initially during registration.

    If you use public key cryptography (like client SSL certificates), you can avoid transmitting the private key altogether:

    1. you generate public/private key on client
    2. Submit public key to the server (or certificate signed by trusted authority)
    3. Sign requests (or nonces) with the private key, and the server validates the signature using the public key.

    If your goal is to just authenticate AJAX requests made to your site after the user has authenticated on the login page, you can simply use server-signed cookies.

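As an added example (not part of the original question or answer) of the HMAC scheme the answer describes for S3-style APIs: the client signs each request with the shared secret it received at registration, and the server recomputes the signature and compares it. It goes slightly beyond the answer by binding a timestamp and nonce into the signed string so replays are rejected; the key id, header names and canonical-string layout are constructed for illustration and do not match any real service.

```python
import hashlib
import hmac
import time

# Constructed credentials, handed out once at registration as the answer describes.
KEYS = {"demo-key-id": b"constructed-shared-secret-not-a-real-key"}
MAX_SKEW = 300  # seconds a request timestamp may differ from server time


def canonical(method, path, body, ts, nonce):
    # Everything the server relies on goes into the signed string; the body is
    # hashed so the signature covers it without a second pass over large payloads.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign(key_id, secret, method, path, body, ts, nonce):
    """Client side: compute the headers to attach to the request."""
    mac = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: recompute the signature and reject stale or replayed requests."""
    def __init__(self, now=time.time):
        self.now = now
        self.seen = set()  # (ts, nonce) pairs accepted; a real server would expire them

    def verify(self, method, path, body, headers):
        secret = KEYS.get(headers.get("X-Key-Id", ""))
        if secret is None:
            return False  # unknown key id
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(self.now() - ts) > MAX_SKEW:
            return False  # stale timestamp: bounds the replay window
        nonce = headers.get("X-Nonce", "")
        if not nonce or (ts, nonce) in self.seen:
            return False  # replay of an already accepted request
        expected = hmac.new(secret, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False  # constant-time compare; wrong secret or tampered request
        self.seen.add((ts, nonce))
        return True
```

The secret never travels with the request, only the signature does, but it still had to reach the client once, which is the point the answer makes about S3.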