Authenticity and Integrity of HTTP Requests

Submitted by 江枫思渺然 on 2019-12-05 16:00:24

Both HMAC and digital signatures provide integrity and authentication:

  • integrity - because both of them are based on a hash. HMAC is a hash-based message authentication code. A digital signature is an encrypted hash of some message.
  • authentication - because HMAC uses a symmetric secret key, and a digital signature uses an asymmetric private key. Secret/private keys can be used only by the person who knows them = authentication. Checking secret/private keys on the recipient side in HMAC - the recipient also knows the secret, which is why we call it symmetric. Checking secret/private keys on the recipient side in a digital signature - the recipient also gets a public certificate which can be checked with a trusted third party.

Main difference - an HMAC message can't be checked/validated by a third party; only a person who knows the secret can validate/authenticate the message. A digitally signed message has a public certificate, and any person can check the message owner by deciphering the message with the attached public key, computing the hash, and checking the public key with a special trusted party.

Conclusion - use HMAC if you don't need anybody else to be able to check whether some message really belongs to the sender.

Similarly, would hashing the request and verifying it on my server be enough?

No. A man-in-the-middle can modify your message and attach the hash of the modified message. Hashing provides integrity, which means that modifying the message will also change the hash, but the attacker doesn't worry about hash equality because he simply replaces the whole message together with its hash! Using a secret as in HMAC prevents such message replacements: a man-in-the-middle can still change the message, but he can't recompute the hash because he doesn't know the secret.
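The point above, shown in code. This is an added example, not part of the original answer: a plain SHA-256 tag and an HMAC-SHA256 tag are computed over a canonical form of the same HTTP request (method, path, body are constructed values, as is the shared secret), and a simulated interposed modification of the body is checked against both. The plain hash can be recomputed by anyone, so the tampered request still verifies; the HMAC cannot be recomputed without the secret, so the tampered request fails.

```python
import hashlib
import hmac

# Constructed shared secret for the demo; in practice load it from secure configuration.
SECRET = b"constructed-shared-secret"


def canonical_request(method: str, path: str, body: bytes) -> bytes:
    """Canonical byte string both client and server hash identically."""
    return b"\n".join([method.encode(), path.encode(), body])


def plain_hash_tag(method: str, path: str, body: bytes) -> str:
    """Integrity-only scheme: no secret, so anyone can recompute this tag."""
    return hashlib.sha256(canonical_request(method, path, body)).hexdigest()


def hmac_tag(secret: bytes, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over the canonical request; requires the secret to compute."""
    return hmac.new(secret, canonical_request(method, path, body), hashlib.sha256).hexdigest()


def verify_plain_hash(method: str, path: str, body: bytes, tag: str) -> bool:
    return hmac.compare_digest(plain_hash_tag(method, path, body), tag)


def verify_hmac(secret: bytes, method: str, path: str, body: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(hmac_tag(secret, method, path, body), tag)


def tamper_demo():
    """Simulate the in-transit modification described above.

    Returns (plain_hash_accepts_tampered, hmac_accepts_tampered).
    """
    method, path = "POST", "/transfer"
    body = b'{"to":"alice","amount":10}'          # constructed original request body
    original_mac = hmac_tag(SECRET, method, path, body)

    # The interposed party replaces the body and recomputes the plain hash,
    # which needs no secret. For the HMAC the best it can do is reuse the old tag.
    tampered_body = b'{"to":"mallory","amount":10000}'
    recomputed_plain = plain_hash_tag(method, path, tampered_body)

    return (
        verify_plain_hash(method, path, tampered_body, recomputed_plain),  # True: accepted
        verify_hmac(SECRET, method, path, tampered_body, original_mac),    # False: rejected
    )
```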
