Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

API authentication using timestamp : What to do when the client's time setting is changed?

Tags:

rest

security

authentication

api

I am implementing an REST API authentication system.

I am basically using the method explained in this site:

http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

Basically it uses the request body to create a hash, sends it to the server along with the actual request, the server recreates and compares it, and what not...

I won't bother explaining the details. The important part is that I am using a timestamp in order to prevent "replay attacks".

Quoting from the site, it explains:

Compare the current server’s timestamp to the timestamp the client sent. Make sure the difference between the two timestamps it within an acceptable time limit (5-15mins maybe) to hinder replay attacks.

The problem I am facing now is that if the client's clock setting is modified, it may cause unexpected API authentication failures, since the timestamp varies between the client and the server.

Is there no way around this? Do I have to give up on using the timestamp?

I would highly appreciate it if anyone can help me out with a solution for this timestamp problem, or with any other way which I can prevent replay attacks.

Note: I am aware that issuing a nonce to the client is an excellent way to prevent "replay attacks", but I want to make that my last resort, since the implementation cost of creating a nonce-issuing-API and the backend to manage the nonce is too large.

like image 503
ashiina Avatar asked Oct 17 '13 15:10

ashiina

2 Answers

When comparing the server's time stamp with the client sent timestamp, it does not have to be THE client timestamp, but the previuously timestamp sent by the server to the client. You can never rely on client's own timestamp as it could be anything or it could be in the other side of the world.

When the client connects to the server the first time, the server can reply a timestamp from itself and stored on the client, the next time the client must send the last timestamp received.

like image 176
Daniel Luyo Avatar answered Nov 12 '22 01:11

Daniel Luyo

I think you want your timestamp to be UTC time as the updated article indicates.

like image 30
PaulR Avatar answered Nov 12 '22 00:11

PaulR
Sign in to Comment

Related questions

What is a good map api for a commercial application?
Retrieve check-ins of my friends from facebook api
How do I find the retweet count with Twitter4J?
Facebook API - Invalid signed request. (Invalid signature.)
Why can't I login to test Facebook user accounts from the Android native app?
Write a custom formatter for Google Charts Api
Is there a Python API for drawing diagrams (that use lines to connect corresponding values between two lists) [closed]
How to generate client key & secret for application registering on my site & how to use OAuth to implement provider
how to use the google maps api with greasemonkey to read a table of addresses and trace the route?
Is it possible to do a fragment caching in a rabl view?
tastypie posting and full example
REST API design - querying mail data - which poison to choose? [closed]
API Design: Separate or combine internal with external functions?
Payment Gateway process
Make my own api with oauth
Trello token security issue?
Desire2Learn Valence API logout
Node.js proxy with ability to change response headers and inject additional request data
Routing REST requests without framework?
Django Tastypie slow POST response

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!