Menu
We are working on a new project, we are two lead developers and got on a cross road on how to use a token to secure the communication between the server and the client :
Step one) the client requests a primary token, by sending the username and password and the current_time (this variable will be saved in the server's database and the client side too) to the api, the server interprets the input, and renders a hashed token (e.g. : 58f52c075aca5d3e07869598c4d66648) saves it in the database and returns it to the client.
Step Two) The client now saves the primary token, and creates new hashed token using the primary token + the current_time variable sent in the authentication request (lets call this new token, main_token) also the server does the same and create the same token using the same algorithm.
Step Three) Each time the client queries the server API, it sends the main_token to the server, now the server compares the token generated in it, with the main_token sent by the client, if it matches, it means the user is real
Step One) The client generates two random keys ($key1 = rand(10000,90000); $key2 = rand(10000,90000);) On each request on the API, the client creates a hash using the query type, and the two keys with a complex algorithm, and sends these two keys + the hash to the server
Step Two) The server, using the same Algorithm used in the client, creates a hash, and compares is to the one sent by the client, if it matches, the server proceeds to deal with the query
Now, the question is, Which one is the most logical, and secure way to use for securing the api requests
Best Regards
284
OAuth (specifically, OAuth 2.0) is considered a gold standard when it comes to REST API authentication, especially in enterprise scenarios involving sophisticated web and mobile applications. OAuth 2.0 can support dynamic collections of users, permission levels, scope parameters and data types.
The API authentication process validates the identity of the client attempting to make a connection by using an authentication protocol. The protocol sends the credentials from the remote client requesting the connection to the remote access server in either plain text or encrypted form.
Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.
You can protect your API using strategies like generating SSL certificates, configuring a web application firewall, setting throttling targets, and only allowing access to your API from a Virtual Private Cloud (VPC).
Neither of the solutions has any benefit to security.
Once I have main_token, I can compute any hash(main_token + timestamp). All I need to access the API is the main_token, so why bother with the timestamp business?
If you send the two random numbers with each request and the query type, then what is stopping me from doing the same and using your APIs? The algorithm? The rule with cryptography algorithms is if you roll your own, someone will crack it. Second rule is security by obscurity doesn't work.
First, normalize the request. This might mean extracting the important parameters including method (post,get,action,timestamp) and putting them in order. Then running that string through HMAC algorithm which takes the Secret_token as a parameter.
The Secret_token is only transferred over the wire one time when the authentication happens. It's assumed the authentication process is very secure (as the password is transferred during this process, it's a safe assumption).
Note: still not safe to send over plaintext, use SSL.
HMAC is a well known solution. See:
121
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
