Transmit user password for a rest api

I'm designing a REST API and I have some problems in terms of security for authenticating the user. For authentication I don't want the password to be sent across the network in plain text.

To bypass this problem I could send a SHA-256 hash of the password (with the username as salt), so the password is never sent in plain text. In my database I will be storing the following hashes: SHA256(password + salt) and I'll compare if both of the hashes match.

The problem with this option is that I'll have a hash computed with a fast hash algorithm and the salt is not random.

In security the best practice is to use a slow signature algorithm, with a random salt (like bcrypt).

The slow algorithm is not a problem, I could use bcrypt on the client side, but for the salt I don't know what to do:

  • Bcrypt needs a salt with a defined size, so I can't put the username in it
  • If I'm using a random salt, how will the client know the value of this salt before computing the password's hash?

So I can see 3 options, but none are satisfying:

  • I send the password in plain text (I'm using SSL) and I store bcrypt in the db => still vulnerable to man in the middle
  • I use SHA256 and send the hash where the salt is the username (still using SSL) => the hashes in the db are less secure
  • I use bcrypt and I have a two step process: I ask for the salt for a given user and then send the hash of this user (still using SSL) => by trying to log in with another username I can obtain his salt, not awesome

Does anybody have a better solution or some advice?

darkheir asked Oct 24 '12 15:10




1 Answer

I think you might be conflating/confusing a few issues here:

  • If you're storing the hash(password + username) on the server, and authentication involves sending hash(password + username), you haven't really achieved anything better than just storing the password on the server. The goal of only storing hashes long-term is that if you have a data breach (i.e., an attacker gains access to the database) they still can't produce the correct value to authenticate. But if you're doing a simple comparison, this is still an issue.
  • The correct use of hashing+salting is: (1) Server stores tuples of (Salt, hash(Password + Salt)); (2) User sends (claimed Password); (3) Server computes hash(claimed Password + Salt); (4) if hash(claimed Password + Salt) == hash(Password + Salt), then they're authentic. In this way, even if an attacker gets access to the database, they can't produce a claimed password such that hash(claimed Password + Salt) is valid.
  • Sending a plaintext password via SSL is not "in the clear" (per @NullUserException's comment) unless the attacker has broken SSL. Only the server will be able to obtain the value of the password (assuming the server's public key is valid, which is a whole 'nother story).

Hope this helps!

mfsiega answered Oct 15 '22 03:10
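The four-step flow from the answer, written out as an added Python example that is not part of the original post or of any project's code. It assumes PBKDF2-HMAC-SHA256 as the slow hash in place of bcrypt and an in-memory dictionary in place of the database; the server receives the claimed password over TLS, looks up the per-user random salt, recomputes the hash and compares in constant time.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it until one
# verification takes a noticeable fraction of a second on the server).
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed in-memory "database": username -> (salt, hash(password + salt)).
# Only the server ever sees these values; the client never needs the salt.
USER_DB: Dict[str, Tuple[bytes, bytes]] = {}


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash. Because the salt is random per user, two users with
    the same password end up with different stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Step (1) of the answer: store the tuple (Salt, hash(Password + Salt))."""
    salt = os.urandom(SALT_BYTES)
    USER_DB[username] = (salt, derive(password, salt))


def verify(username: str, claimed_password: str) -> bool:
    """Steps (2)-(4): client sent the claimed password over TLS; the server
    recomputes hash(claimed Password + Salt) and compares it to the stored hash."""
    record = USER_DB.get(username)
    if record is None:
        # Spend the same effort for unknown users so response time does not
        # reveal whether the username exists (fixed dummy salt, constructed).
        derive(claimed_password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = record
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(derive(claimed_password, salt), stored_hash)


def stored_hashes_differ(password: str) -> bool:
    """Shows why the salt must be random rather than derived from public data:
    two accounts registered with the same password get unrelated stored hashes."""
    register("alice", password)
    register("bob", password)
    return USER_DB["alice"][1] != USER_DB["bob"][1]
```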