2

I am trying to implement an authentication for an API with private & public key.

What I want to do is provide a private key, hash some data with it and send the hash in a header, then rehash the same data again on the server for comparison.

What I'm having trouble with it is, what kind of data should I hash, the request URI, the content type and maybe the content itself, but what when the request is GET and there is no content.

Will hashing any data with the private key will be secure enough, or do I need to do something special?

Improve this question
3
  • 4
    When you hash, you don't need/want a public-private key pair, since that's of no use in reproducing the hash. Public-private key pairs are used with asymmetric cryptographic algorithms, which in turn are of no real use here. So, no P/P keys; you really only want one shared secret, a token. Commented Oct 29, 2015 at 13:39
  • And only send that token for authentication? Commented Oct 29, 2015 at 13:52
  • If you need a private/public key pair, you don't want a hash, you want a digital signature. openssl_sign(), for example. Commented Oct 29, 2015 at 14:00

1 Answer 1

Reset to default
2

  1. As stated in the comment, you don't want public/private key pairs here. What you want is a proof of identity. The client will give you their username/id (they'll claim an identity), and you need additional proof that it's really them. For this purpose they send a secret which only they are supposed to know. That's a simple token.

  2. You want to avoid sending this token over the wire back and forth. Remember it's a secret and should stay as secret as possible. Instead what you ask the client to send is an indirect proof; you ask them to sign the request.

  3. Signing a request means they simply hash the contents of the request with a MAC algorithm, their secret token being the key to the hash.

    • What parts of the request to hash you decide; everything that's included in the hash is unspoofable by 3rd parties, but you should refrain from requiring everything to be hashed since HTTP headers may be added or removed at various stages of the request.
    • To avoid replay attacks, hash the date of the request (and require the date be sent with the request). Don't accept requests past a certain expiry date. Alternatively include an ever changing token, if that's feasible.
    • Make sure the hash is easily reproducible, e.g. require sorting of the data to be hashed.
    • You should include the URL in the hash; if you do, it doesn't matter whether there's body data or not. The URL + the date/token from above is perfectly sufficient already to form a MAC.
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.