HMAC Implementation for Web Service Authentication in PHP -


I am trying to implement a web service and some (very) simple to restrict access to the service Authentication is required.

I came to know about HMAC and I think how I implement it. But there are some questions in my mind.

Say I have this HTML form on the consumer side. When making a GET / POST request on your server.

  1. Enough to create hash: public_key using secret_key ?
  2. Or, do I need to create a hash of the whole POST variables / array?

    I am thinking that this will be enough to send a hash of public_key , but only want to make sure and ask you.

    I am planning to do this:

    1. public_key
    2. one Create hash in a public field or a public URL (or client_id) with a hash in the URL as the ultimate post / gate variable.
    3. Confirm the hash against the database by retrieving the hash using the code of secret_key and get the code of public_key on your server.
    4. If the hash matches, I accept the POST / GET request.

      Your thoughts?

      Explanation: Public_key is like that client unique ID , where I say to generate a hash on the server Use to identify secret key to use.

      There is an alternative method of PB to identify the user. This can also be a user email, since you do not want to expose your user data to make your programmer (or potential snippers) a unique identifier for every user. All this means that then you need a private key to sign your hash.

      Of course, to make it worth your is , to sign all the unique request data, otherwise someone can change your request body and you are not able to find out Will (MITM attack).

      You should also take care of creating a timestamp that should be included in HMCAC, then pass along with the request. In this way you can make the signature ending and therefore you want to play again (someone responded against the server without stealing the request and modifying it, sometimes operating a single action ... That this is a problem if it is requested to pay for your service, your user will be very angry with you).

      In addition to this, remember (none) to encrypt the Request-URI inside HMAC and HTTP method (alias verb) also if you are using a powerful webservice, otherwise the malicious user Other URIs will be able to send requests or (using undoubtedly services) can change the meaning of your request, so a valid GET can become potential daily. An example might be: The user wants to see all his data, a GET requests, a man reads the request in the middle and changes with DELETE. You are not given a chance to find out that if your HMAC is not inside, you can change something so that you get Daily Request and Boom! You destroy all user data

      So always remember: Everything is necessary for your request, should be valid and if you rely on any HMAC, then you need to rely on the request All things have to be encrypted.

      Always remember to start designing your system by denying all requests, then you can always validate the requested actions, in this way you always come back to the rejected requests. This a user email tells you that he can not do anything that has promoted your user data on the net.

Comments

Post a Comment

Popular posts from this blog

Python SQLAlchemy:AttributeError: Neither 'Column' object nor 'Comparator' object has an attribute 'schema' -

I tried to create a new database in my project, but when I run the script, I get this error, I have another project, this type of definition worked before, but now it gets a single error. I am using Python 2.7.8 and the version of SQLAlchemy module is 0.9.8. By the way, using a project flask- SQLAlchemy, it works well, I'm confused. Traceback information is as follows: Traceback (most recent call final): File "D: / Projects / IOM / db_create.py", line 4, & lt; Module & gt; From the models the base file "D: \ Projects \ OO-IM \ models.py", in line 15, in the & lt; Module & gt; Column ( 'followed_id', int (), ForeignKey ( 'user.id')) file "C: \ Python27 \ lib \ site-packages \ SQLAlchemy \ SQL \ schema.py", line 369, __new__ schema = metadata. Schema file "C: \ Python27 \ lib \ site-packages \ SQLAlchemy \ SQL \ elements.py", line 662, AttributeError in __getattr__ key): Neither 'column' object nor ...
Read more

java - How not to audit a join table and related entities using Hibernate Envers? -

I use Eners to be hibernate to audit my institutions. I have an audit entity, Foo , which includes a list & lt; Bars & gt; However, I do not want to audit the bar institutions, in the form of properties, I have written that: @inti @edicated public class Foo {@JoinTable (name = "T_FOO_BAR", joinColumns = @JoinColumn (name = "FOO_ID"), inverseJoinColumns = @JoinColumn (Name = "BAR_ID")) @ManyToMany (Cascade = Persist) @ Indited (targetAuditMode = RelationTargetAuditMode.NOT_AUDITED ) Public listing & lt; Bars & gt; GetBars () {Return bars; }} Now, I want to retrieve an amendment of foo : AuditReader reader = AuditReaderFactory.get (GetEntityManager ()); FU modification = (FU) reader.CreativeTeA () .entensEtrevision (Foo Class, 42) .getSingleResult (); Unfortunately, when I want to retrieve all the data (i.e. when it loads lazy times ), error me ORA-00942: table or view is not present , because Tried to query this: Sel...
Read more

mongodb - CakePHP paginator ignoring order, but only for certain values -

While pagging my user model in kppp, I can sort with some values, but not others. For example, I can order results from created or email , for example, but username or reputation seems to come back order by arbitrary command for example with a list of users: $ this-> paginate = array ('condition' => array ( 'User.is_active' = & gt; true), 'border' => 24, 'order' => array ('User.created' => DESC)); Works as expected, but $ this - & gt; Paged = array ('conditions' = & gt; array (' user.isIactive '= & gt; true),' border '= & gt; 24,' command '= & gt; array (' user repeats' = ' & Gt; DESC ')); No, no. I first thought that this could be a database issue, but when I search the database directly, sorted as expected. Note: I am using Mangodebi with the Mongo DB plugin of Ichikawa for the KPPHP; Pagnetizing users are used to work properl...
Read more