  1. #1
    SitePoint Evangelist
    Join Date
    Aug 2005
    Location
    Winnipeg
    Posts
    498

    Simple nonce web service

    I need to expose some JSON data to a remote application (both of which we maintain) and keeping things secure is important.

    My idea was to query the web service by simply invoking a URL like:

    Code:
    fetch.php?module=users&something=else
    However, I am not totally sure on how to proceed with the guarantee that both the client and server web applications share a private key of some sort. Basically my requirement isn't so much to ensure the data transfer is secure, but that the requesting application can actually make the request and expect valid results.

    My in-head solution goes something like:

    1. Create a private key shared by both apps
    2. Send request to server with url like

    index.php?ts=736377469876&nonce=NJM9hjHJND7S66tndjydes5

    The nonce is generated on the requesting server by sha256 hashing of the timestamp (ts) of the current system using some private key (i.e. TEST) as a salt???

    Problem is, the receiving server can take its secret key and generate a hash on timestamp and compare the two hashes for equality, however there is no way to prevent this same set of values from being captured and replayed. Unless I expire the request after a few seconds, the problem with this approach is two distinct physical servers could have wildly different timestamps for current time.

    Any other ideas for achieving a simple one time (semi-secure) HTTP request/response???

    Cheers,
    Alex
    The only constant in software is change itself

  2. #2
    SitePoint Evangelist
    Join Date
    Aug 2005
    Location
    Winnipeg
    Posts
    498
    A little googling tells me that OTP is pretty close to what I need, though some implementations seem to require storing the hashkey to prevent relay attacks, I was really hoping to address this step using some fancy math algorithm, none of which I understand.

    Cheers,
    Alex
    The only constant in software is change itself

  3. #3
    SitePoint Addict
    Join Date
    Jan 2005
    Location
    United Kingdom
    Posts
    208
    I think a prerequisite for generating this kind of thing would be (mostly) synchronized clocks. A poor man's alternative could perhaps be a sha1_file on something which changes consistently on both servers?

  4. #4
    SitePoint Wizard kyberfabrikken
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    You can use https. Either using certificates to authenticate or you can simply use ssl for the encryption and then add basic http auth on top, for authentication. Both are plenty secure. If ssl is not an option, digest http authentication is fairly good as well.

  5. #5
    SitePoint Addict
    Join Date
    Jan 2005
    Location
    United Kingdom
    Posts
    208
    Quote: Originally posted by kyberfabrikken
    You can use https. Either using certificates to authenticate or you can simply use ssl for the encryption and then add basic http auth on top, for authentication. Both are plenty secure. If ssl is not an option, digest http authentication is fairly good as well.
    I understood the requirement as preventing replay attacks, not sure if SSL really covers this? Maybe with client authentication...
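
Added example, not code from any poster in this thread: one way to combine the ideas discussed above (shared key, timestamp, nonce) so that a captured request cannot be replayed and the servers' clocks only need to agree within a tolerance. It is written in Python rather than PHP (PHP's hash_hmac and hash_equals are the equivalents); the key value, the five-minute window, the `sig` field and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned out of band on both apps
MAX_SKEW = 300                        # assumption: tolerate clocks up to 5 minutes apart


def _mac(key, ts, nonce, query):
    # JSON-encode the fields so their boundaries are unambiguous, then HMAC-SHA256.
    msg = json.dumps([ts, nonce, query]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(query, key=SHARED_KEY, now=None):
    """Client side: attach ts, a random nonce and a MAC covering all three fields."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)     # random per request, not derived from the clock
    return {"query": query, "ts": ts, "nonce": nonce,
            "sig": _mac(key, ts, nonce, query)}


class Verifier:
    """Server side: checks the MAC, the freshness window, and single use of a nonce."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}                # nonce -> time after which it can be forgotten

    def verify(self, req, now=None):
        now = time.time() if now is None else now
        expected = _mac(self.key, req["ts"], req["nonce"], req["query"])
        # Constant-time compare; the MAC covers the query, so it cannot be swapped.
        if not hmac.compare_digest(expected.encode(), req["sig"].encode()):
            return "bad-signature"
        if abs(now - int(req["ts"])) > self.max_skew:
            return "stale"            # outside the tolerated clock difference
        # Forget nonces whose timestamps can no longer pass the freshness check,
        # so the store stays bounded by the traffic seen in one window.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if req["nonce"] in self.seen:
            return "replay"
        self.seen[req["nonce"]] = int(req["ts"]) + self.max_skew + 1
        return "ok"
```

The nonce store only has to cover the freshness window, because anything older is already rejected as stale; in a multi-process deployment it would live in a shared cache instead of a dict.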

