Simple nonce web service

I need to expose some JSON data to a remote application (both of which we maintain) and keeping things secure is important.

My idea was to query the web service by simply invoking a URL like:

fetch.php?module=users&something=else

However, I am not totally sure how to proceed with the guarantee that both the client and server web applications share a private key of some sort. Basically my requirement isn’t so much to ensure the data transfer is secure, but that the requesting application can actually make the request and expect valid results.

My in-head solution goes something like:

  1. Create a private key shared by both apps
  2. Send request to server with url like

index.php?ts=736377469876&nonce=NJM9hjHJND7S66tndjydes5

The nonce is generated on the requesting server by sha256 hashing of the timestamp (ts) of the current system using some private key (i.e. TEST) as a salt???

Problem is, the receiving server can take its secret key and generate a hash on the timestamp and compare the two hashes for equality; however, there is no way to prevent this same set of values from being captured and replayed, unless I expire the request after a few seconds. The problem with this approach is that two distinct physical servers could have wildly different timestamps for current time.

Any other ideas for achieving a simple one time (semi-secure) HTTP request/response???

Cheers,
Alex

You can use https. Either using certificates to authenticate or you can simply use ssl for the encryption and then add basic http auth on top, for authentication. Both are plenty secure. If ssl is not an option, digest http authentication is fairly good as well.

I understood the requirement as preventing replay attacks, not sure if SSL really covers this? Maybe with client authentication…

A little googling tells me that OTP is pretty close to what I need, though some implementations seem to require storing the hashkey to prevent relay attacks, I was really hoping to address this step using some fancy math algorithm, none of which I understand. :)

Cheers,
Alex

I think a prerequisite for generating this kind of thing would be (mostly) synchronized clocks. A poor man's alternative could perhaps be a sha1_file on something which changes consistently on both servers?
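
The scheme discussed in this thread, as an added example that is not part of any poster's reply: the client signs the request parameters, a timestamp and a random nonce with HMAC-SHA256 under the shared key, and the server rejects bad signatures, timestamps outside a skew window, and nonces it has already seen inside that window. The key, the 300-second window, the parameter names `sig`/`nonce`/`ts` and the result strings are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

SHARED_KEY = b"constructed-demo-key"  # constructed sample; use a long random secret
MAX_SKEW = 300  # assumed tolerance in seconds for clock drift between the servers


def _mac(params, key):
    # Canonical form: sorted, URL-encoded pairs, so both sides hash identical bytes
    # and values containing '&' or '=' cannot be confused with separators.
    msg = urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def sign_request(params, key=SHARED_KEY, now=None):
    """Client side: add ts, a random nonce and a MAC covering every parameter."""
    signed = dict(params)
    signed["ts"] = str(int(time.time() if now is None else now))
    signed["nonce"] = secrets.token_hex(16)
    signed["sig"] = _mac(signed, key)
    return signed


class Verifier:
    """Server side: checks the MAC, the timestamp window and nonce reuse."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW):
        self.key, self.max_skew = key, max_skew
        self.seen = {}  # nonce -> ts; in memory here, a shared store across workers

    def verify(self, params, now=None):
        now = int(time.time() if now is None else now)
        try:
            ts, nonce, sig = int(params["ts"]), params["nonce"], params["sig"]
        except (KeyError, ValueError):
            return "malformed"
        # Constant-time comparison of the expected and supplied MAC.
        if not hmac.compare_digest(_mac(params, self.key).encode(), sig.encode()):
            return "bad-signature"
        if abs(now - ts) > self.max_skew:
            return "stale"
        # Nonces outside the window can be forgotten: the check above rejects them.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"
```

The nonce store only has to remember one skew window of requests, which is what keeps the stored state bounded; the window itself only needs clocks that agree to within `MAX_SKEW`.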