I have an open API in my application that I’d like to provide access key’s for. The incoming info will be a user id, resource id and a value to update with. I’d like one API key per resource.
Preferably I would like to be able to validate the authenticity of an incoming request using only the supplied data and not checking against any sort of database (very simple, very fast!)
If I used md5 to generate the API key from the resource ID, user id and a salt it might look something like this …
authentic_request = md5(user_id + resource_id + salt) == api_key
My question is really one on how paranoid I should be. Would something like the above with just plain old md5 suffice? Another option would be to use openssl generate the key against a pem and then maybe md5 the result to keep it concise, does that sound overly paranoid or even add a layer of security in reality?
Any ideas or even alternataaives gratefully received!
Thanks
This is effectively a simplistic implementation of a hash-based message authentication code.
Assuming you’re going to give out these keys on the basis of the
(user_id, resource_id)pair and keep the value you’re callingsaltsecret, and you’re not expecting a serious attempt at an attack, this should work. However, best practice dictates that you should use a more secure algorithm than mere concatenation to combine the key and data, and a stronger digest algorithm such as SHA-1; there is a standard HMAC-SHA1 combination algorithm which would work nicely for this.The third value is actually a key, not a salt; possession of this key is what allows for both generation and validation of the authentication code.