I know it as secure-token URL, maby there is another name out there. But I think you all know it.

Its a teqniuque mostly applied if you want to restrict content delivery to a certain client, that you have handed a specific url in advance.

You take a secret token, concatenate it with the resource you want to protect, has it and when the client requests the this URL on one of your server, the hash is re-constructed from the information gathered from the request and the hash is compared. If its the same, the content is delivered, else the user gets redirected to your webseite or something else.

You can also put a timestamp in the has to put a time to live on the url, or include the users ip adress to restrict the delivere to his connection.

This teqnique is used by Amazon (S3 and Cloudfront),Level 3 CDN, Rapidshare and many others. Its also a basic part of http digest authentication, altough there is it taken a step further with link invalidation and other stuff.

Here is a link to the Amazon docs if you want to know more.

Now my concerns with this method is that if one person cracks one token of your links, the attacker gets your token plain-text and can sign any URL in your name himself.

Or worse, in the case of amazon, access your services on an administrative scope.

Granted, the string hashed here is usually pretty long. And you can include a lot of stuff or even force the data to have a minimum length by adding some unnecessary data to the request. Maby some pseudo variable in the URL that is not used, and fill it up with random data.

Therefore brute force attacks to crack the sha1/md5 or whatever you use hash are pretty hard. But protocol is open, so you only have to fill in the gap where the secret token is and fill up the rest with the data known from the requst. AND today hardware is awesome and can calculate md5s at a rate of multiple tens of megabytes per second. This sort of attack can be distributed to a computing cloud and you are not limited to something like “10 tries per minute by a login server or so” which makes hashing approaches usually quite secure. And now with amazon EC2 you can even rent the hardware for short time (beat them with their own weapons haha!)

So what do you think? Do my concerns have a basis or am I paranoic?

However,

I am currently designing an object storage cloud for special needs (integrated media trans coding and special delivery methods like streaming and so on).

Now level3 introduced an alternative approach to secure token urls. Its currently beta and only open to clients who specifically request it. They call it “Proxy authentication”.

What happens is that the content-delivery server makes a HEAD request to a server specified in your (the client’s) settings and mimics the users request. So the same GET path and IP Address (as x_forwarder) is passed. You respond with a HTTP status code that tells the server to go a head with the content delivery or not.

You also can introduce some secure-token process into this and you can also put more restrictions on it. Like let a URL only be requested 10 times or so.

It obviously comes with a lot of overhead because additional request and calculations take place, but I think its reasonable and I don’t see any caveats with it. Do you?