I work on ASP.NET and was just reading this from the Amazon directory http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html where it states:
Informally, we call this process “signing the request,” and we call
the output of the HMAC algorithm the “signature” because it simulates
the security properties of a real signature. Finally, you add this
signature as a parameter of the request, using the syntax described in
this section.

When the system receives an authenticated request, it fetches the AWS
Secret Access Key that you claim to have, and uses it in the same way
to compute a “signature” for the message it received. It then compares
the signature it calculated against the signature presented by the
requester.
But I presume both the requests won't be the same, right? The request is signed (great!!) but the HMAC of the response from the client browser is going to be different since it contains extra data, right? So how come requests can validate even though they are valid?
You need to read the whole of the paragraphs you quoted from. Right before the piece you quoted it says:
So you calculate your HMAC from those selected elements, and when you submit the request, the server calculates an HMAC from those same elements, and then they are compared.
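The check this answer describes, as an added example that is not part of the original post and is not AWS's own code: both sides build the string to sign from the same selected elements, so headers the HTTP stack adds afterwards do not change the result. The list of signed elements, the key ID, the secret and the choice of HMAC-SHA256 are assumptions for illustration; the AWS documentation defines its own list.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials: key ID -> secret, as the server would store them.
SECRETS = {"AKIDEXAMPLE": b"constructed-secret-not-a-real-key"}

# Assumption: the headers both sides agree to sign. Anything else is ignored.
SIGNED_HEADERS = ("Content-Type", "Date")


def string_to_sign(method, path, headers):
    """Build the canonical string from the selected request elements only."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    parts = [method.upper()]
    parts += [lowered.get(name.lower(), "") for name in SIGNED_HEADERS]
    parts.append(path)
    return "\n".join(parts).encode("utf-8")


def sign(secret, method, path, headers):
    """Client side: HMAC over the canonical string, base64-encoded."""
    mac = hmac.new(secret, string_to_sign(method, path, headers), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(key_id, signature, method, path, headers):
    """Server side: look up the claimed key, recompute, compare in constant time."""
    secret = SECRETS.get(key_id)
    if secret is None:
        return False
    expected = sign(secret, method, path, headers)
    return hmac.compare_digest(expected.encode(), signature.encode())


# Client signs what it intends to send (constructed sample request).
client_headers = {"Content-Type": "text/plain",
                  "Date": "Tue, 27 Mar 2007 19:36:42 +0000"}
sig = sign(SECRETS["AKIDEXAMPLE"], "PUT", "/bucket/photo.jpg", client_headers)

# The request as it arrives: extra headers were added that were never signed.
received = {**client_headers, "User-Agent": "ExampleClient/1.0", "Accept": "*/*"}
print(verify("AKIDEXAMPLE", sig, "PUT", "/bucket/photo.jpg", received))  # extras ignored
print(verify("AKIDEXAMPLE", sig, "PUT", "/bucket/other.jpg", received))  # signed path changed
```

Changing any signed element (method, path, `Content-Type`, `Date`) makes verification fail, while unsigned headers can differ freely.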