I’ve implemented a webservice authentication that works pretty much the same as Amazon S3.
The authentication is session-less. It works like this:
- send a Date HTTP Header in each request
- send a HMAC_SHA1 of secretKey+contents of date-header+some-parts-of-the-body (pseudo code: hmac_sha1(secretKey+dateHeader+substr(body,0,100)))
- The backend also knows the secretKey (20 char random key).
- The backend checks the request by also doing the same HMAC_SHA1 and if the value is equal, the request is “proven” and will be executed.
So, I think that’s pretty much what Amazon does.
But what about the idea of doing not a symmetric (HMAC_SHA1) but instead an asymmetric encryption (RSA) of the “parts of the request”?
I would like to avoid having the secretKey on my backend. Better to place only the public key on the backend side.
- Do you think this is a good idea?
- Would it make the system “stronger”?
- What’s a good max size for encrypting with RSA? 1000 bytes?
Thanks
Doing this with RSA you will have the public key on the client-side and the private key on the server-side (a.k.a. backend). You will always end up with some secret key somewhere…
IF you are worried about security:
THEN go ahead and take care of the most problematic points (i.e. highest “cost” and/or “highest” probability).
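
The backend check described in the question, next to a public-key signature variant of the idea it asks about, as an added Node.js example (not code from either poster). It assumes secretKey is used as the HMAC key, a 5-minute window on the Date header, and RSA signatures over SHA-256; all function names and sample values are hypothetical.

```javascript
const crypto = require('crypto');
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window; the post gives none

// Bytes covered by the check: Date header + first 100 bytes of the body (as in the post).
function signedParts(dateHeader, body) {
  return Buffer.concat([Buffer.from(dateHeader), Buffer.from(body).subarray(0, 100)]);
}
// A Date header far from the server clock is rejected, which limits replay of captured requests.
function dateIsFresh(dateHeader, now) {
  const t = Date.parse(dateHeader);
  return !Number.isNaN(t) && Math.abs(now - t) <= MAX_SKEW_MS;
}

// Symmetric variant: client and backend both hold secretKey.
function hmacTag(secretKey, dateHeader, body) {
  return crypto.createHmac('sha1', secretKey).update(signedParts(dateHeader, body)).digest();
}
function verifyHmac(secretKey, dateHeader, body, tag, now) {
  const expected = hmacTag(secretKey, dateHeader, body);
  return dateIsFresh(dateHeader, now) &&
    tag.length === expected.length && crypto.timingSafeEqual(tag, expected); // constant-time compare
}

// Asymmetric variant: the client signs with its private key, the backend stores only the
// public key. The signature covers a SHA-256 hash, so input size is not bounded by the key size.
function rsaSign(privateKey, dateHeader, body) {
  return crypto.sign('sha256', signedParts(dateHeader, body), privateKey);
}
function verifyRsa(publicKey, dateHeader, body, signature, now) {
  return dateIsFresh(dateHeader, now) &&
    crypto.verify('sha256', signedParts(dateHeader, body), publicKey, signature);
}

// Constructed sample request: key, date and body are made up for this example.
function demo() {
  const secretKey = 'constructed-20char-k';
  const date = 'Mon, 06 Jan 2025 12:00:00 GMT';
  const now = Date.parse(date) + 60 * 1000;
  const body = '{"amount":10,"note":"' + 'x'.repeat(120) + '"}';
  const tag = hmacTag(secretKey, date, body);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sig = rsaSign(privateKey, date, body);
  return {
    hmacOk: verifyHmac(secretKey, date, body, tag, now),
    hmacStale: verifyHmac(secretKey, date, body, tag, now + 3600 * 1000),
    hmacEarlyTamper: verifyHmac(secretKey, date, body.replace('10', '99'), tag, now),
    hmacLateTamper: verifyHmac(secretKey, date, body + ',"extra":1', tag, now),
    rsaOk: verifyRsa(publicKey, date, body, sig, now),
    rsaEarlyTamper: verifyRsa(publicKey, date, body.replace('10', '99'), sig, now),
  };
}
console.log(demo());
```

`hmacLateTamper` comes back `true`: with only the first 100 bytes of the body covered, a change after that offset still verifies, in either variant.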