Questions tagged [hmac]

11 questions
20 votes, 2 answers

REST API security: HMAC/key hashing vs JWT

I just read this article that is a few years old but describes a clever way of securing your REST APIs. Essentially: Each client has a unique public/private key pair Only the client and the server know the private key; it is never sent over the…
smeeb • 4,820 • 10 • 30 • 49
11 votes, 6 answers

Is CRC pointless if I'm doing truncated HMAC?

I am currently designing a communication protocol for an embedded system. I've decided that authentication (but not encryption) is important, so I decided to add 4 bytes of truncated HMAC signature to every packet. At the same time, I also want to…
9a3eedi • 2,101 • 3 • 23 • 29
3 votes, 0 answers

Securing a REST API based on authentication with external site

I have a website with an already-established authentication system. Once a user logs on to it, one of the features is a statistics application based on AngularJS. The app communicates with an external REST API (built on Spring) that basically just…
ctrlz • 31 • 1
1 vote, 1 answer

HTTP(S) API authentication: why don't many services require signing (HMAC)?

I am currently researching existing authentication/authorization solutions that are used for REST APIs. More specifically, I'm interested in backend-to-backend interactions, but client-to-backend is relevant too. I looked at a few existing solutions and…
1 vote, 0 answers

'HMAC style' design example for a shared secret

I'm looking to secure an API based on a shared key and a given username and datetime. The API gives access to trusted third parties and does not require the input from a user in order to access their account (i.e. no OAuth user interaction flow).…
Rebecca • 151 • 6
1 vote, 0 answers

Validating time-limited HMACs

I'm exploring using HMAC style secret-key authentication with timestamp expiry, but am struggling to get my head around how you validate the timestamp portion. On the client side you would do: my_hmac = hmac(my_secret, my_values) Where you would…
kez • 111 • 1
1 vote, 1 answer

Are python's cryptographic modules good enough?

I mean, say you were writing professional-grade software that would involve sensitive client information. (Take this in the context of me being an amateur programmer.) Would you use hashlib and hmac? Are they good enough to secure data? Or would you…
temporary_user_name • 1,094 • 4 • 11 • 20
1 vote, 1 answer

Using a random string to authenticate HMAC?

I am designing a simple webservice and want to use HMAC for authentication to the service. For the purpose of this question we have: a web service at example.com a secret key shared between a user and the server [K] a consumer ID which is known to…
mrwooster • 780 • 4 • 12
0 votes, 1 answer

Using browsers to monitor changes in e-commerce pages

I've been looking at ways to monitor for changes in things like price and availability on e-commerce sites via visiting browsers, with three constraints: the sites often don't have much ongoing development effort behind them, so the solution needs…
Isvara • 610 • 6 • 18
-1 votes, 1 answer

How to secure my browser application against malicious requests?

I'm working on an application which can be added to third party websites. This means that this app runs in the browsers of the users of a third party and I don't have control over what runs in their server. My problem is that my app needs to load…
Hexworks • 115 • 1
-1 votes, 1 answer

Requesting Advice Regarding Storing Encryption Keys

I am using HMAC to hash some data before inserting it in a database and currently I have my key as a static field. Just wondering what the best practice regarding storing the key would be. Is having it in code good enough, or should it be in a…
user144154