We're in the process of migrating our MVC-based server application and making a REST-ful API through which calls will be handled. I've been reading up on AES encryption and OAuth2 and decided to implement a solution grown from those concepts as follows:

- Client sends a request to log in providing a UserID or Email. This request is HMAC'd using an API Secret Key.
- The server checks if the UserID/Email matches an existing account and if it finds one, creates and stores a server nonce which it sends as part of the response to the client.
- The client creates their own client nonce and creates a new temporary key from the API Secret key and both nonces. It then sends a login request with a password encrypted using this temporary key.
- The server decrypts the password and HMAC using the latest nonce it has stored for this client on this platform and the client nonce which was sent in the clear, if the HMAC checks out it then validates the password against the database.
- If the request is valid and the password and UserID match records, a new Session Secret Key is created for that UserID on that platform and this Secret key is sent to the client and will be used to HMAC every API request from that client henceforth.
- Any new non-login request would include an HMAC signature computed from the Session Secret key and randomized IV's.

All communication is handled through TLS so this is added security and not the only line of defense.
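The per-request signing and the temporary-key derivation described in the post, as an added sketch that is not the poster's code. It assumes HMAC-SHA256, treats the post's per-request random value as a nonce sent alongside a timestamp, and uses a hypothetical field layout and a 300-second freshness window; the AES encryption of the password is left out.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a request stays acceptable (assumed value)

def _frame(*parts: bytes) -> bytes:
    # Length-prefix every field so ("a", "bc") and ("ab", "c") never collide.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def derive_temp_key(api_secret: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Login step: temporary key from the API secret and both nonces."""
    return hmac.new(api_secret, _frame(b"login-temp-key", server_nonce, client_nonce),
                    hashlib.sha256).digest()

def sign_request(key: bytes, method: str, path: str, body: bytes,
                 nonce: bytes, ts: int) -> str:
    """HMAC over everything the server acts on, plus the nonce and timestamp."""
    msg = _frame(method.encode(), path.encode(), hashlib.sha256(body).digest(),
                 nonce, str(ts).encode())
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class RequestVerifier:
    """Server side for one session: checks freshness, signature, then replay."""
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.seen = {}  # nonce -> timestamp of accepted requests

    def verify(self, method, path, body, nonce, ts, sig, now=None) -> str:
        now = time.time() if now is None else now
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        expected = sign_request(self.key, method, path, body, nonce, ts)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return "bad-signature"
        # Forget nonces that the freshness check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"
```

Without the nonce cache and timestamp check, a captured request with a valid HMAC would verify again every time it is resent.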