Best authentication solution for RESTful Database Server

Question

I'm writing a RESTful Database Server called Phoenix. Being an easy interface into an entire application's data, security is quite an important issue, and I'm interested in what authentication solutions any of you could suggest.

It needs to be:

• Secure - it's got to be very hard to break. Signing requests could be a good way of doing this, but considering it's REST there aren't many parameters that are sent so I don't know what good singing would do.
• Minimal - I'd rather it didn't take four requests to compare six tokens in HMAC-signed requests - the USP of the server is it's simplicity, so authentication from clients has got to be easy.
• Implementable - it has to fit the system, which is a database server. So, for instance, oAuth wouldn't work here.

I'd love to hear your suggestions - thank you!

Jamie

Answer 1

Not much information here about what your security or implementation needs are. The quick answers are Basic or Digest over SSL, or signed requests. Are there reasons not to use these?

Signing requests typically adds a timestamp and/or a nonce, so any request can be authenticated. See the Amazon AWS authentication documentation for a description and libraries.

Answer 2

I have a similar server. I choose to use OAuth signing for its simplicity,

http://oauth.net/core/1.0#signing%5Fprocess

We don't enforce the nonce, just limit the timestamp to a short window (30 seconds) to thwart replay.

The OAuth library is available on many platforms so you don't have to write much code to implement it. Don't know why you think OAuth is not implementable.

For each client allowed to access the data, it's assigned a consumer_key and a consumer_secret. All the requests are signed with consumer_secret so only client knowing the secret can get access.

We also considered other options. HTTTP Basic Auth over SSL is too expensive. HTTP Digest Auth is too slow because it needs to wait for a challenge.