API authentication design and hackability

A:

Well suppose i knew the secret, then i could generate the sig and pass it. What were doing for one of my startups is taking the sig param even further by making the sig rely on the other parameters and also a requestID (UUID) and timestamp and store that UUID(security reasons for a couple of hours to deny the hacker of calling the same function over and over again). This way you cant call the same call again, you would have to generate a new UUID and if the hacker replaces the UUID in the param the sig invalidates, and he does not know how to generate the sig because, other than secret, we are also generating signature based on an internal key which is 30 characters in length. So essenity

MD5(Alphabetical List of Params + APiKEY + callID + Secert + someLonginternalKey)

not sure if i answered your question but thats another way of doing security for api

Faisal Abid 2009-10-28 00:09:32

P.S Shameless self promotion , I will be taking about this on Riadventure (Riadventure.com)

Faisal Abid 2009-10-28 00:10:19

"Well suppose I knew the secret" is game over in most APIs.Your solution definitely seems more secure, but is it "security through complexity"? I don't want to complicate the process unnecessarily. Why is the advantage to including all of the parameters? Why does the extra key make it less prone to being hacked?

Peter Sankauskas 2009-10-28 00:16:47

The extra key isnt required just some extra padding, you can ignore that. However by hashing the parameters in the signature, this ensures the data you are passing (i.e param1 param2) it's integrity is kept and your sure that no one changed it (man in the middle) like the other post was saying.

Faisal Abid 2009-10-28 01:18:42

+2 A:

No. The integrity of the other parameters (param1 and param2 in your example) is not protected. An attacker can intercept the call and alter these as he likes before forwarding it. The apiCallId only prevents replays, not alteration of the first call.

I'm no expert. If I saw that immediately, there are probably other problems lurking.

erickson 2009-10-28 00:14:14

Ah-haaa... interception is the reason.

Peter Sankauskas 2009-10-28 00:17:47

But what is to stop interception of any API call even if all of the parameters are used in the signature?

Peter Sankauskas 2009-10-28 00:21:38

Kirk Broadhurst 2009-10-28 00:53:08

I'm saying if a MAC were computed over the entire message, an alteration to any part of the message would be detectable.

erickson 2009-10-28 03:01:06

+6 A:

Jack Lloyd 2009-10-28 00:29:20

Awesome answer, and I love the technical detail. 'erickson' pointed out that interception (man-in-the-middle) is possible with the above. Do you have any recommendation of how to prevent this type of attack? I guess this goes beyond the original question. Does using HTTPS (and not HTTP) cover it?

Peter Sankauskas 2009-10-28 00:37:45

If the MAC covers all the data, _and_ there is no second set of input which canonicalizes to the same input to the MAC (this is important, as Amazon learned), and you ensure there is no way to do replay attacks (your counter scheme, implemented properly, seems OK), and your MAC is secure, then you should be safe against MITM. That's because an attacker has no options - they can modify a param or API value and try to send it on, but there will be no way for them to generate the correct MAC value, so the call (should be) rejected.

Jack Lloyd 2009-10-28 02:08:57

I'd assume you enforce the call id is always incrementing by a database table. Just be careful to update it only upon accepting a valid mac. Otherwise any random attacker could send apiKey=your_id and apiCallId=9999999999999999... and a garbage MAC value and cause an easy denial of service.On HTTPS: you can use it, do so - for one thing, it will protect the confidentiality of the API inputs (and the RPC responses), and just generally make any attacks on your auth scheme much harder.

Jack Lloyd 2009-10-28 02:11:20

`H(msg || K)` is much better than `H(K || msg)`, but it's still not great - if an attack is found to generate collisions in `H()` then this MAC becomes insecure (and there **is** such an attack against MD5). So I think you've buried the lede - "use HMAC" should be near the top.

caf 2009-10-28 04:13:12

..and Nate Lawson has just put up a post (http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/) saying exactly the same thing - `H(msg || K)` (aka "secret suffix") is broken with MD5.

caf 2009-10-29 22:44:40

A:

I would suggest to use digital signatures in this case since they're more appropriate. A digital signature over for example the apikey is more than enough. You dont even need the apisecret and the hash of it. You'd only have to make sure that the digital signature stays private (just like the md5 hash).

If you want to prevent replay attack, you need some kind of randomness in every request. So I would suggest the following:

Server -> API: Nonce (= some random number)

API -> Server: Enc(nonce + digital signature)

this is encrypted with the public key of the server and the digital signature is placed with the private key of the server.

Now you cannot have a replay attack. However there is still the problem of a man in the middle attack, but fixing this is not so trivial (but quite doable). So depending on the level of security you want/need you can adapt your technical measures.

Henri 2009-10-28 22:17:37

ansaurus

tags:

views:

answers:

API authentication design and hackability

related questions