tags:

views:

622

answers:

4
+7  Q: 

Authorizing REST Requests

I'm working on a REST service that has a few requirements:

  1. It has to be secure.
  2. Users should not be able to forge requests.

My current proposed solution is to have a custom Authorization header that look like this (this is the same way that the amazon web services work):

Authorization: MYAPI username:signature

My question is how to form the signature. When the user logs into the service they are given a secret key which they should be able to use to sign requests. This will stop other users submitting requests on their behalf, but will not stop them forging requests.

The application that will be using this service is an iPhone application, so I was thinking we could have a public key embedded in the application which we can do an additional signature with, but does this mean we'll have to have two signatures, one for the user key and one for the app key?

Any advice would be greatly appreciated, I'd quite like to get this right the first time.

+1  A: 

I think the simplest way to do this right would be to use HTTPS client authentication. Apple's site has a thread on this very subject.

Edit: to handle authorization, I would create a separate resource (URI) on the server for each user, and only permit that (authenticated) user to manipulate this resource.

Steven Huwig  2008-10-27 15:27:34
How does this stop users from forging requests?
jonnii  2008-10-27 15:35:36
HTTPS client authentication requires the client to have a valid public key certificate. Unless you mean by "forging requests" that an authenticated user is somehow making unauthorized requests, which is an authorization problem not an authentication problem.
Steven Huwig  2008-10-27 16:55:23
That's the problem i'm trying to address, I updated the topic to reflect this. How would you suggest authorizing valid requests?
jonnii  2008-10-27 17:29:12
+2  A: 

What's wrong with HTTP Digest Authentication?

S.Lott  2008-10-27 15:29:21
Firstly I'm going to have to use SSL for the requests (which is fine), but it doesn't stop a user logging into the API from a non iPhone device and submitting forged requests.
jonnii  2008-10-27 15:40:43
How can they forge a request via digest authentication? How did they get the current nonce value and create an acceptable digest response?
S.Lott  2008-10-27 16:03:03
They can forge a request because they can create a 3rd party client application that logs into the api, at which point they can submit their own requests. I need to verify the source of the api request.
jonnii  2008-10-27 16:13:34
Why can't you use a client nonce in the response which is a signature string unique to each iPhone?
S.Lott  2008-10-27 16:25:52
When the user logs in we get their device id, so that might work. I'll investigate this and see what I come up with.
jonnii  2008-10-27 16:42:06
If you can read the device id, so can the attacker. It is no complete protection. It does however make the attack difficult which might be good enough. Combine it with extensive logging and you should be able to identify cheating and delete all entries for (and block?) that user.
Johan Öbrink  2009-05-01 19:30:35
A: 

There is a better discussion of this here:

http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service

jonnii  2008-10-31 20:24:42
+2  A: 

The answer is simple: It cannot be done. As soon as you ship any solution to the end user, he or she can allways attack the server it is communicating with. The most common version of this problem is cheating with hi-score lists in Flash games. You can make it harder by embedding some sort of encryption in the client and obfuscating the code... But all compiled and obfuscated code can allways be decompiled and unobfuscated. It is just a matter of how much time and money you are willing to spend and likewise for the potential attacker.

So your concern is not how to try to prevent the user from sending faulty data to your system. It is how to prevent the user from damaging your system. You have to design your interfaces so that all damage done by faulty data only affects the user sending it.

Johan Öbrink  2009-05-01 09:04:32
In this case we're going to be deploying to the iphone, so there is a risk of someone decompiling the code. You raise very valid points in your post about limiting the ability to damage only that users data, in this case they'd be able to cheat in a game, so we need to be able to identify cheaters and deal with them effectively. No easy task.
jonnii  2009-05-01 17:47:21
The only way to secure av game is to run it entirely ön the server and only sending the users actions over the wire. What I usually do is:1. Make cheating difficult2. Save as much information as possible. Cheating is usually reasonably easy to spot so you can delete all entries for that user afterwards.
Johan Öbrink  2009-05-01 19:23:00
If you are developing a GAME, and this is a CHEATING problem, then you have a whole other host of tools available to you - depending on whether it's a game of skill or game of chance. Generally speaking, player performance can be measured statistically and strange patterns can be spotted - that's how many fraud detection systems work in the entertainment industry. Another thing that instantly comes to mind is algorithmic design which introduces certain measurable properties to the game - for example, error accumulation in floating point numbers.
mst  2009-12-29 17:03:08

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.