Hey there,
Our application consists of a REST web service running on App Engine and a flash client. We need to make sure that only our client can make requests to the web service and to prevent situations like replay attacks.
I'm not a security expert (by far) so I'd like some advice with the security scheme I came up with.
The system will use a shared secret. The same key will be shared by the server and the client. I know that if the key gets exposed (e.g. by reverse engineering the flash client) the whole system goes down. Initially the client makes a login request to the server. The server responds with a challenge (a random number). The client sends back the HMAC-SHA1 digest of the challenge. If the digest matches the one the server it sends back the timestamp. The client will use this timestamp in the message (and message digest -- HMAC-SHA1) to mitigate replay attacks.
Baiscally this is it. Does it make sense? What would a tolerable time delta be for the timestamp when the server looks at a message (I was thinking somewhere around 30 seconds)? Any other comments?
EDIT: Oh, and what would make a good method of generating the secret keys?
Thanks.
Cheers, Alex