How to secure web api request and response by HMAC


  • User264732274 posted

    Just read this article: http://searchcloudapplications.techtarget.com/tip/How-to-secure-REST-API-endpoints-for-cloud-applications

    They said: "Hash-based message authentication code (HMAC) is an option that provides the server and the client each with a public and private key. The public key is known, but the private key is known only to that server and that client. The client creates a unique HMAC, or hash, per request to the server by combining the request data and hashing that data, along with a private key, and sending it as part of a request. The server receives the request and regenerates its own unique HMAC. The server compares the two HMACs, and, if they're equal, the client is trusted and the request is executed. This process is often called a secret handshake."

    I have a few questions about the above write-up.

    1) How can the client combine his request data and hash his full request data? Suppose the client is sending customer data like (custid, name, etc.).

    2) When the client sends a hash of his request data to the server, how could the server generate the same hash of the data sent by the client, since the client will send the hash of his data, not the actual data? Please clarify this point.

    Are they trying to say the client will send his data and also send the hash of that data to the server?

    3) If I follow the above approach, how could I prevent a replay attack? Suppose an attacker captures a request, takes out the private key and hash data, and sends it to the server. Then how can the server understand that the request is coming from the attacker?

    Please help me understand how we can secure API access with HMAC, with an example.

    Thanks

    Friday, December 2, 2016 10:00 AM
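The following is an added worked example, written for this page and not taken from the linked article or from any project. It shows the scheme the article describes end to end: the client sends the actual request data in the clear plus an HMAC computed over a canonical form of that data with a shared secret (HMAC has a single shared secret rather than a public/private pair; the article's wording is loose), and the server recomputes the HMAC from what it received and compares. To address the replay question it also binds a timestamp and a one-time nonce into the signed string and has the server reject stale timestamps and reused nonces; that freshness check is a common practice assumed here, not something the article spells out. All names (the `X-` headers, `CLIENT_ID`, `CLIENT_SECRET`, the `/api/customers` path) and the credentials are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example credentials; a real deployment issues these per client.
CLIENT_ID = "client-123"                              # public identifier, sent in the clear
CLIENT_SECRET = b"example-shared-secret-32-bytes!!"   # known only to this client and the server
ALLOWED_SKEW_SECONDS = 300                            # reject timestamps further from server time than this


def canonical_string(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Build the exact byte string both sides feed into HMAC.

    The body travels in the request as-is; only its SHA-256 digest enters the
    canonical string. Method, path, timestamp and nonce are bound in too, so a
    captured signature cannot be moved to another endpoint or reused later.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(method, path, body, secret=CLIENT_SECRET, timestamp=None, nonce=None):
    """Client side: returns the headers that accompany the (unhashed) body."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp, nonce), hashlib.sha256)
    return {
        "X-Client-Id": CLIENT_ID,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


class ServerVerifier:
    """Server side: recomputes the HMAC from the received data and checks freshness."""

    def __init__(self, secrets_by_client, allowed_skew=ALLOWED_SKEW_SECONDS):
        self.secrets_by_client = secrets_by_client   # lookup of shared secret by client id
        self.allowed_skew = allowed_skew
        self.seen_nonces = set()                     # in production: a shared store with expiry

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        secret = self.secrets_by_client.get(headers.get("X-Client-Id"))
        if secret is None:
            return False, "unknown client"
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed headers"
        if abs(now - timestamp) > self.allowed_skew:
            return False, "stale timestamp"
        # Recompute over the data actually received; any tampering changes the MAC.
        expected = hmac.new(secret, canonical_string(method, path, body, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):   # constant-time comparison
            return False, "bad signature"
        # Only a correctly signed request may consume a nonce, so forged requests
        # cannot burn nonces the legitimate client has yet to use.
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Sign a customer-creation request, then show a replay and a tampered body being rejected."""
    body = json.dumps({"custid": 42, "name": "Alice"}).encode()   # constructed sample data
    headers = sign_request("POST", "/api/customers", body)
    server = ServerVerifier({CLIENT_ID: CLIENT_SECRET})
    first = server.verify("POST", "/api/customers", body, headers)
    replay = server.verify("POST", "/api/customers", body, headers)
    tampered = server.verify("POST", "/api/customers", body.replace(b"Alice", b"Mallory"), headers)
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, "ok")` for the original request, `(False, "replayed nonce")` for the identical request sent a second time, and `(False, "bad signature")` for the edited body. The secret never leaves either party; an observer who captures the request sees only the data, the timestamp, the nonce and the MAC, which answers question 2 (the data is sent alongside its MAC) and question 3 (a captured request cannot be reused once its nonce is recorded or its timestamp ages out).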
