How does the API signature authentication implemented by Mashery work?

Mashery allows authentication through a digital signature as follows:

  • First concatenate the following components:
    • API Key
    • Shared secret
    • UNIX timestamp
  • Then create an MD5 hash of the resulting string.

The documentation states that the unix timestamp requires an accuracy of +/- 5 minutes. Details: http://support.mashery.com/docs/read/mashery_api/20/Authentication

Assuming this is not a trade secret, what is the algorithm for performing such authentication?

In particular, how is this possible when the unix timestamp can change by 5 minutes? The brute force technique may be to compute a signature for each possible timestamp value until a match is found (or not), but this does not seem practical for authenticating frequent API calls.

+4
4 answers

Yes, this is essentially what it is doing. From the documentation link you gave: "Five minutes of wiggle room is allowed on both sides of the current timestamp on the Mashery server to allow for reasonable clock drift." This means they need to check up to 600 hashes in order to determine whether the presented one is valid. 5 minutes is 300 seconds; plus or minus makes 600 checks.

It seems practical to me. 600 MD5s are not much processing. In fact, a modern password validator (for example, something that uses bcrypt) will do a lot more work to verify the password.

+3

Amazon gives a good example of signing a request, in fairly full detail, that should make the mechanics obvious (I understand that this is not Mashery, but I think this is your path or, at least, will help your trip towards API security happiness):

http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html

+2

Mashery can also pre-generate a list of valid signatures or cache each signature on request. The signature is global for all the APIs that Mashery protects for this key / public key, so there is no need to verify an unambiguous API call for each request.

0

sha256 is pretty fast. Even in PHP you can calculate 830K sha256 hashes per second, so they most likely just brute force it.

<?php
$COUNT = 6000000;
$start = microtime(true);
for ($i = 0; $i < $COUNT; $i++) {
    // Hash a fixed string with a varying suffix, the same shape as key+secret+timestamp
    $out = hash('sha256', 'wefjklwfekjlewfjklwefjklfwejkwefjklwfekjl' . $i);
    //print("$out\n");
}
$total = microtime(true) - $start;
print("Time: $total\n");
print("sha256 per second: " . ($COUNT / $total) . "\n");
?>
0

Source: https://habr.com/ru/post/1380071/
