Can you securely authenticate a request over IP?

I am currently integrating a NAB Transact gateway into an e-commerce store. Once the payment has been processed, the NAB Transact system sends a POST request to our endpoint to process the result.

The problem is that the POST request does not contain a secure hash / token which we could send back to the NAB Transact system to verify that the request is authentic and not spoofed. Worse, the NAB Transact system does not even have an API for authenticating any information, essentially very poor security!

Is there any way to securely authenticate these requests? For example, checking that requests come from a list of known IP addresses that are associated with the NAB Transact system? Or a reverse IP lookup? What are the options, and how would I implement this in PHP?

Isn't relying on IP authentication insecure, because it can be tampered with?

+4
2 answers

The problem is that the POST request does not contain a secure hash / token that we can use to send back to the NAB Transact system to authenticate that the request is real and not fake

Yup - that problem is ok :)

Isn't relying on IP authentication insecure, as it could be faked?

It is NOT AT ALL safe!

0

IP-based authentication is great if:

  • you know the list of IP addresses (i.e. those used by the payment provider)
  • the IP addresses are static (obviously, but if the request is actually sent by the provider, and not, for example, through a hidden form on the "successful payment" page in this case)
  • they will immediately notify you of any changes (or your script may reject valid requests or accept requests from IP addresses that are no longer used by the provider)
  • all systems that can use an IP address (that is, the payment provider's servers, assuming that the data center is not using some crappy network setup) are trusted enough to not send any false notifications.

Faking the source IP address is not possible because TCP uses a three-way handshake, and with a fake IP address the handshake does not work.

So, basically: IP authentication is acceptable if some basic criteria are met (see above), but, of course, it would be safer if they provided you with a way to check the notification, either by calling an API on their side or by using cryptographic signatures (better, since it cannot fail due to an unavailable remote server).

+1
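
An allowlist check of the kind this answer describes, sketched in PHP as an added example (not code from the original post or from NAB Transact). The allowlist ranges and the function names `ip_in_cidr` and `is_gateway_request` are assumptions for illustration; the real addresses have to come from the payment provider.

```php
<?php
declare(strict_types=1);

// Placeholder ranges from documentation address space; replace them with the
// addresses your payment provider confirms (the page does not list them).
const GATEWAY_ALLOWLIST = ['203.0.113.10', '203.0.113.64/27', '2001:db8:10::/48'];

// True if $ip lies inside $cidr (single address or address/prefix, IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input, or IPv4 compared against IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = $max;                       // bare address: exact match
    } elseif (!ctype_digit($bits) || (int) $bits > $max) {
        return false;                       // malformed prefix length
    }
    $bits  = (int) $bits;
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;                       // whole bytes of the prefix differ
    }
    $rem = $bits % 8;
    if ($rem === 0) { return true; }
    $mask = (0xFF << (8 - $rem)) & 0xFF;    // compare the remaining high bits
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function is_gateway_request(array $server, array $allowlist = GATEWAY_ALLOWLIST): bool
{
    // REMOTE_ADDR is the TCP peer address; X-Forwarded-For and similar headers
    // are sent by the client and are ignored here.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    foreach ($allowlist as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

// In the endpoint: if (!is_gateway_request($_SERVER)) { http_response_code(403); exit; }
```

If the endpoint sits behind your own reverse proxy or load balancer, `REMOTE_ADDR` is that proxy's address, so the check has to run at the proxy or use a forwarded address taken only from that trusted hop.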

Source: https://habr.com/ru/post/1382396/

