REST API authentication: how to prevent man-in-the-middle replays?

I am writing a REST API and would like to implement an authentication system similar to AWS.

http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html

Basically, on AWS the client encrypts the Authorization header from some of the request data using a secret key that is shared between the client and the server. (Login: AWS user :)

The server decrypts the header using the shared key and compares the result with the request data. If they match, the client is legitimate (or at least holds a legitimate key).

The next step may be to fulfill the request or, preferably, to send the client a unique time-limited token (for example, valid for 30 minutes) to be used in the actual requests (for example, passed in a Token header). This token cannot be decrypted by the client (it uses only the server's key).

In subsequent requests the server checks the token (rather than the Authorization header) and allows the request to be executed.

However, is it possible for a man-in-the-middle, even on an SSL-encrypted connection, to replay these authenticated requests? Even if the MITM does not know what is inside the message, it can cause damage, for example by placing an order many times. If the server receives a replayed message while the token is still within its validity window, it will treat it as a valid request and execute it.

AWS tries to solve this problem by requiring a timestamp:

A valid time stamp (using either the HTTP Date header or an x-amz-date alternative) is mandatory for authenticated requests. Furthermore, the client timestamp included with an authenticated request must be within 15 minutes of the Amazon S3 system time when the request is received. If not, the request will fail with the RequestTimeTooSkewed error code. The intention of these restrictions is to limit the possibility that intercepted requests could be replayed by an adversary. For stronger protection against eavesdropping, use the HTTPS transport for authenticated requests.

, 15 , ? ? , , ?

. MITM . , (: POSTS , POST DELETE ).

. , , . , cnonce , , . , cnonce . Cnonce ( ) . ( SSL), , ( , temp). ( ).


A , , , . . , .

, , . nonce .

nonce , . .

, , microtime, .

  • . , , , , , nonce.
  • . , , , "post" , .

Source: https://habr.com/ru/post/1526375/


All Articles