I've been working all day and night so my mind is semi-fried...but...
I have two servers:
A. Is a consumer of web services
B. Is a provider of web services
A: Is given a secret key which it must pass along with each request to B when it wishes to receive data back. This key is shared between the two servers and as long as the key is identical the provider returns a result to the consumer, which it then does with as it pleases.
Great but unless SSL is enabled...interception of that key is a possibility. So:
1. Use SSL -- no thanks, way too much processing going on
2. Use some session technique where the consumer uses the KEY to gain a temporary SID
The latter is what I am trying to figure out (if it's feasible or not). I will probably have a better understanding tomorrow but using encryption of any kind is out of the question. Basically that key needs to be used once per session to minimize interception...then I thought...
If server A and server B are both known to have fixed IP addresses could it not be assumed then that any incoming request to server B (provider) given the IP address of server A (consumer) is indeed the real consumer? Sure the IP address can be spoofed but the server (provider) would return results and for what? If you spoofed the IP the results would not reach you but they would indeed go back to the consumer server and likely just be dropped...so unless you were also intercepting packets between these two points AND spoofed the IP you wouldn't end up with much.
If someone has managed to intercept traffic...regardless of what solution I use the data is seen. I would have to use private key encryption like Blowfish or similar or public key like SSL. Neither of which would be very good, except at securing the request.
Ugh....maybe I should just encrypt the data using the secret key and be done with it...a session approach would not stop anyone from sniffing packets it would only prevent requests from being sent to anonymous servers but if the IP of both servers is known...I could just check to ensure calling server IP is the right one for the given key. This way I avoid encryption and only risk people intercepting the data...in which case I could have encryption just in case someone requires it.
Anyways...does everything I said make sense...after listening to me babble/brain dump...does the conclusion I have finally come to make sense? Using IP validation only UNLESS greater security is needed in which case secret key encryption would be used as well???
Cheers
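
The provider-side check the post arrives at (a key bound to the consumer's fixed IP, combined with option 2's temporary SID), as an added example that is not part of the original post. The key, addresses, TTL and function names are constructed for illustration, and `remote_ip` is assumed to be the peer address of the TCP connection, never a value taken from a request header.

```python
import hmac
import secrets
import time

# Constructed sample data: shared key -> the consumer's fixed IP address.
CONSUMERS = {"s3cr3t-key-for-server-A": "203.0.113.10"}
SESSION_TTL = 300  # seconds a temporary SID stays valid (assumed value)
_sessions = {}     # sid -> (consumer_ip, expiry timestamp)


def open_session(key, remote_ip, now=None):
    """Exchange the shared key for a temporary SID, once per session."""
    now = time.time() if now is None else now
    for known_key, allowed_ip in CONSUMERS.items():
        # Constant-time comparison so response timing does not leak the key.
        if hmac.compare_digest(key.encode(), known_key.encode()):
            if remote_ip != allowed_ip:
                return None  # right key, but not from the registered address
            sid = secrets.token_urlsafe(32)  # unguessable, unrelated to the key
            _sessions[sid] = (remote_ip, now + SESSION_TTL)
            return sid
    return None  # unknown key


def authorize(sid, remote_ip, now=None):
    """Accept a data request only for a live SID from the address that opened it."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return False
    ip, expiry = entry
    if now >= expiry:
        del _sessions[sid]  # expired: the consumer must present the key again
        return False
    return remote_ip == ip
```

Nothing here is encrypted, so the key (once per session) and the SID still cross the wire in the clear; the SID only limits how often the long-lived key is exposed and how long a captured token stays useful.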