Simple nonce web service

Posted: Fri Jul 23, 2010 7:47 am
by alex.barylski
I need to expose some JSON data to a remote application (both of which we maintain) and keeping things secure is important.

My idea was to query the web service by simply invoking a URL like:

fetch.php?module=users&something=else

However, I am not totally sure how to proceed with the guarantee that both the client and server web applications share a private key of some sort. Basically my requirement isn't so much to ensure the data transfer is secure, but that the requesting application can actually make the request and expect valid results.

My in-head solution goes something like:

1. Create a private key shared by both apps
2. Send request to server with url like

index.php?ts=736377469876&nonce=NJM9hjHJND7S66tndjydes5

The nonce is generated on the requesting server by sha256 hashing of the timestamp (ts) of the current system using some private key (ie: TEST) as a salt???

Problem is, the receiving server can take its secret key and generate a hash on the timestamp and compare the two hashes for equality, however there is no way to prevent this same set of values from being captured and replayed. Unless I expire the request after a few seconds, the problem with this approach is two distinct physical servers could have wildly different timestamps for current time.

Any other ideas for achieving a simple one time (semi-secure) HTTP request/response???

Cheers,
Alex

Re: Simple nonce web service

Posted: Fri Jul 23, 2010 8:25 am
by josh
Actively refuse requests that use tokens that have been logged as used (log them on the server). I googled your term "nonce" and that's the definition of it (and how I would solve this problem). Or "keep it simple stupid" with SSL and IP whitelisting? :-D

Ironically WMV protocol doesn't send referrers so if you run video hosting you can get hotlinked. I solved it with the same tactic. Served the files thru a PHP script and made it so the "parent" page generates the tokens. Then if someone hotlinked my video with an expired or invalid token I served them "alternative" content lol

PS > Isn't there a security forum for this?

Re: Simple nonce web service

Posted: Sun Jul 25, 2010 5:39 am
by kaisellgren
Use TLS to ensure authenticity, data integrity and data privacy. Then share a secret between the two servers. As long as the secret is strong, no one will be able to request on the behalf of the requesting server unless one of the servers has been compromised.

Re: Simple nonce web service

Posted: Sun Jul 25, 2010 2:00 pm
by Christopher
For validation you probably need to concat data that you pass (like your 'ts' value) with the shared secret -- then hash it. The receiver can duplicate the concat/hash and check it against the 'nonce' hash passed. You can include other values in the concat, like the date for more seed data.

For security you should use SSL.

Re: Simple nonce web service

Posted: Mon Jul 26, 2010 6:19 am
by Mordred
What Christopher says, but:
1. HMAC for signing,
2. include a timestamp (and sign it!) if you need the nonces to expire (i.e. not allow taking data from server 1 today, and giving it to server 2 after a week),
3. keep a list of used nonces on the receiving server to avoid replays (garbage collect expired nonces from time to time to avoid congestion)

(Technically, only if you do step 3 this would be a nonce, otherwise it's just a signature, and the signed data can be replayed to the second server - which might or might not be an issue)
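
The three steps above put together, as an added example that is not part of the original thread: it signs the request with HMAC, checks the signed timestamp against a tolerance window (which also absorbs clock differences between the two servers), and keeps a garbage-collected list of used nonces. The function names, the parameter layout (module, ts, nonce, sig), the in-memory nonce list and the 300-second window are assumptions.

```php
<?php
// Added example; names, parameter layout and the window are assumptions.
const MAX_SKEW = 300; // seconds of clock difference tolerated between servers

// Fixed field order with a separator, so both sides hash the same bytes.
function canonical(array $p): string
{
    return implode("\n", [$p['module'], $p['ts'], $p['nonce']]);
}

// Requesting server: sign module, timestamp and a random nonce.
function sign_request(string $secret, string $module, ?int $now = null): array
{
    $p = ['module' => $module, 'ts' => $now ?? time(), 'nonce' => bin2hex(random_bytes(16))];
    $p['sig'] = hash_hmac('sha256', canonical($p), $secret);
    return $p;
}

// Receiving server. $seen maps nonce => signed timestamp (in memory here;
// a real service needs a store shared by all workers).
function verify_request(string $secret, array $p, array &$seen, ?int $now = null): string
{
    $now = $now ?? time();
    foreach (['module', 'ts', 'nonce', 'sig'] as $k) {
        if (!isset($p[$k]) || !is_scalar($p[$k])) return 'malformed';
    }
    // 1. Constant-time HMAC check before any field is trusted.
    if (!hash_equals(hash_hmac('sha256', canonical($p), $secret), (string)$p['sig'])) {
        return 'bad signature';
    }
    // 2. The signed timestamp must fall inside the tolerated window.
    if (abs($now - (int)$p['ts']) > MAX_SKEW) return 'expired';
    // 3. Drop nonces whose timestamp has left the window (those requests now
    //    fail step 2 anyway), then refuse any nonce still on the list.
    $seen = array_filter($seen, fn($ts) => abs($now - $ts) <= MAX_SKEW);
    if (isset($seen[$p['nonce']])) return 'replay';
    $seen[$p['nonce']] = (int)$p['ts'];
    return 'ok';
}

// Constructed demo values.
$secret = 'constructed-demo-secret';
$seen = [];
$req = sign_request($secret, 'users', 1279900000);
echo verify_request($secret, $req, $seen, 1279900010), "\n"; // first delivery
echo verify_request($secret, $req, $seen, 1279900020), "\n"; // same request resent
echo verify_request($secret, ['module' => 'admin'] + $req, $seen, 1279900020), "\n"; // field altered
echo verify_request($secret, $req, $seen, 1279900000 + 301), "\n"; // outside the window
```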

Re: Simple nonce web service

Posted: Mon Jul 26, 2010 10:26 am
by Christopher
Just looked at HMAC ... great information Mordred.