security - How to implement HMAC-SHA authentication from scratch? -


i implement authentication web app api using similar technique aws signature process. server render html user web browser clients. app return json non-browser clients (iphone, android, blackberry, ipad, etc.) trying write authentication code allow single user signed (remembered) in app multiple clients. logging out 1 client should not revoke token/cookie other clients.

  1. when user sign or logs in, how client (native mobile client or web browser especially) private/secret key? understanding key should not sent on network? can sent on ssl?

  2. for browser clients private key stored in cookie or in other form of local storage?? i.e. generic api token authentication token stored in cookie on browser , in db on phone

  3. when client browser, how sign request signature private key? i.e. generate hash of id + private key + request. native mobile clients or server server communication believe there libraries can used generate signed request. when request originates browser how work?

  4. if user required remembered on multiple clients (tablet, iphone, work computer, home laptop, etc.) user need have set of private keys/tokens each client?

i have used devise rails requires write own token authentication code.

i looking @ oauth, questions 2 , 4 both apply to, investigate aws method.

you start solution (hmac) not think "problem" fits solution :).

i'll try answer best of knowledge.

  1. to understanding ,a private key derived of public key shared. or share private key, if authentication established (in other words: know sure talking to) , connection secured (encrypted). still vulnerable man in middle attacks though.
  2. i'm not sure. cookie not secure. steal cookie, steal private key. preference locally stored key(file or storage), encrypted password.
  3. you have devise sort of client side library (in javascript or it).
  4. yes.

why share keys when share token, oauth implements. token generated application , valid limited time. way share access, not means aquire access application. login username , password (or keyfile) , token grants access untill token revoked.


Comments

Popular posts from this blog

Android layout hidden on keyboard show -

google app engine - 403 Forbidden POST - Flask WTForms -

c - Why would PK11_GenerateRandom() return an error -8023? -