Tagged: Authentication, HMAC, Security, Validation, Web Security
Posted by Aruorihwo (@aruorihwo) on February 4, 2020 at 4:07 pm
Security can never be overemphasized. You cannot be taken as a serious web developer if you are not concerned about securing your website or web application. In fact, securing data is one of the most important and crucial topics today. Why? No one wants their data falling into the wrong hands. Someone might ask, “Wrong hands? Is this a Bond movie?” Well, wrong hands might not be an evil mastermind. It may just be someone not authorized to view that piece of data. If your medical records get to your car technician, he is, in this case, wrong hands.
There exist many ways of securing your web application. One of the most popular is basic authentication. Basic authentication basically uses a username and a password to authenticate the person requesting information. So this means that, to get any data from your server, the requester would have to pass this encoded information in what is called a “digest”. This is then validated before a response is given. The main challenge with this method of securing your application is that the digest typically remains the same. Therefore, if anyone gets their hands on the digest, they could pretend to be you and make requests on your behalf without your permission. This is why you should never use basic authentication outside a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection.
HMAC Hero!
This is where HMAC Authentication comes to the rescue. HMAC simply means Hash-based Message Authentication Code and is a process for creating a Message Authentication Code with the implementation of a Hash function. It is a form of authentication that adds the right amount of spice needed to make securing our web application more delicious.
(source: Wikipedia)
As the name “HMAC” implies, it provides a hash of the authentication constants (i.e. the username and password) and some extra information to request data from the server. This extra information is usually the specific URI (or link) being requested, the request method (POST, GET, PUT, etc.), a timestamp of when the request was made and a nonce (one-time expression or code). Why all these extras? I’ll explain why below.
Limiting Access
The first extra information is the URI and the request method. Supplying the URI ensures that the request is limited to only a specific area of the application. So if a request is “…/customer/address”, the request is limited to only that resource and therefore can’t access “…/employer/payroll”. The request method ensures that the requester is aware of the type of resource they are trying to access.
Decaying Requests
Second on the list of extras is the timestamp. The timestamp helps to create a form of “decaying” request. A lifespan for the request is specified, and any request whose timestamp exceeds the specified lifespan is seen as a decayed request and therefore will not be replied to.
No Replays
Third is the nonce. A common form of attack on security is the “Replay Attack”. This is when a request is sent again by an authorized party. This attack can be used to consume a server’s resources by handling the same request multiple times and therefore lead to a denial of service to actual authorized parties. The nonce acts as a form of label for a request, and the validation knows not to respond to a label it has seen before.
In conclusion,
HMAC validation is a very secure means of authentication or validation that utilizes authentication constants and some extra information from the request to create a hashed message authentication code which cannot easily be cracked, replayed or deciphered. This makes HMAC authentication very powerful and very much worth the effort. Even if a request is intercepted for any reason, it can’t be replayed. And even if by some great magic it is replayed, it is limited to a particular resource for a short period of time, as the request is a decaying request. This is exactly what the whole fuss about HMAC is about. And if you still haven’t implemented it, what are you waiting for?
NB: This is an introductory article about HMAC validation, so you can have an idea of what it really is before I delve into more detailed guides on its implementation. You will find all my HMAC articles here.
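The scheme the post describes (signing the method, URI, timestamp and nonce with a shared secret, then rejecting expired and replayed requests on the server) as an added, runnable example; this is illustrative code written for this page, not the author's implementation, and the secret, canonical string layout, 300-second window and the in-memory nonce set are all assumptions.

```python
import hashlib
import hmac
import time
import uuid

SECRET = b"constructed-shared-secret"  # constructed sample; shared by client and server
MAX_AGE_SECONDS = 300  # assumed lifespan after which a request is "decayed"

def canonical_string(method: str, uri: str, timestamp: int, nonce: str) -> bytes:
    # Everything the server will check is bound into the signed message,
    # so changing the URI or method invalidates the signature.
    return f"{method.upper()}\n{uri}\n{timestamp}\n{nonce}".encode()

def sign_request(secret: bytes, method: str, uri: str, timestamp: int, nonce: str) -> str:
    return hmac.new(secret, canonical_string(method, uri, timestamp, nonce), hashlib.sha256).hexdigest()

class Verifier:
    """Server-side validation: decaying window, signature check, then replay check."""

    def __init__(self, secret: bytes, max_age: int = MAX_AGE_SECONDS):
        self.secret = secret
        self.max_age = max_age
        self.seen_nonces = set()  # assumption: a shared store with expiry in a real deployment

    def verify(self, method, uri, timestamp, nonce, signature, now=None) -> str:
        now = time.time() if now is None else now
        # Decaying request: reject anything outside the allowed window.
        if abs(now - timestamp) > self.max_age:
            return "expired"
        # Constant-time comparison so the check itself leaks no timing information.
        expected = sign_request(self.secret, method, uri, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return "bad_signature"
        # Replay: a nonce is only remembered once the signature is valid.
        if nonce in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(nonce)
        return "ok"

def make_signed_request(method: str, uri: str, now=None) -> dict:
    # Client side: fresh timestamp and nonce for every request.
    timestamp = int(time.time() if now is None else now)
    nonce = uuid.uuid4().hex
    return {"method": method, "uri": uri, "timestamp": timestamp, "nonce": nonce,
            "signature": sign_request(SECRET, method, uri, timestamp, nonce)}

if __name__ == "__main__":
    v = Verifier(SECRET)
    req = make_signed_request("GET", "/customer/address")
    print(v.verify(**req))  # "ok" on first use, "replay" if the same dict is sent again
```

Because the URI is part of the signed string, a signature captured for `/customer/address` fails with `bad_signature` when presented for `/employer/payroll`, which is the "limiting access" property the post describes.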