I was reading about amazon's authentication process, and they use a custom process wich signs each request.
I still don't understand how signing every requests stops from a man-in-the-middle atack, since everyone who sees the request and sees the signature, can issue the same request again.
I would also apreciate if someone shared some bibliography about security or amazon web services or web services in general.
How can SSL help in this situation?
Thanks!
Here's what the documentation has to say. Basically it boils down to the timestamp, and to mitigate against replay attacks, they suggest using SSL.
Authenticating Requests
Requests to AWS are authenticated by verifying information contained within the request. This verification is performed using the information in the following table.
AWSAccessKeyId The sender’s AWS account is identified by the Access Key ID. The Access Key ID is used to look up the Secret Access Key.
Signature Each request to a web service that requires authenticated requests must contain a valid request signature, or the request is rejected. A request signature is calculated using the Secret Access Key assigned to the developer's account by AWS, which is a shared secret known only to AWS and the developer.
Timestamp The date and time the request was created, represented as a string in UTC. The format of the value of this parameter must match the format of the XML Schema dateTime data type.
The second link has this to offer:
The best mechanism for defense against a replay attack is to ensure all your requests are made over an SSL connection. If you cannot use SSL, then the mechanism available to you for prevention of replay attacks is the Expires parameter in signature version 2. This requires your client to be synchronized to atomic time (using NTP, or a similar synchronization protocol). If you do not use the Expires parameter, and rely only on the timestamp parameter, your requests are subject to a request expiration period, which varies by service, but can be as long as 15 minutes.
