If I append an HMAC to the auth token then the token cannot be tampered with. I notice many articles also recommend encrypting the token (which contains user id, expiration date and hash). What is the point of encrypting? Isn't that a waste of CPU time? (You have to decrypt the token for each request.) If it is not encrypted, anyone can see the user id and expiration date. What is the harm there?
Comments:

- Can you point out a few articles? – allprog Jun 14 '13 at 16:08
- Here's one: http://eversystems.eu/Document/15/Sessionless_Authentication_with_Encrypted_Tokens – User52016 Jun 14 '13 at 16:12
- And another one: http://ezinearticles.com/?Sessionless-Authentication-With-Encrypted-Tokens&id=3537025 – User52016 Jun 14 '13 at 16:13
1 Answer
Using only HMAC is a viable option: http://c2.com/cgi/wiki/wiki?HmacUserAuthentication
But note the entry under disadvantages:

> No privacy. If you need privacy, you need full encryption: use SSL. HmacUserAuthentication is for security of service provision, not privacy.

So encryption is a requirement if you use a plain connection. In the case of SSL, the additional encryption is needed only if you want to prevent the end user from reading the token.

allprog
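The following is an added example, not code from the question, the answer, or the linked articles. It builds the token the question describes (user id plus expiration, authenticated with HMAC-SHA256) and shows the two properties the answer separates: the tag stops tampering and enforces expiry, yet anyone holding the token can read the user id and expiration without the key, which is exactly the "no privacy" point. The key, field names (`uid`, `exp`) and `payload.tag` layout are assumptions of this example; a real deployment would load a random secret from a key store and, if the payload must stay hidden from the bearer, encrypt it with an authenticated cipher rather than rely on HMAC alone.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: in practice load a random 32-byte secret from a secret store.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(user_id: str, ttl_seconds: int, key: bytes, now: Optional[float] = None) -> str:
    """Return 'payload.tag' where tag = HMAC-SHA256(key, payload).

    The payload is only base64-encoded, not encrypted: it is readable by anyone.
    """
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token: wrong number of parts or bad base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)  # only reached for a payload we issued
    if claims["exp"] <= now:
        return None  # expired
    return claims


def peek_payload(token: str) -> dict:
    """What the bearer, or anyone who sees the token on a plain connection, can read with no key."""
    return json.loads(_unb64(token.split(".")[0]))


def rewritten_user_id(token: str, new_user_id: str) -> str:
    """Re-encode the payload with a different user id but the original tag.

    Used below only to show that verify_token rejects it: the tag no longer matches.
    """
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["uid"] = new_user_id
    altered = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(altered)}.{tag_b64}"


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed fixed clock so the run is reproducible
    tok = issue_token("alice", 3600, DEMO_KEY, now=issued_at)
    print("token:", tok)
    print("readable without key:", peek_payload(tok))
    print("valid:", verify_token(tok, DEMO_KEY, now=issued_at + 100))
    print("expired:", verify_token(tok, DEMO_KEY, now=issued_at + 3600))
    print("wrong key:", verify_token(tok, b"other-key", now=issued_at + 100))
    print("altered uid:", verify_token(rewritten_user_id(tok, "bob"), DEMO_KEY, now=issued_at + 100))
```

Running the script shows `peek_payload` returning the user id and expiry with no key at all, while every altered, expired or wrong-key token comes back as `None`. That is the trade-off the answer describes: HMAC gives integrity and expiry enforcement cheaply, and confidentiality has to come from TLS on the wire or from encrypting the payload if the bearer must not read it.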