0

I need to authenticate users using an api key, but before handling it over to them I need to check their credentials, obviously. I think the process needs to go like this:

client->server: GET /user?username=fred

server->client: nonce=XYXY

client->server: POST /login?hashval={hash(username + password + nonce)}&nonce=XYXY&username=fred

server compares the result of hash(username + passwordFromDB + nonce) with hashval and responds with the API-key if equal

But if there was somebody eavesdropping the connection, although it wouldn't be able to directly discover my user's password, since it already knows the username and the nonce, if the password was easy enough the man-in-the-middle would be able to match my hash by trying all the generic possible values for the password.(brute-force attack)

I know connection over HTTPS and a strong password would make this process secure, but are there any other recommendations or ways of making this process more secure?

Thank you

Yuri Borges
  • 315
  • 4
  • 14

1 Answers1

1

This is basically a form of digest access authentication and as such has its same limitations.

Since all the details to compute the hash are sent along with the hash, the only thing that an attacker needs to "reverse" is the password. If that is weak, then rainbow table or brute force attacks could crack it. The only way to delay an attacker is to have a very long and strong password.

But since you are using an API key for service authentication, as a man-in-the-middle attacker I would let you authenticate with a password and then just get the API key from the response. I assume you use the API key for authentication of the rest of the requests (just like a session cookie is doing for web applications)?

There are of course other variations of securing a service, depending on what you are doing, but actually making it secure means using HTTPS as you mentioned yourself.

Community
  • 1
  • 1
Bogdan
  • 23,890
  • 3
  • 69
  • 61