
I have reviewed a lot of information regarding the HMAC approach to securing a RESTful Web API. To prevent a replay attack, the usual recommendation is to use a TimeStamp with a constraint.

But it seems to me that a more straightforward (and fool-proof) approach would be to require a unique time-stamp, where the server accepts a specific time-stamp only once per client, so all requests from a specific client must have a unique time-stamp.

Are there any weaknesses of this TimeStamping approach in comparison to the usual recommendation?

prmph
  • From my point of view allowing a timestamp only once can only increase your security compared to some other timestamp constraint (like 10 minute expiration or whatever). But what do you understand by "the usual recommendation"? – Sandman Sep 21 '14 at 10:12
  • As you alluded to, the usual recommendation is to make sure the Time-stamp falls within a certain range (usually within a few minutes before the server time). This also requires some level of synchronization between the server and client. My question is, why isn't the unique timestamp (actually a nonce) approach recommended more often? – prmph Sep 21 '14 at 22:06
  • Well, maybe the amount of recommendation these approaches get is proportional to the effort they need to be implemented. E.g. A unique timestamp per client would imply some sort of session management, while a simpler timestamp constraint would only require a request filter. – Sandman Sep 21 '14 at 22:27
  • I implemented both simpler and more complex timestamp constraints as mentioned here but I haven't actually read 'literature' heavily. My information was experience based and derived from already running systems which I could study and improve. In the end I guess it's a design / architecture decision with advantages and disadvantages for every approach (and yes, for the simple range check you would have to have some kind of sync between server and client which in a closed network is not always easy :) – Sandman Sep 21 '14 at 22:33

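As an added illustration (not code from the question or the comments), here is a minimal server-side verifier that combines the two approaches discussed: an HMAC-SHA256 signature over a canonical request, a clock-skew window, and a per-client "each timestamp accepted once" store that is pruned by that window so it cannot grow without bound. The canonical string layout, the client key table and the window size are assumptions made for the example.

```python
import hmac
import hashlib
import time

# Constructed demo key table: in practice each client has its own secret.
CLIENT_SECRETS = {"client-a": b"constructed-secret-for-client-a"}
WINDOW_SECONDS = 300  # tolerated clock skew between client and server (assumed)


def sign_request(secret, client_id, ts, method, path, body):
    """Canonicalise the request and compute HMAC-SHA256 over it (assumed layout)."""
    msg = b"\n".join([client_id.encode(), str(ts).encode(),
                      method.encode(), path.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Accepts each (client, timestamp) pair at most once, within a skew window."""

    def __init__(self, window=WINDOW_SECONDS, now=time.time):
        self.window = window
        self.now = now          # injectable clock so the behaviour can be tested
        self.seen = {}          # client_id -> set of timestamps already accepted

    def verify(self, client_id, ts, method, path, body, mac):
        secret = CLIENT_SECRETS.get(client_id)
        if secret is None:
            return False, "unknown client"
        # Check the signature first, so unauthenticated traffic cannot pollute
        # the replay store with timestamps the real client has not used yet.
        expected = sign_request(secret, client_id, ts, method, path, body)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False, "bad signature"
        now = int(self.now())
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        seen = self.seen.setdefault(client_id, set())
        # Prune timestamps older than the window: they would fail the window
        # check anyway, so forgetting them bounds memory per client.
        seen.difference_update({t for t in seen if now - t > self.window})
        if ts in seen:
            return False, "replay: timestamp already used"
        seen.add(ts)
        return True, "ok"
```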