RemoteAuth Secure

Registered by Lars Vierbergen

This blueprint has been superseded. See the newer blueprint "Require authentication for REST resources" for updated plans.

Make the API-key exchange secure by using HMAC
Scheme:

RP: $h=md5(API)
OP: $h=md5(API) (Database)

RP -> OP: Initialize
OP: session_start(); $salt=rand(); $_SESSION['salt']=$salt;
OP -> RP: $salt,sessid
RP: $auth=hmac($h,$salt);
RP -> OP: $auth,sessid
OP: $auth==hmac($h,$salt)?$_SESSION['auth']=true : $_SESSION['auth']=false;
OP -> RP: OK,sessid
RP: Client api-calls / OP: Server responses
RP -> OP (Finished): kill,sessid,$salt
OP: Check salt, session_destroy();
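The exchange in the scheme above, as an added PHP example that is not part of the original blueprint or the project's code: it simulates RP and OP in one process, with a `$sessions` array standing in for `$_SESSION`. Assumptions: HMAC-SHA256 for `hmac()`, `random_bytes()` in place of `rand()`, `hash_equals()` in place of `==`, a constructed API key, and hypothetical function names.

```php
<?php
// Added example: both sides of the blueprint's exchange in one process.
// $sessions stands in for the OP's server-side $_SESSION storage (assumption).

// OP: "Initialize" -> create a session and a fresh salt (the challenge).
function op_initialize(array &$sessions): array {
    $sessid = bin2hex(random_bytes(16));
    // random_bytes() replaces the blueprint's rand(), whose output is predictable.
    $salt = bin2hex(random_bytes(16));
    $sessions[$sessid] = ['salt' => $salt, 'auth' => false];
    return [$salt, $sessid];
}

// RP: $auth = hmac($h, $salt) with $h = md5(API), as in the scheme.
function rp_respond(string $apiKey, string $salt): string {
    return hash_hmac('sha256', $salt, md5($apiKey)); // SHA-256 is an assumption
}

// OP: recompute the HMAC from the stored md5(API) and compare.
function op_verify(array &$sessions, string $sessid, string $auth, string $storedHash): bool {
    if (!isset($sessions[$sessid]) || $sessions[$sessid]['auth']) {
        return false; // unknown session, or this challenge was already answered
    }
    $expected = hash_hmac('sha256', $sessions[$sessid]['salt'], $storedHash);
    // hash_equals() compares in constant time, unlike ==.
    $sessions[$sessid]['auth'] = hash_equals($expected, $auth);
    return $sessions[$sessid]['auth'];
}

// OP: "kill" -> check the salt, then destroy the session.
function op_kill(array &$sessions, string $sessid, string $salt): bool {
    if (!isset($sessions[$sessid]) || !hash_equals($sessions[$sessid]['salt'], $salt)) {
        return false;
    }
    unset($sessions[$sessid]);
    return true;
}

$sessions = [];
$apiKey = 'constructed-demo-api-key'; // constructed sample value
$stored = md5($apiKey);               // what the OP keeps in its database

[$salt, $sessid] = op_initialize($sessions);
var_dump(op_verify($sessions, $sessid, rp_respond($apiKey, $salt), $stored));       // correct key
[$salt2, $sessid2] = op_initialize($sessions);
var_dump(op_verify($sessions, $sessid2, rp_respond('wrong-key', $salt2), $stored)); // wrong key
var_dump(op_verify($sessions, $sessid2, rp_respond($apiKey, $salt), $stored));      // response for another session's salt
var_dump(op_kill($sessions, $sessid, $salt));                                       // teardown with matching salt
```

Because the OP verifies against the stored `md5(API)`, that stored value works as the shared secret: anyone who can read it from the database can compute a valid `$auth` without knowing the API key itself.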

Blueprint information

Status: Complete
Approver: None
Priority: Medium
Drafter: None
Direction: Approved
Assignee: Lars Vierbergen
Definition: Superseded
Series goal: Declined for 3.x
Implementation: Not started
Milestone target: None
Completed by: Lars Vierbergen

Whiteboard

Too little security gain and too much work.
API keys are linked to an IP, so the attacker should use the same IP to use the API-key, and he must be able to intercept it before he can use it.
It is more probable that API-keys are compromised by storing them in plain-text in a database.
