
How HMAC authentication works for web api

tri_inn


8y

I was just reading an article on Web API with HMAC authentication at this URL: http://www.piotrwalat.net/hmac-authentication-in-asp-net-web-api/

If possible, could someone briefly discuss what HMAC authentication is and how this type of authentication works for a Web API?

What I understood from their article is that the client will have a secret key, and when the client requests the Web API service it will send a hash of the secret key along with the request; the web service will compare the hash and, if it matches, allow the action to be called?

If I understood correctly, then I have some questions. Suppose I am sending a hash of a secret key to the Web API; how does the Web API know what key the client has? Because if the Web API has to generate the hash of the secret key that the client used, for comparison at the service end, then the Web API has to know which client is sending the data.

There is a chance of a replay attack with HMAC authentication for a Web API.

The article raises some points, which are not clear to me, about preventing the chance of a replay attack with HMAC authentication for a Web API.

The points are:

Imagine a malicious third party intercepts a valid (properly authenticated) HTTP request coming from a legitimate client 
(eg. using a sniffer). Such a message can be stored and resent to our server at any time enabling attacker to repeat operations
performed previously by authenticated users. Please note that new messages still cannot be created as the attacker does not
know the secret nor has a way of retrieving it from intercepted data.

1) requests with different Date header values will have different signatures, thus attacker will not be able to modify the timestamp

We will generate the hash based on the secret key, so how does the date come into the scene? This point is not clear to me.

2) we introduce a requirement that no http request can be older than X (eg. 5) minutes - if for any reason the message is
delayed for more than that it will have to be resent with a refreshed timestamp.

Point two is not clear. What does this part mean: "delayed for more than that it will have to be resent with a refreshed timestamp"?
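An added example (not code from the original post or from the linked article, and in Python rather than ASP.NET) that shows the mechanism behind both questions: the client sends its client id in the clear so the server can look up the same shared secret, the Date header is part of the signed string, and the server rejects any request whose Date is outside a 5-minute window. The key store, the header layout and the `seen` replay cache are assumptions of this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed key store: the server finds the secret by the client id that travels
# in the clear in the Authorization header; the secret itself is never sent.
KEYS = {"client-42": b"constructed-shared-secret"}
MAX_AGE = timedelta(minutes=5)  # "no request can be older than X (eg. 5) minutes"
HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"


def canonical(method, path, date, body):
    # Everything the MAC covers. The Date header is part of it, so a changed
    # timestamp no longer matches the signature the client produced.
    return "\n".join([method.upper(), path, date, hashlib.sha256(body).hexdigest()])


def sign(client_id, secret, method, path, body, when):
    """Client side: build the Date and Authorization headers for one request."""
    date = when.strftime(HTTP_DATE)
    mac = hmac.new(secret, canonical(method, path, date, body).encode(), hashlib.sha256).digest()
    return {"Date": date,
            "Authorization": f"HMAC {client_id}:{base64.b64encode(mac).decode()}"}


def verify(headers, method, path, body, now, seen):
    """Server side: return (accepted, reason). `seen` is a hypothetical cache of
    signatures already accepted inside the window (prune it as entries age out)."""
    try:
        scheme, cred = headers["Authorization"].split(" ", 1)
        client_id, sig_b64 = cred.split(":", 1)
        sent = datetime.strptime(headers["Date"], HTTP_DATE).replace(tzinfo=timezone.utc)
        mac = base64.b64decode(sig_b64, validate=True)
    except (KeyError, ValueError):
        return False, "malformed"
    if scheme != "HMAC" or client_id not in KEYS:
        return False, "unknown client"
    if abs(now - sent) > MAX_AGE:  # delayed or old capture: must be resent with a fresh Date
        return False, "stale timestamp"
    expected = hmac.new(KEYS[client_id], canonical(method, path, headers["Date"], body).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, "bad signature"
    if sig_b64 in seen:  # exact re-send of an accepted request inside the window
        return False, "replayed within window"
    seen.add(sig_b64)
    return True, "ok"
```

The `seen` cache goes one step beyond the two points quoted above: the Date window alone still allows an intercepted request to be replayed inside those 5 minutes, so the server also remembers which signatures it has already accepted during that window.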

Answers (1)
Javeed M Shaikh


NA 7.8k 69.7k 12y
Not sure if this is what you are looking for...

// THIS IS THE CODE I HAVE:
private void ButtonAddOrder_Click(object sender, EventArgs e)
{
    StreamWriter myWriter = new StreamWriter("customer.txt");
    myWriter.WriteLine(txtName.Text);
    myWriter.Close();

    if (addOrder == DialogResult.Yes)
    {
        // why don't you call a function here... like MyFunc()
        MyFunc();
    }
}

private void MyFunc()
{
    // DO COMMON TASK HERE
}
Accepted
Javeed M Shaikh


NA 7.8k 69.7k 12y
Great that it worked for you; also, you are not stupid: any question, big or small, is legit.
Dillon Goeda


NA 22 6.8k 12y
I think I know what you mean... I create a function or procedure, then call it in both the button and the if statement!!! Thanks man!!! Lol, I'm stupid....
Javeed M Shaikh


NA 7.8k 69.7k 12y
Hi Dillon,

Your question is not clear; maybe you can elaborate more or give us some examples. From what I understand, you want to write a common routine and call it on any event, like a button click, etc. So I am not sure: can you just create a Sub/Function, pass the object as the parameter, and run your routine based on the object's decision?