Securing REST API using signature

0
votes

I have some problems to understand how to secure REST API. When a client sign up, the password is hashed and sent to the server through HTTPS. Then, the server store hash(password+privatesalt).

When the client consumes a rest service, he creates the request and a signature HMAC-SHA1 with his own password (like here). Server side, how to sign the request to compare with the client signature if the password is hash-salted in the database ?

I know the data appears in clear over the web, but I just want to authenticate the user.

1
resthashpasswordssignature

1 Answers

0
votes

You are right. If the password is stored hashed & salted on the server side, it is not possible to verify the HMAC computed on the request: a MAC required a shared secret between the client and the server.

Some solutions could be:

  • using a dedicated API key which is not the user password. As far as I know, this is the AWS choice. The password is used for administrative operation on the user account (e.g. changing the billing contact) and the API key is only used by the API client. In this case if this API key is compromised, it is relatively easy to revoke it and generate a new one with a more limited impact on the security.
  • using HTTPS with X509 client certificates. This is a more heavyweight solution and probably more complex to setup. However it is transparent for the API users since the authentication is moved to the transport layer of the protocol.