3

So I'm currently in the process of developing an an app that will be cross-platform. For this reason I want the app to use an external database on a cloud service through a REST API build using the Zend Framework. I researched on how to build a secure REST API, many resources pointed out using a HMAC for authentication. The part that leaves me a little confused is where should the secret key be generated and how should it be shared with both the server and the client?

Is every individual client (As in every user of the app) supposed to get a unique secret key?

If not, I imagine I could do something like this:

  1. Generate Secret key for (e.g.) iOS devices on the server.
  2. Hard code the key in the app
  3. With every request a HMAC is send hashing the secret key, some data and the user id.
  4. I check the user id in the HMAC with the user id send in normal JSON, and if the secret keys match.
  5. execute whatever the user request the user send.

Whenever a third party service would like to use my rest API, I would need to generate a separate secret key specifically for that service.

If every user has to generate a separate secret key, then I have no idea on how I would transfer the key to the server without the risk of a man-in-the-middle attack..

Does this sound about right?

user1026622
  • 901
  • 1
  • 6
  • 13
  • See: [When Do I Set the HMAC Private Key?](http://stackoverflow.com/questions/17386132/rest-authentication-and-hmac-private-key-when-do-i-set-it) & [Embedding the private key in a mobile app](http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/) (Scroll to section Additional Thoughts for APIs) – fionbio Jul 28 '13 at 01:03
  • Didn't expect an answer to this anymore, Thank you very much! – user1026622 Jan 04 '14 at 12:32

0 Answers0