0

I am misunderstanding something about using HMAC authentication for my RESTful service. The HMAC signature is included in the request header, and this is clear. But what about the body of the request? It's not hashed, so how should we secure it? Does this mean I have to use SSL to hash the body also? As you know, HMAC is a one-way hashing algorithm.

Thanks in advance ...

Wasim

1 Answer

1

Does this mean I have to use ssl to hash the body also

Yes, of course, SSL is a must. SSL is not used for hashing, it's used for encrypting the traffic between the client and the server. That would prevent man-in-the-middle attacks.

Darin Dimitrov
  • OK, thanks a lot. I have one more question: what is the advantage of HMAC hashing over basic (username, password) authentication, if I use SSL as a must? – Wasim Jun 10 '13 at 15:32
  • My understanding is that HMAC is used to safeguard the authenticity of the content of the request in order to prevent man-in-the-middle attacks that try to change the request in some manner. SSL is used to encrypt the data itself. Where I lose clarity is if either of these things are related to authorization of a user/pass. I would expect that is done in whatever oauth-ish library you are leveraging for that purpose? – jaydel Jul 27 '18 at 16:53
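
The question above is about the request body not being covered by the HMAC in the header. One common way to cover it, shown here as an added example that is not part of the original posts, is to put a SHA-256 digest of the body into the string that gets signed, so that a changed body fails verification on the server. The canonical string layout, the `MAX_SKEW` replay window, the secret and the sample request are all assumptions constructed for this example.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds a signed request stays valid (assumed replay window)


def canonical_string(method, path, timestamp, body):
    """Build the bytes that are signed. The layout is an assumption of this example."""
    # The body digest is part of the signed string, so any change to the
    # body changes the expected signature.
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign(secret, method, path, timestamp, body):
    """Client side: compute the value sent in the signature header."""
    message = canonical_string(method, path, timestamp, body)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, method, path, timestamp, body, signature, now):
    """Server side: recompute the HMAC over the received request and compare."""
    if abs(now - timestamp) > MAX_SKEW:
        return False  # stale or future-dated request, treated as a replay
    expected = sign(secret, method, path, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample request, not taken from the page.
SECRET = b"constructed-demo-secret"
BODY = b'{"amount": 10, "to": "alice"}'
TAMPERED_BODY = b'{"amount": 9000, "to": "mallory"}'
TS = 1700000000

if __name__ == "__main__":
    sig = sign(SECRET, "POST", "/transfer", TS, BODY)
    print("original body :", verify(SECRET, "POST", "/transfer", TS, BODY, sig, TS + 5))
    print("tampered body :", verify(SECRET, "POST", "/transfer", TS, TAMPERED_BODY, sig, TS + 5))
    print("replayed late :", verify(SECRET, "POST", "/transfer", TS, BODY, sig, TS + 3600))
```

The signature gives integrity and authenticity only; the body is still readable on the wire unless the connection is encrypted.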