0

I'm writing REST API in PHP and recently I faced with authorization problem. I read a lot about basic authorization, about using private and public keys to create request signature. It is said that using request signature is more secure. But then I have a question:

-How should user will pass public key and generated signature?

I'm thinking about several options:

1) Create custom http header like X-Key, X-Signature

2) Use authorization header with custom scheme, like

AUTHORIZATION: SIGNATURE key='123' signature='abc'

3) Send this values as parameters. But I don't know if it acceptable for methods DELETE and PUT

What would you advice?

p.s. I don't want to implement oAuth

Tamara
  • 2,910
  • 6
  • 44
  • 73

1 Answers1

0

What are the desired properties of authentication scheme? Is this a publicly accessible or an intranet service? Are user accounts linked to something outside of scope of your API (linked 3rd party accounts etc). How are you going to distribute user credentials?

I would probably stick with plain old basic authorization, but encrypt everything at the transport level, making use of HTTPS mandatory. Rolling out your own cryptographic scheme is generally not a good idea. It's easier to fall victim to timing or replay attack than it seems. If you insist on client using a key pair for authentication, you can use HTTPS client certificates (though this is not widely used and maybe somewhat cumbersome solution).

There are a few security concerns about plain-text authentication over TLS. First, if someone implements MITM with forged certificate using either well known CA (maybe a government agency) or CA the client is forced to trust (big evil corporate proxy), they will get credentials. But you can't protect the client from its own environment anyway. Second, basic authentication can be prone to CSRF because browser knows how to do it and can remember credentials if you presented challenge and user filled the form. That's not a big problem if you adhere to REST principles and never allow state-changing GET requests. Also, if you are using JSON, never return arrays.

rkhayrov
  • 10,040
  • 2
  • 35
  • 40
  • Thanks for response. My API will be publicly accessible. User account are not linked to any 3rd party accounts. I'm going to give credentials for accessing API after user will register on my site. What about basic authorization I'm a little worried that user sends credentials in a plain format. We use HTTPS though. But is it enough secure? – Tamara Aug 02 '13 at 14:07
  • When using TLS plain text credentials never appear outside of client machine and your server. That makes them as much protected as 1) client machine (obviously you can't do anything about password stealing trojans); 2) private key on your server; 3) private keys of any CA the client trusts. See updated answer. – rkhayrov Aug 02 '13 at 17:02