4

as restful web api server, we supply our client a clientid and password. I think it is enough for the client to use clientid + hMAC(clientid hashed by password) for the authentication.

I have looked through some documents which advise to use Time stamp or even more information for the base string. I just cannot understand the meaning of that.

Could any guru help explain what exactly the time stamp would help for preventing attack or anything else?

James Rao
  • 168
  • 2
  • 13

1 Answers1

8

The issue is that without a timestamp any signed message is valid forever. If an attacker managed to capture a message they could replay it infinitely even without compromising your secret used to sign the message.

If you add a timestamp then a message will expire after a short time and prevent this. You would chose how long to honor timestamps for in the server application. When you do remember to consider "future" time because the clients' click might be slightly ahead of your and appear in the future to your application.

BlargleMonster
  • 1,602
  • 2
  • 18
  • 33
  • so the time stamp is actually helpful to protect the secret since if time changes, the hMac changes accordingly. if without time stamp, attacker would not care about the secret since the hMac is always the same. Is that right? – James Rao May 11 '16 at 00:23
  • 1
    but in case the attacker can capture the message even encrypted with time stamp, he can still simulate the exact same message. so what is the meaning of this kind of encryption? – James Rao May 11 '16 at 00:25
  • 1
    This isn't encryption, the message is readable by anyone who gets a copy. The point of hmac signing is to be able to validate the message came from a trusted source and hasn't been tampered with. With the timestamp the attacker would only be able to repeat the message for a short period of time making it much harder to exploit. They would need to compromise messages being sent in real time instead of being able to brute force something like captured old HTTPS traffic to get your messages. – BlargleMonster May 11 '16 at 11:26
  • Thanks Blargle. That does make sense. – James Rao May 11 '16 at 23:15
  • What if an authentication server supplies the API key expiration time based on a local security policy? – Gonçalo Peres Apr 14 '22 at 13:54
  • @GonçaloPeres that would eventually make the request invalid by causing the key that was used to sign the message to expire. However keys are typically issued for long periods of time like a year. It's much better to create messages that expire in minutes or hours than in months or years as a side effect of a key expiring. – BlargleMonster Apr 15 '22 at 17:00