How does a user get a secret key at login, and where can it be stored at the client so that it is safe (HMAC)?
-
I've read numerous articles about using HMAC and the secret key for client authentication in a RESTful client (JavaScript) application today. Still, I don't find a single source that is able to transparently explain to me a process that fills the security gaps in the theory.

The secret key is supposed to be secret, which means that only that specific client and the server should know about the key. Since the secret key should not be transferred over the network, it should be sent over a secure medium such as email. I will not use SSL/TLS, so sending the secret key as a response from the server at login is not an option. When questioning security, it makes no sense to me. The only reason why the user would access his email for my application would be on registration (to activate the account).

My first thought is that a cookie is not safe, but is there another way to store the secret key on the client? When the user clears his cookies, the secret key is lost. It doesn't feel very logical to send another email with a new secret key every time the cookies are gone; that wouldn't make any sense to the user. The user will use multiple clients, and a separate secret key should be generated for each client. Setting the key on registration does not sound like an option.

The only thing that would make sense to me is that the client gets its hands on the secret key when the user logs in, as there is no reason to keep the key when the user logs off (or after a certain expiry time). So the question is easy: how does the user get the secret key at login, and where is it stored at the client so that it is safe? I feel a bit surprised that I cannot seem to figure this out. Lots of answers on the same question seem to beat around the bush, but never hit the sweet spot that makes me understand.
-
Answer:
From all the sources I've read, from security.stackexchange, and from a friend who has extensive technical experience in the field, it is now clear that there is absolutely no way around using SSL. HMAC requires a secret symmetric key to be present at both server and client before a request is made, and there really isn't any practical, safe alternative to get this key to the other side. Since using SSL/TLS is required anyway, there isn't really a need to use HMAC, and Basic Auth or using a time-limited token will do.
Kim Gysen at Quora
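The time-limited token the answer recommends, as an added example that is not part of the question or of Kim Gysen's answer. It shows the point the answer makes: once the channel is TLS, the server can keep a single HMAC key that never leaves it and hand the client a signed, expiring token at login instead of a per-client secret. The function names `issue_token`/`verify_token`, the 15-minute default lifetime, the `sub`/`exp` claim names and the user id are assumptions made for this example; the key is generated at import time for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side HMAC key. Generated here for the demo; in a real deployment it
# is loaded from server configuration. It is never sent to any client: the
# client only ever receives tokens derived from it.
SERVER_SECRET = secrets.token_bytes(32)


def _b64url_encode(raw: bytes) -> str:
    """URL-safe base64 without '=' padding, so the token fits in a header."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 900, now: Optional[int] = None,
                secret: bytes = SERVER_SECRET) -> str:
    """Issue a time-limited bearer token after the user has authenticated.

    Token layout is payload.tag with tag = HMAC-SHA256(secret, payload).
    Only the server can produce a valid tag, so the client needs no key of
    its own: it stores the token (memory is enough for a session) and sends
    it over TLS on each request.
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "exp": now + ttl_seconds}  # assumed claim names
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64url_encode(payload) + "." + _b64url_encode(tag)


def verify_token(token: str, now: Optional[int] = None,
                 secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the user id if the token is genuine and unexpired, else None.

    The tag is checked with a constant-time comparison before the payload is
    parsed, so forged, altered, malformed and expired tokens all yield None
    without the server trusting any attacker-controlled claim.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


if __name__ == "__main__":
    # Constructed demo: the server issues a token at login and checks it on a
    # later request. The user id is made up for the example.
    tok = issue_token("alice@example.test")
    print("token:", tok)
    print("verified as:", verify_token(tok))
```

The token is a bearer credential: whoever holds it is the user until `exp`, which is why the answer's requirement of TLS still applies to every request that carries it, and why the lifetime is kept short rather than tied to a long-lived per-client key. Nothing in this design asks the client to keep a secret beyond the session, which is the storage problem the question could not resolve.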