How to secure a web service call over HTTP
Question
What would be a best practice to secure a web service call over HTTP communication channel?
I aim to using extra parameters in query string to make time-limited hash values (generated by a calculation on client side) to define that sending request is valid. This will be understand by server side application how knows the client algorithm. But this way has a risk also when the client application is de-compiled!
So what is the best way? I'm looking for a dynamic algorithm, any thought?
1 answers
solution1
0 2014-01-30 16:56:05
From your comment it sounds like your need is to guard against "replay attacks" (someone sending the same request twice, when you only want for them to be able send it once). A common way to handle this is to use a nonce. At a basic level, it works like this:
1) Client wants to make a request; before doing that, it asks the server for a nonce, which is a value which will not be reused and shouldn't be predictable (eg based on the time).
2) Client gets the nonce from the server, then makes its request, sending back to the server the nonce it just got from it
3) If the client (or another client) then tries to make the request already made in step 2 above, the server won't accept it, because it'll contain a nonce which the server has already marked as "used."
That's a slight oversimplification, but that's how nonces work to prevent replay attacks.
Note: "nonce" comes from "number used once." But nonces don't actually need to be numbers.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.