ð Client and server share a secret access key and a public access key.
ð Client create a request that contains three fundamental elements:
public key header (in plain text),
date header,
Signature string calculated hashing data of the request with the secret access key.
This hash usually contains the http method, the URI path, the value of the date header
(for reply attacks), all the content of the request (for POST and PUT methods) and the
content type.
ð Client send the request to the server.
ð Server read the public key header and use it to retrieve the corresponding private access key.
ð Server use the private access key to calculate the signature in the same way as the client did.
ð Server check if the just-calculated signature matches with the one sent by the client.
ð To prevent replay attacks, We can also apply the acceptable time limit using date passed in header. Server checks that the value in the date header is within an acceptable limit (usually between 5 and 15 minutes to account clock discrepancy). The value cannot be manipulated by malicious attacker because the date it's used as part of the signature. If someone change the date header, the server will calculated a different signature of that calculated by the client, so above step will fail.
ð Other than granting user identity (nobody should know the secret access key other than the client itself. and the server of course), this mechanism also ensure the integrity of the message. If someone change something in the request, the signature won't match.
Please check it:
No comments:
Post a Comment