Group Abstract Group Abstract

Message Boards Message Boards

13
|
24.2K Views
|
6 Replies
|
26 Total Likes
View groups...
Share
Share this post:

Single-Origin Authentication for Cloud APIs

Jesse Friedman, Wolfram Research
Posted 11 years ago
POSTED BY: Jesse Friedman
6 Replies
Sort By:

Interesting, but now I believe that PermissionsKey is the best way to do that.

obj= CloudDeploy[APIFunction[{"n"->Integer},#n^2&],Permissions->{PermissionsKey["thekey"]->"Execute"}]
URLExecute[obj, {"n" -> 123, "_key" -> "thekey"}]

Tutorial: https://reference.wolfram.com/language/workflow/DeployAnAPIThatUsesAPermissionsKey.html
POSTED BY: Rodrigo Murta

Very interesting stuff here. I bet you could create some simple formulas for dynamic salt keys that would be too hard to guess. Maybe something like today's date squared minus yesterday's date. As long as both sides know the simple dynamic salt key generator formula, it would good enough to stop all but NSA abuse. lol
POSTED BY: David Johnston

Hi, I'm Riccardo one of the developers of this function.

This is super cool!

If you want to make it even more bulletproof, you can create and add a salt to your hash.

http://en.wikipedia.org/wiki/Salt_(cryptography)

A salt is basically a private key shared between your machine and the server, it improves security.

Also, I would suggest to do an hash over all your args.

APIFunction[
{"text" -> "String", "number"->"Number", "auth" -> "String"}, 
If[Hash[{"MySuperSecretSaltKey", #text, #number}] == #auth,
   "You said: " <> #text, 
   "Access denied!"] &]

What the client needs to do now is to send to the api an hash of 

Hash[{"MySuperSecretSaltKey", #text, #number}]

In this way every request to the api needs a different signature.

The reason why this can be better is because a man in the middle could steal your request data and do the same request again. If you are signing every request in this way, a man in the middle do not have the key to your api, but only the key to the request you have done.

The method I am suggesting is still not perfect, and can be improved, so if you are interested in security you can read a couple of things you may find interesting.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Great job, let me know if you need anything.
POSTED BY: Riccardo Di Virgilio

But would not that expose the secret key in the hash?
POSTED BY: Hristo Vrigazov

Cryptographic hash functions are designed to be irreversible, or at least extremely hard to reverse. For all intents and purposes, with a good hash algorithm it is virtually impossible to calculate an input that hashes to a desired output. However, some hash functions such as MD5 have been compromised, and are now considered insecure, due to the relative simplicity of finding hash "collisions", multiple inputs that hash to the same output.
POSTED BY: Jesse Friedman

Excellent! And one can also choose which Hash method one would like to use modifying the code (and hash value) using one of the hash code types described in http://reference.wolfram.com/language/ref/Hash.html

By the way, there's no need for the Returns: this works fine:

APIFunction[{"text" -> "String", "auth" -> "String"}, 
 If[Hash[#auth] == 5806601739209730667, 
   "You said: " <> #text, 
   "Access denied!"] &]

P.S. Nice profile shot. Who took it? ;-)
POSTED BY: David Reiss
Reply to this discussion
Community posts can be styled and formatted using the Markdown syntax.
Tag limit exceeded
Note: Only the first five people you tag will receive an email notification; the other tagged names will appear as links to their profiles.
Reply Preview
Attachments
Remove
or Discard