

I just read this article that is a few years old but describes a clever way of securing your REST APIs. Each client has a unique public/private key pair. Only the client and the server know the private key; it is never sent over the wire. With each request, the client takes several inputs (the entire request itself, the current timestamp, and the private key) and runs them through an HMAC function to produce a hash of the request. The client then sends the normal request (which contains the public key) and the hash to the server. The server looks up the client's private key (based on the provided public key) and does some timestamp check (that admittedly I don't understand) that verifies the request is not a victim of a replay attack.
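Added example (not from the article or the post above) showing both sides of the scheme in Python: the client signs method, path, body and timestamp with the shared HMAC secret (the "private key" in the post is really a shared secret, never an asymmetric key), and the server looks the secret up by the public key identifier, rejects requests whose timestamp is outside a short window, and only then compares the HMAC in constant time. The key store, header names, canonical string format and 300-second window are assumptions.

```python
import hmac
import hashlib
import time

# Constructed demo key store: public key (client identifier) -> shared HMAC secret.
# In practice this lives in a database or secrets manager, never in source.
KEY_STORE = {"client-abc": b"constructed-demo-shared-secret"}
MAX_SKEW_SECONDS = 300  # assumed replay window: reject anything older/newer than 5 min


def canonical_string(method, path, body, timestamp):
    """Deterministic byte string covering everything the signature must protect."""
    return f"{method.upper()}\n{path}\n{body}\n{timestamp}".encode()


def sign_request(public_key, secret, method, path, body, timestamp):
    """Client side: produce the headers that accompany the request."""
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp),
                   hashlib.sha256).hexdigest()
    return {"X-Public-Key": public_key,
            "X-Timestamp": str(timestamp),
            "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Server side: returns (accepted, reason). Timestamp is checked before the MAC
    so a replayed request fails even though its signature is valid."""
    now = time.time() if now is None else now
    secret = KEY_STORE.get(headers.get("X-Public-Key"))
    if secret is None:
        return False, "unknown client"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac.new(secret, canonical_string(method, path, body, ts),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"
```

Because the timestamp is inside the signed string, an attacker cannot simply refresh it on a captured request; combining the window with a server-side cache of recently seen signatures closes the remaining replay gap within the window.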
