Score:0

Authentication between two servers using PKA


I've run into a small issue regarding authentication between 2 services (one-way communication) using public and private key authentication (elliptic curve, secp256k1).

The services will communicate via a REST API over HTTPS, and the proposed implementation would be to have the client sign something with its private key, send the signature along with the rest of the data in the authentication header, and have the server verify that signature with the public key.

I've got a library to do the actual signing and verifying, so the actual cryptographic part of it is fine, and I know it's way more complex than the alternatives (just an API key, for example), but that doesn't bother me as long as the concept itself isn't flawed and it's at least as secure as the other (probably simpler) alternatives.

Is this a good idea? If not, why? If it is, what exactly do I sign? Is anything good (say, the current day)? Is there a problem in signing something static?

Maarten Bodewes:
Generally you'd at least sign information that is linked with the session, and particularly with session key establishment. But please study protocols such as TLS to get some idea. The time is less unique than you may think and is therefore not good; others could try to establish a session at the same time and steal your signature. Computers are really, really, really fast nowadays, and relying on a clock is very, very, very dangerous. This is also why signing something static is no good: it allows for **replay attacks**.