[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
Lucas Gonze
lgonze at panix.com
Fri Sep 30 20:46:57 UTC 2005
Antoine Pitrou wrote:
>The only way your proposal can provide some kind of security is by using
>HTTPS. While most people factually only have access to bare HTTP. It may
>change in the future, but it's not the case right now.
>
>
Given that:

  - The client has received at least one ID by secure means, and the client
    wants to fetch the corresponding representation.
  - SSL/TLS is not available.
  - The client has JavaScript.

On the client:

    $salt = newRandomNumber();
    $hashed = hash(concat($id,$salt));
    $representation = GET /mapper?hashed=$hashed&salt=$salt;

On the server:

    $hashed = http_argument("hashed");
    $salt = http_argument("salt");
    if( alreadyUsed($salt))
        returnError();
    addToUsed($salt);
    while($id = nextSavedID()){
        if( eq(hash(concat($id,$salt)), $hashed) )
            return(objectForID($id));
    }

Work on the server is O(number of objects), but work for an attacker is
the same as brute force. An attacker who can intercept the GET can
perform a man-in-the-middle attack.

Work on the server can be reduced to O(1) if the arguments are passed
from the client to the server according to this pseudocode:

On the client:

    $pub = GET /mapper?publickey;
    $salt = newRandomNumber();
    $package = makeFormattedPackage($salt,$id);
    $encrypted = encrypt($pub,$package);
    $representation = GET /mapper?encrypted=$encrypted;

On the server:

    $decrypted = decrypt($privateKey,http_argument("encrypted"));
    $package = parseFormattedPackage($decrypted);
    $id = getPackageElement($package,"id");
    return(objectForID($id));
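
The first exchange in the message above (salted hash lookup with a used-salt check), as an added Node.js example that is not part of the original post. SHA-256, the 16-byte hex salt, the NUL separator, the constant-time comparison, the status codes and all function names are assumptions; the post specifies only hash(), newRandomNumber() and the scan over saved IDs.

```javascript
// Added example, not code from the original message. Hash choice, salt size,
// status codes and every name here are assumptions made for illustration.
const crypto = require('node:crypto');

// hash(concat($id, $salt)); the NUL separator keeps ("ab","c") and ("a","bc") distinct.
function tokenFor(id, salt) {
  return crypto.createHash('sha256').update(`${id}\0${salt}`).digest();
}

// Client: holds an id obtained by secure means, sends only (hashed, salt).
function clientRequest(id) {
  const salt = crypto.randomBytes(16).toString('hex');
  return { hashed: tokenFor(id, salt).toString('hex'), salt };
}

// Server: reject reused salts, then scan every stored id, O(number of objects).
function makeServer(objects) {
  const usedSalts = new Set();
  return function handle({ hashed, salt }) {
    if (typeof hashed !== 'string' || typeof salt !== 'string') {
      return { status: 400 };
    }
    if (usedSalts.has(salt)) return { status: 409 }; // replayed request
    usedSalts.add(salt);
    const presented = Buffer.from(hashed, 'hex');
    for (const [id, representation] of objects) {
      const expected = tokenFor(id, salt);
      // Constant-time compare; the length check stops timingSafeEqual throwing.
      if (presented.length === expected.length &&
          crypto.timingSafeEqual(presented, expected)) {
        return { status: 200, body: representation };
      }
    }
    return { status: 404 };
  };
}

// Constructed sample data.
const store = new Map([
  ['7f3a-report', 'quarterly report'],
  ['c91e-photo', 'holiday photo'],
]);
const server = makeServer(store);
const request = clientRequest('c91e-photo');
console.log(server(request).status);                     // first use
console.log(server(request).status);                     // same salt replayed
console.log(server(clientRequest('no-such-id')).status); // unknown id
```

The used-salt set grows with every request, so a deployed server would have to bound or expire it.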