I have a standard API where the client is authenticated by hashing the request body with the private key and comparing that to the value of hash in the query string. For example, if the request body is "This request is a request body", hash is set to sha256('This request is a request body' . PRIVATE_KEY), and then the server does the same to validate it.

How can I secure this authentication process if the request body is empty? The hash is then just a hashed value of the private key, and can be reused by anyone listening to the traffic for "blank" requests. I am assuming that the only answer will be "require content in the body", but maybe I'm missing something obvious.

First off, do not use HASH(data + key). It has known weaknesses; this is what HMAC is designed for. Then your hash will be:

    hash = hmac(sha256, data, private_key)

Now, the general way to handle your question (how to stop replay attacks) is by adding a random factor to each request. There are a few ways to do this, but one that works well is a nonce-based approach. Therefore:

    nonce = random(16)
    now = time()
    data = api_data + '|' + nonce + '|' + now
    hash = hmac(sha256, data, private_key)
    apiCall = data + '&nonce=' + nonce + '&time=' + now + '&sig=' + hash

Then, on the receiving side, you keep track of the list of nonces seen in the last 30 seconds. If you get one that you have seen, reject the API call (because it will be a replay attack). If you get one that is more than 30 seconds old, reject the API call.
if (now
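
The nonce-and-timestamp scheme from the answer, including the empty-body case from the question, as an added Python example (not code from the original post). The function and class names, the 32-hex-character nonce format and the symmetric tolerance for clock skew are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets
import time

WINDOW = 30  # seconds a signed request stays valid, as in the answer


def _tag(key, body, nonce, ts):
    # HMAC-SHA256 over body|nonce|time, the layout used in the pseudocode.
    msg = b"|".join([body, nonce.encode(), ts.encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign(key, body, now=None):
    """Client side: a fresh nonce makes every tag unique, even for b''."""
    nonce = secrets.token_hex(16)
    ts = str(int(time.time() if now is None else now))
    return {"body": body, "nonce": nonce, "time": ts,
            "sig": _tag(key, body, nonce, ts)}


class Verifier:
    """Server side: checks field format, tag, time window and nonce reuse."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp it was signed with

    def verify(self, req, now=None):
        now = int(time.time() if now is None else now)
        nonce, ts = req["nonce"], req["time"]
        # Fixed-format fields keep the '|' framing unambiguous when the
        # body itself contains '|'.
        if not (re.fullmatch(r"[0-9a-f]{32}", nonce)
                and re.fullmatch(r"[0-9]{1,12}", ts)):
            return "malformed"
        expected = _tag(self.key, req["body"], nonce, ts)
        if not hmac.compare_digest(expected, req["sig"]):  # constant time
            return "bad signature"
        if abs(now - int(ts)) > WINDOW:
            return "expired"
        # Nonces outside the window would be rejected as expired anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= WINDOW}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = int(ts)
        return "ok"
```

The nonce table only has to hold entries for the length of the window, because the timestamp check already rejects anything older.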