Last post Dec 15, 2016 08:37 AM by Chris Zhao
Dec 02, 2016 10:00 AM|sudip_inn|LINK
Just read this article.
They said: "Hash-based message authentication code (HMAC) is an option that provides the server and the client each with a public and private key. The public key is known, but the private key is known only to that server and that client. The client creates a unique HMAC, or hash, per request to the server by combining the request data and hashing that data, along with a private key, and sending it as part of a request. The server receives the request and regenerates its own unique HMAC. The server compares the two HMACs, and, if they're equal, the client is trusted and the request is executed. This process is often called a secret handshake."
I have a few questions about the above write-up.
1) How can the client combine his request data and hash his full request data? Suppose the client is sending customer data like (custid, name, etc....)
2) When the client sends the hash of his request data to the server, how could the server again generate the same hash of the data sent by the client, because the client will send the hash of his data, not the actual data? Please clarify this point.
Are they trying to say the client will send his data as well as the hash of that sent data to the server?
3) If I follow the above approach to prevent a replay attack, then how could I prevent it? Suppose an attacker captures the request and takes out the private key and hashed data and sends it to the server. Then how can the server understand the request is coming from an attacker?
Please help me to understand how we can secure API access by HMAC with an example.
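As an added example (not from the original thread or the linked articles), here is a minimal client/server pair in Python covering the three questions above: the client sends the request data in clear together with the HMAC; the server recomputes the HMAC from that same received data; and a timestamp plus a one-time nonce, both included in the signed string, let the server reject a captured request that is sent again. The shared secret, header names and customer payload are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed demo secret: each client gets its own, shared out of band, never sent on the wire.
SECRET = b"demo-shared-secret-not-for-production"

def canonical(method, path, body, timestamp, nonce):
    # Everything the HMAC covers. The client sends all of these fields in clear
    # alongside the signature, so the server can rebuild the identical string.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])

def sign(secret, method, path, body, timestamp, nonce):
    msg = canonical(method, path, body, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def client_request(secret, method, path, payload, nonce, now):
    # Client side: serialise the data, sign it, and ship data + signature together.
    body = json.dumps(payload, sort_keys=True).encode()
    headers = {"X-Timestamp": str(now), "X-Nonce": nonce,
               "X-Signature": sign(secret, method, path, body, now, nonce)}
    return method, path, headers, body

class Server:
    def __init__(self, secret, window=300):
        self.secret, self.window, self.seen = secret, window, set()

    def verify(self, method, path, headers, body, now):
        # Server side: recompute the HMAC from the received data and compare.
        try:
            ts, nonce, sig = int(headers["X-Timestamp"]), headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.window:
            return False, "timestamp outside allowed window"
        if nonce in self.seen:
            return False, "nonce already used (replay)"
        expected = sign(self.secret, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        self.seen.add(nonce)  # remember the nonce only for requests that verified
        return True, "ok"
```

Sending the same signed request twice is refused by the nonce check, and any change to the body, path, method, timestamp or nonce changes the recomputed HMAC so the signature no longer matches.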
Dec 02, 2016 12:33 PM|ketan_al|LINK
Please refer to the following
Dec 02, 2016 02:49 PM|sudip_inn|LINK
I have seen that URL, but here I asked a few questions whose answers I am looking for. If you know the answer then please share it. Thanks.
Dec 15, 2016 08:37 AM|Chris Zhao|LINK
You could refer to the following links. They provide source code samples for securing an ASP.NET Web API using HMAC.