The client and server share a secret access key and a public access key.

The client creates a request that contains three fundamental elements: the public key header (in plain text), and a signature string calculated by hashing data of the request with the secret access key. The signed data usually contains the HTTP method, the URI path, the value of the date header (to prevent replay attacks), all the content of the request (for POST and PUT methods) and the client then sends the request to the server.

The server reads the public key header and uses it to retrieve the corresponding private (secret) access key, uses that key to calculate the signature in the same way as the client did, and checks whether the just-calculated signature matches the one sent by the client.

To prevent replay attacks, we can also apply an acceptable time limit using the date passed in the header. The server checks that the value in the date header is within an acceptable limit (usually between 5 and 15 minutes, to account for clock discrepancy). The value cannot be manipulated by a malicious attacker because the date is used as part of the signature: if someone changes the date header, the server will calculate a different signature from the one calculated by the client, so the step above will fail.

Other than guaranteeing the user's identity (nobody should know the secret access key other than the client itself, and the server of course), this mechanism also ensures the integrity of the message: if someone changes something in the request, the signature won't match.
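The whole exchange described above (client signs, server looks up the secret by the public key id, checks the date window, recomputes and compares), as an added example that is not part of the original text. The header names `X-Access-Key`, `X-Date` and `X-Signature`, the canonical string layout, the 15-minute window and the key store contents are assumptions made for this example; it uses HMAC-SHA256 over the method, path, date header and a hash of the body, and the server compares signatures in constant time.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed key store: public access key id -> secret access key.
# Both values are placeholders for this example, not real credentials.
KEY_STORE = {"demo-public-key-1": b"demo-secret-access-key-1"}
MAX_CLOCK_SKEW = timedelta(minutes=15)   # acceptable window for the date header (assumed)
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"           # date header format (assumed)


def canonical_string(method: str, path: str, date: str, body: bytes) -> str:
    """Data covered by the signature: HTTP method, URI path, date header and body hash."""
    return "\n".join([method.upper(), path, date, hashlib.sha256(body).hexdigest()])


def compute_signature(secret: bytes, method: str, path: str, date: str, body: bytes) -> str:
    """HMAC-SHA256 of the canonical string under the secret access key."""
    message = canonical_string(method, path, date, body).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def client_sign_request(key_id, secret, method, path, body, now):
    """Client side: attach the public key id, the date and the signature as headers."""
    date = now.strftime(DATE_FMT)
    signature = compute_signature(secret, method, path, date, body)
    headers = {"X-Access-Key": key_id, "X-Date": date, "X-Signature": signature}
    return {"method": method, "path": path, "headers": headers, "body": body}


def server_verify(request, now, key_store=KEY_STORE):
    """Server side: look up the secret, check the date window, recompute and compare.

    Returns (accepted, reason)."""
    headers = request["headers"]
    secret = key_store.get(headers.get("X-Access-Key"))
    if secret is None:
        return False, "unknown access key"
    try:
        sent_at = datetime.strptime(headers["X-Date"], DATE_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "missing or malformed date header"
    if abs(now - sent_at) > MAX_CLOCK_SKEW:
        return False, "date outside acceptable window"
    expected = compute_signature(
        secret, request["method"], request["path"], headers["X-Date"], request["body"]
    )
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def run_scenarios():
    """Run the valid case plus a tampered body and two replay attempts; return the server's verdicts."""
    key_id = "demo-public-key-1"
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock value
    body = b'{"item": "book", "qty": 1}'                      # constructed request body
    valid = client_sign_request(key_id, KEY_STORE[key_id], "POST", "/api/orders", body, t0)

    # Body altered in transit: the recomputed signature no longer matches.
    tampered = dict(valid, body=b'{"item": "book", "qty": 100}')

    # Same request replayed an hour later: date header falls outside the window.
    later = t0 + timedelta(hours=1)

    # Replay with the date header rewritten to the current time: the date is part
    # of the signed data, so the client's original signature no longer matches.
    forged_date = dict(valid, headers={**valid["headers"], "X-Date": later.strftime(DATE_FMT)})

    return {
        "valid": server_verify(valid, t0)[1],
        "tampered_body": server_verify(tampered, t0)[1],
        "replayed_late": server_verify(valid, later)[1],
        "forged_date": server_verify(forged_date, later)[1],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The date check runs before the signature check only to reject stale requests cheaply; the security property comes from the signature covering the date, which is why the forged-date replay is rejected even though its date is inside the window.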