- Client and server share a secret access key and a public access key.
- Client creates a request that contains three fundamental elements: a public key header (in plain text), a date header, and a signature string calculated by hashing data of the request with the secret access key. This hash usually covers the HTTP method, the URI path, the value of the date header (to prevent replay attacks), all the content of the request (for POST and PUT methods) and the content type.
- Client sends the request to the server.
- Server reads the public key header and uses it to retrieve the corresponding secret access key.
- Server uses the secret access key to calculate the signature in the same way as the client did.
- Server checks whether the just-calculated signature matches the one sent by the client.
- To prevent replay attacks, we can also apply an acceptable time limit using the date passed in the header. The server checks that the value in the date header is within an acceptable window (usually between 5 and 15 minutes, to account for clock discrepancy). The value cannot be manipulated by a malicious attacker because the date is used as part of the signature: if someone changes the date header, the server will calculate a different signature from the one calculated by the client, so the step above will fail.
- Other than proving user identity (nobody should know the secret access key other than the client itself, and the server of course), this mechanism also ensures the integrity of the message. If someone changes anything in the request, the signature won't match.
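The whole exchange above, as an added example that is not part of the original post: the client signs the method, path, Date header, content type and body with HMAC-SHA256, and the server looks up the secret by public key, enforces the Date window, recomputes the signature and compares it in constant time. Header names, the key store, the key values and the 5-minute window are assumptions for the demo.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

KEYS = {"AKID123": b"demo-secret-do-not-use"}  # constructed: public key -> secret key
MAX_SKEW = timedelta(minutes=5)                 # acceptable Date window

def canonical_string(method, path, date_hdr, content_type, body):
    # Everything the signature covers: method, URI path, Date header, content type, body hash.
    return "\n".join([method.upper(), path, date_hdr, content_type,
                      hashlib.sha256(body).hexdigest()])

def sign(secret, method, path, date_hdr, content_type, body):
    data = canonical_string(method, path, date_hdr, content_type, body).encode()
    return base64.b64encode(hmac.new(secret, data, hashlib.sha256).digest()).decode()

def build_request(public_key, secret, method, path, body, content_type, now):
    # Client side: public key and Date travel in clear, the secret never leaves the client.
    date_hdr = format_datetime(now, usegmt=True)
    headers = {"X-Access-Key": public_key, "Date": date_hdr, "Content-Type": content_type}
    headers["Authorization"] = sign(secret, method, path, date_hdr, content_type, body)
    return {"method": method, "path": path, "headers": headers, "body": body}

def verify_request(req, now):
    # Server side: look up the secret, enforce the time window, recompute and compare.
    h = req["headers"]
    secret = KEYS.get(h.get("X-Access-Key"))
    if secret is None:
        return False, "unknown access key"
    try:
        skew = abs(now - parsedate_to_datetime(h.get("Date", "")))  # TypeError if naive
    except (TypeError, ValueError, IndexError):
        return False, "bad date header"
    if skew > MAX_SKEW:
        return False, "date outside acceptable window"
    expected = sign(secret, req["method"], req["path"], h["Date"],
                    h.get("Content-Type", ""), req["body"])
    if not hmac.compare_digest(expected.encode(), h.get("Authorization", "").encode()):
        return False, "signature mismatch"  # constant-time comparison
    return True, "ok"

def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    args = ("POST", "/orders", b'{"qty": 1}', "application/json")
    req = build_request("AKID123", KEYS["AKID123"], *args, now)
    bad_body = {**req, "body": b'{"qty": 100}'}  # tampered content
    bad_date = {**req, "headers": {**req["headers"], "Date":  # shifted Date header
                format_datetime(now + timedelta(minutes=1), usegmt=True)}}
    return [verify_request(r, t)[1] for r, t in
            [(req, now), (bad_body, now), (bad_date, now), (req, now + timedelta(minutes=10))]]
```

`demo()` exercises the four cases from the text: a valid request, a tampered body, a tampered Date header (rejected as a signature mismatch, since the date is signed) and a replay 10 minutes later (rejected by the time window).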
Please check it: