Mashery allows authentication via digital signature as follows:
- First, concatenate the following components:
- API key
- Shared secret
- UNIX Timestamp
- Then, create an MD5 hash of the concatentated string.
The documentation states that the unix timestamp only needs an accuracy of +/- 5 minutes. Details: http://support.mashery.com/docs/read/mashery_api/20/Authentication .
Assuming this is not a trade-secret, what is the algorithm for performing authentication like this?
Specifically, how is it possible when the unix timestamp can vary by 5 minutes? A "brute-force" technique might be to calculate a signature for every possible timestamp value until finding a match (or not), but that doesn't seem practical for authenticating frequent API calls.
Yes, that appears to be what it does. The documentation link you gave states, " A five-minute wiggle is permitted on either side of the current timestamp on the Mashery server to allow for reasonable clock drift." That means they need to check up to 600 hashes to see if the submitted one is valid. 5 minutes is 300 seconds. Plus or minus makes it 600 checks.
It seems practical to me. 600 MD5s is not a lot of processing to do. In fact, a modern password validator (like something that uses bcrypt) would perform much more work to validate a password.