How does API signature authentication work as implemented by Mashery?


Mashery allows authentication via digital signature as follows:

  • First, concatenate the following components:
    • API key
    • Shared secret
    • UNIX Timestamp
  • Then, create an MD5 hash of the concatenated string.

The documentation states that the unix timestamp only needs an accuracy of +/- 5 minutes. Details: http://support.mashery.com/docs/read/mashery_api/20/Authentication .

Assuming this is not a trade-secret, what is the algorithm for performing authentication like this?

Specifically, how is it possible when the unix timestamp can vary by 5 minutes? A "brute-force" technique might be to calculate a signature for every possible timestamp value until finding a match (or not), but that doesn't seem practical for authenticating frequent API calls.

4

There are 4 answers

4
Fantius On BEST ANSWER

Yes, that appears to be what it does. The documentation link you gave states, "A five-minute wiggle is permitted on either side of the current timestamp on the Mashery server to allow for reasonable clock drift." That means they need to check up to 600 hashes to see if the submitted one is valid. 5 minutes is 300 seconds. Plus or minus makes it 600 checks.

It seems practical to me. 600 MD5s is not a lot of processing to do. In fact, a modern password validator (like something that uses bcrypt) would perform much more work to validate a password.

3
James Butler On

Amazon gives a good example of request signing, in quite a lot of detail, which should make the mechanics obvious (I realise it's not Mashery, but I think it's what you're after, or will at least help on your journey to API security happiness).

http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html

0
EJ Campbell On

Mashery could also pre-generate the list of valid signatures or cache each sig on demand. The signature is global to all APIs that Mashery is protecting for that API Key / Shared Secret, so there is no need to validate the API call uniquely for every request.

0
EJ Campbell On

sha256 is pretty fast. Even in PHP, you can calculate 830K sha256's a second, so they very likely just brute force it.

<?php

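// Number of hashes to compute for the benchmark
$COUNT = 6000000;
$start = microtime(true);
for($i = 0; $i < $COUNT; $i++) {
  // Hash a fixed string plus the loop counter so every input differs
  $out = hash('sha256', 'wefjklwfekjlewfjklwefjklfwejkwefjklwfekjl' . $i);
  //print("$out\n");
}
// Elapsed wall-clock time in seconds
$total = microtime(true) - $start;
print("Time: $total\n");
print("sha256's per second: " . ($COUNT / $total) . "\n");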

?>
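
The server-side window check and the pre-generated signature list discussed in the answers above, as an added Python example that is not part of the original posts and is not Mashery's code. It assumes the signature is the hex MD5 of the API key, shared secret and timestamp concatenated in the order listed in the question; the function names and the sample key and secret are constructed for illustration.

```python
import hashlib
import hmac

WINDOW = 300  # seconds of drift allowed on either side of the server clock


def sign(api_key: str, secret: str, timestamp: int) -> str:
    """Client side: hex MD5 of api key + shared secret + UNIX timestamp."""
    data = f"{api_key}{secret}{timestamp}".encode()
    return hashlib.md5(data).hexdigest()


def verify(api_key, secret, submitted, now, window=WINDOW):
    """Return the client timestamp that produced `submitted`, or None.

    Candidates are tried nearest-first (now, now+1, now-1, ...), so a
    client with a well-synchronised clock matches after a few hashes and
    only a rejected request costs the full 2 * window + 1 hashes.
    """
    submitted = submitted.lower().encode()
    for offset in range(window + 1):
        for ts in {now + offset, now - offset}:
            candidate = sign(api_key, secret, ts).encode()
            if hmac.compare_digest(candidate, submitted):
                return ts
    return None


def valid_signatures(api_key, secret, now, window=WINDOW):
    """Caching variant: every signature acceptable at server time `now`.

    The set depends only on the key, the secret and the clock, so it can
    be built once per second and shared by all requests for that key.
    """
    return {sign(api_key, secret, ts)
            for ts in range(now - window, now + window + 1)}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    key, secret, server_now = "examplekey", "examplesecret", 1_700_000_000
    sig = sign(key, secret, server_now - 120)      # client clock 2 min slow
    print(verify(key, secret, sig, server_now))    # matched timestamp
    print(sig in valid_signatures(key, secret, server_now))
```

Because the signature covers only the key, secret and timestamp, any request presenting it inside the window verifies, which is why the answers can treat it as cacheable per key rather than per request.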