Authenticate API using digital signature
I am building an API solution to cater few enterprises who can share keys
with me privately. I want to build a secure API and following are the
requirements
1) If I get a request from any enterprise, I should have the proof that
only that enterprise have sent that request, so if any bad request is sent
by enterprise should have proof to show. - I plan to achieve to ask the
sender also put the signature of the request so that only they could have
sent the request as noone can create their signature.
2) Secure channel - I plan to use https
3) Other standard requirements which I plan to cater by requiring the
sender to include the Access key id created by me, date, time stamp.
I have mostly followed this using the standard ways to encrypt based on my
requirements and Amazon's way of securing the requests
(http://docs.aws.amazon.com/AmazonS3/latest/dev/S3_Authentication2.html).
curl -i -H "Content-Type: application/json \n "
-X POST -d '{ "key1": "value1", "key2":
"value2", "key3": "value3",
"key4": "value4", "accesskeyid":"sdfsd334s",
"timestamp":"35d345",
"signature":"sglfdkgjfldkgj"}'
http://localhost:5000/xyz
My intention is to only allow calls from known parties, and to prevent
calls from being reused verbatim.
Is this good enough? Underkill? Overkill?
Our server is located on amazon cloud.
No comments:
Post a Comment