Wire-Level Security

Consider a pay-for web service such as Amazon’s S3 storage service. The service must authenticate each request to store or retrieve data so that only paying clients can use it and, moreover, so that a given client has access only to the storage it has paid for. In the RESTful version of S3, Amazon authenticates client requests with a scheme built on HMAC (keyed-hash message authentication code). The authentication credential can travel either in the query string of the request URI or in an HTTP header whose key is Authorization. In either case, the basic approach is the same:

  • Parts of the request data are concatenated together to form a single string, which becomes the input value for a hash computation. This string is the input message.
  • The AWS (Amazon Web Services) secretKey, a unique bit string that Amazon issues to each client and which was discussed earlier in connection with clients of the Amazon E-Commerce service, is used as the key to compute the HMAC of the input message (see Figure 6-1). The output of a hash function is also called a message digest: a fixed-length value computed from arbitrarily many input bits. For the S3 service, Amazon uses HMAC with SHA-1 (Secure Hash Algorithm 1), which produces a 160-bit digest regardless of the length of the input. Amazon calls this value the signature because it plays the role of a digital signature, although technically a digital signature is an encrypted message ...

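The two steps above, carried through end to end, as an added example in Python (not code from the book or from Amazon). The field order in string_to_sign, the "AWS accessKeyId:signature" header layout, and the credentials are assumptions made for this example, modeled on the REST signing scheme described in the text; the keys are constructed and not real. The server-side verify function shows the practitioner's side of the scheme: because HMAC is symmetric, the service must hold the same secretKey, recompute the digest over the same request parts, and compare it in constant time.

```python
import base64
import hashlib
import hmac

# Constructed credentials for the example only; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID"
SECRET_KEY = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def string_to_sign(method, resource, headers):
    """Step 1: concatenate the request parts that the signature covers.

    Field order is an assumption for this example: HTTP verb, Content-MD5,
    Content-Type, Date, then any x-amz-* headers (sorted, one per line)
    and finally the resource path. Missing fields contribute empty lines.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    amz = "".join(f"{k}:{h[k]}\n" for k in sorted(h) if k.startswith("x-amz-"))
    fixed = "\n".join([
        method.upper(),
        h.get("content-md5", ""),
        h.get("content-type", ""),
        h.get("date", ""),
    ])
    return fixed + "\n" + amz + resource


def sign(secret_key, message):
    """Step 2: HMAC-SHA1 keyed with the secretKey over the input message.

    The digest is 160 bits (20 bytes) whatever the message length; it is
    base64-encoded for transport, giving a 28-character signature.
    """
    digest = hmac.new(secret_key, message.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(access_key_id, secret_key, method, resource, headers):
    """Client side: build the Authorization header value.

    The accessKeyId identifies the client; the secretKey never leaves it.
    """
    sig = sign(secret_key, string_to_sign(method, resource, headers))
    return f"AWS {access_key_id}:{sig}"


def verify(secret_key, method, resource, headers, authorization):
    """Server side: recompute the HMAC from the request as received and
    compare with the presented signature in constant time.

    Any change to a covered part (verb, date, resource, ...) changes the
    recomputed digest, so a replayed or tampered request fails.
    """
    try:
        scheme, rest = authorization.split(" ", 1)
        _key_id, presented = rest.split(":", 1)
    except ValueError:
        return False
    if scheme != "AWS":
        return False
    expected = sign(secret_key, string_to_sign(method, resource, headers))
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed request: GET of one object, with only a Date header.
    hdrs = {"Date": "Tue, 27 Mar 2007 19:36:42 +0000"}
    auth = authorization_header(ACCESS_KEY_ID, SECRET_KEY, "GET",
                                "/johnsmith/photos/puppy.jpg", hdrs)
    print("Authorization:", auth)
    print("verifies:", verify(SECRET_KEY, "GET", "/johnsmith/photos/puppy.jpg", hdrs, auth))
    # Same header replayed against a different resource is rejected.
    print("replay to /johnsmith/photos/kitten.jpg:",
          verify(SECRET_KEY, "GET", "/johnsmith/photos/kitten.jpg", hdrs, auth))
```

Two points worth noticing when running it: the Date header is part of the signed string, so the server can bound the window in which a captured signature is useful, and hmac.compare_digest is used rather than == so that a byte-by-byte early exit does not leak how much of a forged signature was correct.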