HMAC Helper
[eluser]stensi[/eluser]
What's HMAC (Hash Message Authentication Code)? In short, it's basically a specific algorithm, such as MD5 or SHA1, used in combination with a hash function and a private key. It is used for verifying the data integrity and authenticity of a message or request.

How's it work? A relevant example would be using HMAC in your requests to Amazon S3. When you sign up to use Amazon S3, they provide you with a public key and a private key. Only you and Amazon know what your private key is. Basically you can think of the public key as a username and the private key as a password.

When making a request with Amazon S3, you include your public key within it and your HMAC. The HMAC is created by performing a hash on the data in your request using your private key. Upon receiving your request, Amazon S3 will go through the same process to authenticate your request. They use your public key to look up your private key in their database. They then perform a hash on the data in your request using your private key. They compare the resulting HMAC with the HMAC you supplied in your request. If they match, the request is deemed as authentic! So, the private key is never sent across the internet, giving no chance of it being intercepted. The longer the private key, the more secure the HMAC.

Why make an HMAC Helper? The main reason I made it was because most current Amazon S3 libraries require that you use either the Crypt HMAC package from the PEAR library or PHP5's hash_hmac function. I prefer not to add the bloat of PEAR or rely on it, so sticking with CodeIgniter's ideology of maintaining backwards compatibility, my HMAC helper will work in both PHP4 and PHP5.

HMAC Helper Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
[eluser]stensi[/eluser]
Example

I've taken the XML-RPC client and server examples from the Code Igniter User Guide and modified them to include the use of HMAC signatures to authenticate requests with.

XMLRPC Client Code:
<?php

XMLRPC Server Code:
<?php

In the actual XML-RPC client requests I use for my sites, I put the public key and HMAC signature in the Basic HTTP Authorization header. This gives better separation of the authentication from the content of the request. I made a drop-in replacement of CodeIgniter's XMLRPC controller to allow this. If anyone wants it let me know and I'll post it. For now I'll leave it out since this post is long enough already.

I pass the public key and HMAC signature like so:
Code:
$server_url = 'http://' . $public_key . ':' . $signature . '@domain.com/xmlrpc_server';

Which is then accessible in the server in this way:
Code:
$public_key = $_SERVER['PHP_AUTH_USER'];

Anyway, I hope someone finds this useful. I know I would have a day ago!
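The sign-and-verify flow described in the first post, carried through the Basic-auth URL scheme of the second post, as an added worked example. This is not stensi's helper or CodeIgniter code: it uses PHP's built-in hash_hmac() and hash_equals() (so it needs PHP 5.6 or later, unlike the PHP4-compatible helper the thread discusses), and the key store, the canonical string format, the sample public key and the hostname domain.com are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Signs a request with HMAC-SHA1
// under a private key and verifies it server-side by looking the key up via
// the public key, exactly as the first post describes for Amazon S3.

// Constructed sample key store (server side only): public key -> private key.
$KEY_STORE = array(
    'AKIAEXAMPLE' => 'constructed-private-key-keep-this-secret',
);

// Canonical string to sign: method, path, date and a digest of the body, so a
// change to any part of the request changes the signature. The date lets the
// server reject stale (replayed) requests; the format is an assumption here.
function canonical_request($method, $path, $date, $body) {
    return $method . "\n" . $path . "\n" . $date . "\n" . sha1($body);
}

// Client side: HMAC over the canonical string with the private key, base64'd.
function sign_request($private_key, $method, $path, $date, $body) {
    $data = canonical_request($method, $path, $date, $body);
    return base64_encode(hash_hmac('sha1', $data, $private_key, true));
}

// Server side: recompute the HMAC from the stored private key and compare in
// constant time, so response timing does not reveal how much of a guess matched.
function verify_request($key_store, $public_key, $signature, $method, $path, $date, $body) {
    if (!isset($key_store[$public_key])) {
        return false; // unknown public key: no private key to verify against
    }
    $expected = sign_request($key_store[$public_key], $method, $path, $date, $body);
    return hash_equals($expected, $signature);
}

// ---- Client: build the URL the way the post does (credentials in Basic auth) ----
$public_key  = 'AKIAEXAMPLE';
$private_key = $KEY_STORE[$public_key]; // the client holds its own copy of the secret
$method = 'POST';
$path   = '/xmlrpc_server';
$date   = gmdate('D, d M Y H:i:s \G\M\T');
$body   = '<?xml version="1.0"?><methodCall><methodName>Greetings</methodName></methodCall>';
$signature = sign_request($private_key, $method, $path, $date, $body);

// base64 output can contain '/', '+' and '=', so encode it before placing it in the URL.
$server_url = 'http://' . rawurlencode($public_key) . ':' . rawurlencode($signature)
            . '@domain.com' . $path;

// ---- Server: what the XML-RPC controller sees ----
// PHP populates these from the Authorization: Basic header the client URL produces;
// they are set by hand here so the example runs offline.
$_SERVER['PHP_AUTH_USER'] = $public_key;
$_SERVER['PHP_AUTH_PW']   = $signature;

$ok = verify_request($KEY_STORE, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'],
                     $method, $path, $date, $body);
echo $ok ? "authentic\n" : "rejected\n";

// A tampered body is rejected: the recomputed HMAC no longer matches the one supplied.
$tampered = verify_request($KEY_STORE, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'],
                           $method, $path, $date, $body . ' ');
echo $tampered ? "authentic\n" : "rejected\n";
```

Two points worth noting on the server side: the comparison uses hash_equals() rather than == because a byte-by-byte early-exit comparison leaks timing information, and the signed string includes the request date so the server can bound how long a captured signature stays valid, which is the reason to verify the signature on every request rather than only once.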
[eluser]carnalito[/eluser]
Hi Stensi, you saved my day. As far as I searched the forum, your solution to authenticate via xmlrpc-lib is the best of all (maybe the only one?!). I will try it and would be happy to get some help from your side (as I need it). Thanks again for posting your code. Regards, Carnalito
[eluser]carnalito[/eluser]
Hi Stensi, done testing and I like it. One question is how to do the "xml-rpc-communication" from the point of successful validation? Is providing a session-id the way to go, or validating the keys on every request? Thanks. Regards, Carnalito