I am thinking about using nonce and secure request to API Server. Is this the right implementation for using nonce?
PURPOSE
- Protect API Server from Replay attack
- Protect API Server from MITM attack
- Protect Core API Server from Resource exhaustion attack
IMPLEMENTATION
== ALL REQUEST IN HTTPS ==
PREPARATION:
[CLIENT] check if [session_id] exists
- If exist use it
- If not exist request [session_id] uuidv4 from [SERVER]
[SERVER] generate [session_id] and store it in database ( redis )
BEFORE ANY IMPORTANT REQUEST:
- [CLIENT] request [snonce] from [SERVER] when submitting form / before api request with [session_id] or [auth_token_id :: if exist]
[SERVER] check throttle limit based on [session_id] or [auth_token_id :: if exist]
- If allowed, continue
[SERVER] generates [snonce] with uuidv4, [snonce_id] with uuidv1
- [SERVER] store [snonce] to database ( redis ) with [session_id] + [snonce_id] + [snonce] + [time_created]
- There will be a cleanup service on [SERVER], deleting expired and unused [snonce]
- [SERVER] return [snonce] + [snonce_id]
- [CLIENT] generates [cnonce] from uuidv4
- [CLIENT] generate [ticket] from SHA256
{ content = [snonce] + [auth_token :: if exist ], salt = [cnonce] }
- [CLIENT] send ( [session_id] , [cnonce], [snonce_id], [ticket], [username :: if exist], [payload] )
- [SERVER] checks if [ [session_id] + [snonce_id] exist in database and get all result ]
- [SERVER] delete used [snonce] on database
- If [username] exists, check and get [auth_token] from database
- [SERVER] check [ticket] with SHA256
{ content = [snonce] + [auth_token :: if exist ], salt = [cnonce] }
- Proceed with the request if valid.
QUESTION:
Is the above logic and implementation valid and secure?
Is it necessary to generate cnonce and SHA256 it since the request is already in HTTPS TLS?
