I'm designing a RESTful API that will always be used over HTTPS. What security advantages over the use of HTTP Basic Auth could be brought to my system by using such a kind of message authentication code?
5
HTTPS is HTTP-within-SSL and SSL already enforces integrity checks -- indeed, it does so with HMAC (see section 6.2.3).
Using Basic authentication is safe within SSL, and sufficient. You don't need an extra HMAC. The method shown by AWS is meant to provide some sort of authentication in situations where data travels unprotected, in order to prevent the client credentials from travelling as cleartext, because an eavesdropper could otherwise learn them; SSL provides both confidentiality and integrity, making this point moot.
- The "not" should not be in "where the client credentials do not travel", correct? The HMAC is for when credentials _do_ travel as cleartext. – user50849 Sep 05 '13 at 11:19
- I have clarified the wording. – Tom Leek Sep 05 '13 at 11:30
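To make the contrast in the answer concrete, here is an added example (not from the original question, answer, or AWS's own signing code) that puts an HTTP Basic header beside an AWS-style HMAC request signature. The key id, secret, paths and timestamps are constructed sample values, and the header format is a simplified stand-in for a real signing scheme, assumed here only for illustration. It shows what an eavesdropper on plain HTTP gets from each: the reusable password from Basic, versus only a public key id and a per-request signature from the HMAC scheme.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials for this demonstration; real ones come from a credential store.
ACCESS_KEY_ID = "AKIAEXAMPLEKEY"           # public identifier, safe to send on the wire
SECRET_KEY = b"constructed-shared-secret"  # shared out of band; never sent on the wire
KEY_STORE = {ACCESS_KEY_ID: SECRET_KEY}    # server-side lookup table keyed by public key id


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic: the username:password pair itself travels in the header, merely base64-encoded."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_basic(header: str) -> tuple:
    """What an eavesdropper on plain HTTP recovers from a Basic header: the reusable password."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, password = decoded.split(":", 1)
    return user, password


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind the signature to the request: method, path, time and a digest of the body."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over the canonical string; the secret is an input, not part of the output."""
    return hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()


def hmac_auth_header(key_id: str, secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """AWS-style header (simplified, hypothetical format): only key id, timestamp and signature travel."""
    sig = sign_request(secret, method, path, timestamp, body)
    return f"HMAC-SHA256 KeyId={key_id},Timestamp={timestamp},Signature={sig}"


def verify_request(header: str, method: str, path: str, body: bytes, now: int, max_skew: int = 300) -> bool:
    """Server side: recompute the MAC from the request as received and compare in constant time."""
    scheme, _, params = header.partition(" ")
    if scheme != "HMAC-SHA256":
        return False
    fields = {}
    for part in params.split(","):
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    secret = KEY_STORE.get(fields.get("KeyId", ""))
    if secret is None:
        return False  # unknown key id
    try:
        timestamp = int(fields["Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > max_skew:
        return False  # stale or far-future signature: limits the replay window
    expected = sign_request(secret, method, path, timestamp, body)
    # compare_digest avoids leaking how many leading characters matched via timing
    return hmac.compare_digest(expected, fields.get("Signature", ""))


if __name__ == "__main__":
    body = b'{"order": 42}'  # constructed request body
    print(credentials_from_basic(basic_auth_header("alice", "s3cret")))
    hdr = hmac_auth_header(ACCESS_KEY_ID, SECRET_KEY, "POST", "/orders", 1378379940, body)
    print(hdr)
    print(verify_request(hdr, "POST", "/orders", body, now=1378379950))
    print(verify_request(hdr, "POST", "/orders", b'{"order": 43}', now=1378379950))
```

Two points the answer's reasoning relies on are visible here. The HMAC header keeps the secret off the wire and ties the signature to the method, path, time and body, so a captured request cannot be replayed against a different resource or body and becomes useless once the timestamp window closes. It does nothing for confidentiality: the body still travels in cleartext on plain HTTP, which is exactly the gap the answer says TLS closes, and why Basic over HTTPS is sufficient where TLS is always in place.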