I am trying to secure a connection between a Mobile Device (Client) using a web app and a Home Device (Server) in a potentially unsafe WiFi network.
The communication is asynchronous and I am trying to prevent "replay attacks".
I was thinking about challenge-response, but the overhead of "ask for challenge, receive challenge, send message with solved challenge" is a performance issue for us.
So I was thinking about using some sort of TAN book approach like online banking does it:
Initially the Client would ask for a set of Challenges that it stores. The Server would store those Challenges and keep track of how many are already used.
If only n Challenges are left, the Server creates new Challenges and sends them with the next response to the Client. This way, the Client should almost always have enough Challenges without the overhead of asking for them first before every request.
Example:
- Client wants to log in and asks for challenges first, giving his username/userid.
- Server creates n Challenges and stores them for the given userid, then sends them to the user.
- Client sends challenge-id and hash(challenge, shared-secret).
- Server compares stored challenge (identified by challenge-id) hashed with shared secret and if correct, returns success and deletes challenge since it was now used.
Then it gets easier:
- Client wants to call API Endpoint X on Server, sends request with added Headers (challenge-id, hash(challenge, shared-secret))
- Server checks challenge and upon success deletes it, executes method X and returns response. In response it adds a new challenge in the header (i.e. challenge_id-xyz: 45egrgh3gw43gw43zrezh54egh44zg54b54esb...54sreh5j)
If the client is low on challenges:
- Client wants to call API Point X, sends Request with Challenge in Header
- Server checks Challenge, upon success deletes it, realizes the client is low on challenges (due to low amount of stored challenges) and creates new ones. It sends Response for API Point X and adds new challenges in the headers.
Is there already a concept like this and if not, does this sound too much like "bake your own crypto" or does it sound legit? Or is there a better way to do this without too much HTTP overhead?
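A runnable sketch of the scheme described in the question, added here as an example and not code from the question. It uses HMAC-SHA256 as the hash(challenge, shared-secret) step, collapses the server to a single user, and additionally binds the MAC to the request method and path (an assumption beyond the post, so a captured header cannot be reused against a different endpoint); the batch size of 5 and refill threshold of 2 are constructed values.

```python
import hashlib
import hmac
import secrets

BATCH = 5       # challenges issued per batch (constructed value)
LOW_WATER = 2   # server replenishes when fewer than this remain unused

def mac(secret: bytes, challenge: bytes, request: str) -> str:
    # HMAC-SHA256 over the one-time challenge plus a description of the
    # request, so a captured header cannot be replayed against another call.
    return hmac.new(secret, challenge + request.encode(), hashlib.sha256).hexdigest()

class Server:
    """Single-user simplification: one shared secret, one challenge pool."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.unused = {}  # challenge_id -> challenge bytes, deleted once used

    def issue(self, n: int) -> dict:
        batch = {secrets.token_hex(8): secrets.token_bytes(32) for _ in range(n)}
        self.unused.update(batch)
        return batch

    def handle(self, request: str, challenge_id: str, tag: str) -> dict:
        challenge = self.unused.get(challenge_id)
        if challenge is None:
            return {"ok": False, "error": "unknown or already used challenge"}
        if not hmac.compare_digest(mac(self.secret, challenge, request), tag):
            return {"ok": False, "error": "bad mac"}
        del self.unused[challenge_id]  # consume before executing the request
        resp = {"ok": True, "result": f"executed {request}", "new_challenges": {}}
        if len(self.unused) < LOW_WATER:
            resp["new_challenges"] = self.issue(BATCH)  # piggyback a fresh batch
        return resp

class Client:
    def __init__(self, secret: bytes, server: Server):
        self.secret = secret
        self.server = server
        self.pool = server.issue(BATCH)  # initial batch fetched at login

    def call(self, request: str) -> dict:
        cid, challenge = self.pool.popitem()  # take one unused challenge
        resp = self.server.handle(request, cid, mac(self.secret, challenge, request))
        self.pool.update(resp.get("new_challenges", {}))  # top up if server sent more
        return resp
```

The server deletes a challenge the moment its MAC verifies, so a captured header fails on its second use, and the refill rides along in the response once the unused count drops below the threshold.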