On Nov 8, 2007, at 10:17 AM, Chad Sollis wrote:
> Greetings,
> I am building a webservice that I would like to require authentication to
> access. What would be a best practice (and perhaps a light how-to) on
> secure authentication, preferably using a token/shared key.
> Unfortunately, the client consuming the webservice will likely not have a
> lot of flexibility on generating anything dynamic to pass along with the
> request. Is this even possible, if the parameters are static on their side?
> I am open to any and all suggestions.
There are two levels of security to think about here.
Strong Authentication to prove the identity of the users.
Encryption/Privacy to protect the integrity of the data transmission.
To achieve strong authentication there are several methods.
One quite interesting idea I heard about that addresses this is the use
of a one time use pad of passwords. http://www.grc.com/ppp.htm
This site describes the algorithms involved. You could implement
this easily in PHP.
To achieve Encryption/Privacy, all you really need is SSL. That will
be strong enough to keep prying eyes from seeing your data
transmissions.
--lonnie
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
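
An added example, not part of the original message and not the PPP algorithm from the linked page: a simplified server-side one-time passcode list in PHP, showing how pre-issued codes are checked in order and consumed so that a replayed code is rejected. The function names and the `$state` array layout are assumptions made for illustration; the codes would be sent over the SSL connection mentioned in the reply.

```php
<?php
// Added example: simplified one-time passcode list (hypothetical helper names).

/** Generate $count random passcodes. Returns [codes for the client, hashes for the server]. */
function otp_generate(int $count): array {
    $codes = [];
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $code = bin2hex(random_bytes(8));     // 64 bits from the CSPRNG
        $codes[$i] = $code;
        $hashes[$i] = hash('sha256', $code);  // server keeps only hashes, never plaintext
    }
    return [$codes, $hashes];
}

/**
 * Check a submitted code against the next unused entry in the list.
 * $state = ['hashes' => [...], 'next' => int] is passed by reference so the
 * position advances; in real use it would be persisted per client.
 */
function otp_verify(array &$state, string $submitted): bool {
    $i = $state['next'];
    if (!isset($state['hashes'][$i])) {
        return false;                         // list exhausted: a new list must be issued
    }
    // hash_equals() compares in constant time to avoid leaking match position
    $ok = hash_equals($state['hashes'][$i], hash('sha256', $submitted));
    if ($ok) {
        $state['next'] = $i + 1;              // consume the code so a replay fails
    }
    return $ok;
}

// Constructed demonstration: issue three codes, then use and replay them.
[$codes, $hashes] = otp_generate(3);
$state = ['hashes' => $hashes, 'next' => 0];

var_dump(otp_verify($state, $codes[0]));      // first use of code 0
var_dump(otp_verify($state, $codes[0]));      // replay of code 0
var_dump(otp_verify($state, $codes[1]));      // next code in sequence
var_dump(otp_verify($state, 'not-a-code'));   // wrong value, position unchanged
```

Failed attempts do not advance the position, so a production version would also need rate limiting or lockout on repeated failures.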