-
Notifications
You must be signed in to change notification settings - Fork 1
HMAC
Hash-based Message Authentication Code (HMAC) is used to ensure data integrity. The server and app share a secret key. When the app creates an API request it takes all of the different parameters and concatenates them in a specific order. It then runs it through the following formula
HMAC(K,m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m)) where m is the message and K is the secret key
When the server receives the request it computes its own HMAC from the received data. If the server's HMAC matches the apps then the data wasn't tampered with and the request proceeds. Otherwise the request is rejected.
The order in which the data is concatenated is important. In this applications case the order is as follows:
- method
- timestamp
- install ID
- user data
User Data is a JSON array. Using a JSON array means the server can easily perform the HMAC without knowing the exact number of parameters passed in each method request. It also means the order of the information in user data is irrelevant
The Secret Key is generated for each HMAC using an HOTP. In this way authentication and data verification are combined. As without the secret HOTP the data can't be tampered with and without the counter, increment value, and secret key of the HOTP the HMAC's secret key can't be generated.
An invalid HMAC will result in the user being logged out of the server.