There are a number of ways to prevent replay attacks when writing RESTful webservices.
Each option will depend on your requirements.
For transactional webservices I have designed a method which I find to be reasonably secure.
Let's say that this is how your webservice is currently invoked:
https://localhost:8181/someWebService/getVoucherNumber?service_provider_item_id=4&posuser_idnumber=7902115131088&posuser_pin=1234&license_code=cd15b372-cfec-11de-b323-82ddcd6bb138
This is all good and well, BUT any attacker can re-use this string as many times as they want.
The solution is to add another parameter. Let's call this parameter "signature".
To generate a signature, we do the following:
1) take the current UTC datetime and format it like this: "yyyy'-'MM'-'dd' 'HH':'mm':'ss"
2) Blowfish encrypt that string
3) hex encode the resulting string so we end up with something like this: "60e215044148b7a4a831a16065b180fa4a823b91"
Now we call our webservice with the added parameter:
https://localhost:8181/someWebService/getVoucherNumber?service_provider_item_id=4&posuser_idnumber=7902115131088&posuser_pin=1234&license_code=cd15b372-cfec-11de-b323-82ddcd6bb138&signature=60e215044148b7a4a831a16065b180fa4a823b91
The webservice does the following:
1) hex decode the string
2) Blowfish decrypt it
3) make sure that the resulting datetime stamp is within 10 seconds of the current time
If the signature is valid, then continue processing the webservice request.
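The exchange above, written out in Python as an added example (this is not code from the original post). The post encrypts the timestamp with Blowfish and hex-encodes the ciphertext; Blowfish is not in Python's standard library, so this example substitutes an HMAC-SHA256 tag over the timestamp, sent hex-encoded next to the timestamp itself, which the server decodes, checks and compares against the same 10-second window. It goes beyond the post in two ways, both labelled in the code: the tag also covers the request parameters, so a signature cannot be lifted onto a different request, and the server remembers signatures it has already accepted for the length of the window, so an exact replay inside those 10 seconds is rejected as well (the timestamp check on its own lets it through). The shared key, the fixed clock values and the parameter values are constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple
from urllib.parse import urlencode

# Constructed placeholder: the key both the client and the webservice hold.
SHARED_KEY = b"replace-with-a-real-shared-secret"

TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S"  # the post's yyyy-MM-dd HH:mm:ss, 19 characters
TIMESTAMP_LEN = 19
WINDOW_SECONDS = 10                  # the post's tolerance around the current time


def _canonical(params: Dict[str, str]) -> str:
    """Sort and URL-encode the query parameters so both sides tag identical bytes
    no matter which order the parameters appeared in on the wire."""
    return urlencode(sorted(params.items()))


def _tag(timestamp: str, params: Dict[str, str]) -> bytes:
    # Assumption beyond the post: the tag binds the parameters, not just the time.
    message = (timestamp + "\n" + _canonical(params)).encode("ascii")
    return hmac.new(SHARED_KEY, message, hashlib.sha256).digest()


def make_signature(params: Dict[str, str], now: datetime) -> str:
    """Client side: UTC timestamp, keyed tag, hex-encode (the post's three steps)."""
    stamp = now.astimezone(timezone.utc).strftime(TIMESTAMP_FMT)
    return (stamp.encode("ascii") + _tag(stamp, params)).hex()


class ReplayGuard:
    """Server side: hex-decode, check the tag, check the window, reject reuse."""

    def __init__(self, window_seconds: int = WINDOW_SECONDS) -> None:
        self.window = timedelta(seconds=window_seconds)
        self._seen: Dict[str, datetime] = {}  # accepted signature -> its timestamp

    def verify(self, signature: str, params: Dict[str, str], now: datetime) -> Tuple[bool, str]:
        try:
            blob = bytes.fromhex(signature)
        except ValueError:
            return False, "signature is not hex"
        stamp_bytes, tag = blob[:TIMESTAMP_LEN], blob[TIMESTAMP_LEN:]
        try:
            stamp_str = stamp_bytes.decode("ascii")
            stamp = datetime.strptime(stamp_str, TIMESTAMP_FMT).replace(tzinfo=timezone.utc)
        except (UnicodeDecodeError, ValueError):
            return False, "malformed timestamp"
        # Constant-time comparison so the tag check leaks nothing about the key.
        if not hmac.compare_digest(tag, _tag(stamp_str, params)):
            return False, "bad tag"
        now_utc = now.astimezone(timezone.utc)
        if abs(now_utc - stamp) > self.window:
            return False, "outside window"
        # Assumption beyond the post: remember accepted signatures for one window,
        # dropping entries that can no longer pass the window check anyway.
        cutoff = now_utc - self.window
        self._seen = {s: t for s, t in self._seen.items() if t >= cutoff}
        if signature in self._seen:
            return False, "replayed"
        self._seen[signature] = stamp
        return True, "ok"


def demo() -> List[str]:
    """Fresh request, replay inside the window, replay after it, tampered parameter,
    and a garbage signature. Returns the server's verdict for each."""
    params = {"service_provider_item_id": "4", "posuser_idnumber": "7902115131088"}
    t0 = datetime(2010, 11, 20, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    guard = ReplayGuard()
    sig = make_signature(params, t0)
    tampered = dict(params, service_provider_item_id="5")
    return [
        guard.verify(sig, params, t0 + timedelta(seconds=3))[1],     # ok
        guard.verify(sig, params, t0 + timedelta(seconds=5))[1],     # replayed
        guard.verify(sig, params, t0 + timedelta(seconds=30))[1],    # outside window
        guard.verify(sig, tampered, t0 + timedelta(seconds=3))[1],   # bad tag
        guard.verify("zz", params, t0)[1],                           # signature is not hex
    ]


if __name__ == "__main__":
    print(demo())
```

The window check also absorbs clock skew between client and server, so the 10 seconds is a bound on both skew and replay exposure. The seen-signature dictionary lives in one process; a webservice running on several hosts would keep it in a store they share, otherwise a request replayed against a different host inside the window would still pass.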
