问题
as restful web api server, we supply our client a clientid and password. I think it is enough for the client to use clientid + hMAC(clientid hashed by password) for the authentication.
I have looked through some documents which advise to use Time stamp or even more information for the base string. I just cannot understand the meaning of that.
Could any guru help explain what exactly the time stamp would help for preventing attack or anything else?
回答1:
The issue is that without a timestamp any signed message is valid forever. If an attacker managed to capture a message they could replay it infinitely even without compromising your secret used to sign the message.
If you add a timestamp then a message will expire after a short time and prevent this. You would chose how long to honor timestamps for in the server application. When you do remember to consider "future" time because the clients' click might be slightly ahead of your and appear in the future to your application.
来源:https://stackoverflow.com/questions/37150187/time-stamp-in-hmac-authentication