[UPHPU] Token Authentication
Lonnie Olson
lists at kittypee.com
Thu Nov 8 15:43:32 MST 2007
On Nov 8, 2007, at 10:17 AM, Chad Sollis wrote:
> Greetings,
> I am building a webservice that I would like to require authentication to
> access. What would be a best practice (and perhaps a light how-to) on
> secure authentication, preferably using a token/shared key.
>
> Unfortunately, the client consuming the webservice will likely not have a
> lot of flexibility on generating anything dynamic to pass along with the
> request. Is this even possible, if the parameters are static on their side?
>
> I am open to any and all suggestions.

There are two levels of security to think about here.

- Strong Authentication to prove the identity of the users.
- Encryption/Privacy to protect the integrity of the data transmission.

To achieve strong authentication there are several methods.
One quite interesting idea I heard about that addresses this is the use
of a one time use pad of passwords. http://www.grc.com/ppp.htm
This site describes the algorithms involved. You could implement
this easily in PHP.
To achieve Encryption/Privacy, all you really need is SSL. That will
be strong enough to keep prying eyes from seeing your data
transmissions.
--lonnie
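
The one-time passcode list idea from the reply above, as an added PHP example that is not part of the original message and is not the PPP algorithm described at the linked site. It derives each passcode from a shared secret with HMAC-SHA256 over a counter (an assumed stand-in); the function names and the `$state` layout are hypothetical.

```php
<?php
// Added example: one-time passcode list derived from a shared secret.
// NOT the GRC PPP algorithm; HMAC-SHA256 over a counter is an assumed stand-in.

const CODE_LEN = 8;   // hex characters per passcode (assumed length)

/** Passcode number $index for this secret. */
function passcode(string $secret, int $index): string
{
    // 64-bit big-endian counter keeps each index's MAC input distinct.
    $mac = hash_hmac('sha256', pack('J', $index), $secret);
    return substr($mac, 0, CODE_LEN);
}

/** Sheet of $count passcodes starting at $start, handed to the client once. */
function passcodeSheet(string $secret, int $start, int $count): array
{
    $sheet = [];
    for ($i = $start; $i < $start + $count; $i++) {
        $sheet[$i] = passcode($secret, $i);
    }
    return $sheet;
}

/**
 * Verify a submitted passcode against the next unused index.
 * $state = ['secret' => string, 'next' => int], persisted server-side per client.
 * Returns true and advances the counter on success, so each code works once.
 */
function verifyPasscode(array &$state, string $submitted): bool
{
    $expected = passcode($state['secret'], $state['next']);
    // hash_equals compares in constant time to avoid leaking matching prefixes.
    if (!hash_equals($expected, strtolower($submitted))) {
        return false;   // wrong or already-used code; counter unchanged
    }
    $state['next']++;
    return true;
}

// Constructed demo values.
$state = ['secret' => random_bytes(32), 'next' => 0];
$sheet = passcodeSheet($state['secret'], 0, 3);

var_dump(verifyPasscode($state, $sheet[0]));   // first use of code 0
var_dump(verifyPasscode($state, $sheet[0]));   // replay of code 0
var_dump(verifyPasscode($state, $sheet[1]));   // next code in sequence
```

Because the server accepts only the next unused code, a captured passcode cannot be replayed. Codes this short also need attempt limiting on the endpoint, and the exchange still belongs inside SSL.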