thisissoon / API-Specification

How we write our API's at SOON_

Correlation ID's in HMAC's #11

Open krak3n opened 8 years ago

krak3n commented 8 years ago

Hey Guys

HMAC signing is going well so far, but in our travels we have found there are some cases where HMAC-signing request bodies for GET requests results in you just signing an empty request body. This results in the same signature for those requests.

I was wondering if there was something unique we could always send and use as part of the signing / verification process, and we do already have something unique every request should have: a Correlation ID, which is sent in the Correlation-ID header.

We could:

This would technically mean that every request's signature is unique.

Any thoughts?

radeklos commented 8 years ago

My understanding of signatures is that it's possible to use them only in our internal network. If something could fetch data from there, it would mean that we have a more serious issue. It protects the data so that it cannot be changed without knowing the secret key.

But we can generate the signature from the URL as well, which makes a unique HMAC for different filters. The Correlation-ID should be a timestamp so the signature will expire and invalidate the request.