How To - Use Tokens to Enhance Security
From The Socknet
IP Verification is the ultimate mechanism for determining whether an agent represents an entity. A service or provider may, however, set a token that acts as a password and avoids the time cost of IP Verification on repeat contacts.
The Specification
When an entity contacts another entity for any purpose, it may include a token field in the from object of the request.
Example:
POST some_function
{ "do_something": "something",
  "from": { "serviceid": "http://photosite.com/agents",
            "token": "1442959932"
          }
}
It is not required to provide or accept a token. If a token is not present or if either party does not want to use tokens, IP Verification is used instead.
If the recipient of the request chooses to accept tokens, then it will store this token.
If the sender makes further contact with the recipient using a token, the recipient checks whether it has a matching token stored for that sender. If it does, it skips the IP Verification checks.
If the given token does not match the stored token, the recipient will fall back on IP Verification to verify the sender. If the sender is verified, the new token should replace the old token in storage.
The recipient is free to store partial tokens, hashes of tokens, or no tokens if it sees fit.
The recipient is free to use arbitrary rules to determine whether it wants to store the token. For example, it may choose to ignore a token unless it is passed via HTTPS, or to ignore a token that is too short.
A sender SHOULD use a different and hard-to-guess token for each recipient it communicates with.
Example of a token generator that requires minimal storage:
Every month:
    // The salt must come from a cryptographically secure source with enough
    // entropy to resist brute force; PHP's rand() (as in the original
    // rand() * 65535) gives neither. 16 random bytes is plenty.
    $system->set_salt(bin2hex(random_bytes(16)));
Every time:
    // One-way hash of the recipient's identifier and the secret salt yields a
    // distinct token per recipient without storing anything per recipient.
    $token = md5($recipient->open_id . $system->get_salt());
Something like the above can create a unique, impossible-to-guess token for each recipient while requiring the sender to store only one piece of information: the salt.
This example feeds a salt and the OpenID or ServiceID of the user into a one-way hash function. Presumably, it is impossible to determine the salt value from the hash; that holds only when the salt has enough entropy, since a recipient who knows its own identifier could otherwise brute-force a short salt from a single observed token.
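The following is an added example, not code from the Socknet page, covering both the recipient-side rules above (store the token on first verified contact, skip IP Verification on a match, fall back and replace on a mismatch, apply local acceptance rules) and the sender-side salted generator. The class name TokenRegistry, the ip_verify callback standing in for real IP Verification, and the 16-character minimum length are assumptions; the token derivation uses SHA-256 rather than the page's md5.

```python
import hashlib
import hmac
import secrets


class TokenRegistry:
    """Recipient side: one token per sender, stored as a hash (the spec allows hashed storage)."""

    MIN_TOKEN_LEN = 16  # assumed local rule; the spec lets the recipient pick its own

    def __init__(self, ip_verify):
        self._hashes = {}            # serviceid -> sha256 hex of the accepted token
        self._ip_verify = ip_verify  # callable(serviceid) -> bool; the slow IP Verification path

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _acceptable(self, token, over_https):
        # Example acceptance rules from the page: require HTTPS and a minimum length.
        return over_https and len(token) >= self.MIN_TOKEN_LEN

    def authenticate(self, frm, over_https=True):
        """Return (verified, method); method is 'token' when IP Verification was skipped."""
        sender = frm["serviceid"]
        token = frm.get("token")
        if token is not None and sender in self._hashes:
            # Constant-time comparison of the stored hash against the presented token's hash.
            if hmac.compare_digest(self._hashes[sender], self._digest(token)):
                return True, "token"
        # No token, unknown sender, or mismatch: fall back on IP Verification.
        if not self._ip_verify(sender):
            return False, "ip"
        # Sender verified: the new token replaces any old one, if local rules accept it.
        if token is not None and self._acceptable(token, over_https):
            self._hashes[sender] = self._digest(token)
        return True, "ip"


def new_salt():
    """Sender side: one secret, regenerated periodically, is all that must be stored."""
    return secrets.token_hex(16)


def sender_token(salt, recipient_id):
    """Sender side: per-recipient token derived from the single stored salt."""
    return hashlib.sha256((recipient_id + salt).encode()).hexdigest()
```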
Considerations
Tokens will be required for clients, once that specification is created.

