Wednesday, January 28, 2009

SAuth 1.0

An HTTP request signing scheme using RSA, SAuth (pdf).

SAuth is an HTTP request signing scheme for User Agent
authentication. It applies RSA, SHA-1 and MD5 to HTTP request
signing.

The User Agent is authenticated, and the content of the HTTP
request is protected from tampering by a man in the middle.

It has been designed for a system in which the client and the
server share RSA keys, the key sizes are substantial (e.g., 1024),
and those Key Pairs are used very frequently. It trades cost
against benefit in favor of long-term security (RSA signing is
expensive).

Other request signing authentication schemes include, for example,
the Amazon S3 authentication scheme. One design objective of
request signing schemes is to avoid the overhead of
challenge-response protocols: a request is verified statelessly
with a shared key in a single transaction.

SAuth is not asymmetric in the verification of request
signatures. It transmits a reduced form of the signature that
cannot support asymmetric signature verification, so the verifier
needs the same private key rather than only the public key. The
reduced form of the signature enhances the security of the Key
Pair at the expense of the cost of verification.
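To make the "reduced form" argument concrete, here is an added illustration (not code from the SAuth paper, whose exact canonical string and header layout are not given on this page). It assumes a canonical string of method, path, Date header and the MD5 of the body; the client signs its SHA-1 with the shared RSA private key using deterministic PKCS#1 v1.5 and sends only the SHA-1 of that signature, so the server must hold the same private key and pay for a signing operation to verify, and nothing on the wire is checkable with the public key alone.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// canonical is an assumed layout: method, path, Date and body MD5, one per line.
func canonical(method, path, date string, body []byte) string {
	bodyMD5 := md5.Sum(body)
	return strings.Join([]string{method, path, date, hex.EncodeToString(bodyMD5[:])}, "\n")
}

// reducedSignature signs the canonical request with the shared private key
// (PKCS#1 v1.5 is deterministic, so both sides get the same bytes) and
// returns only the SHA-1 of the RSA signature: the full signature never
// leaves the client, so the public key alone cannot check the header.
func reducedSignature(key *rsa.PrivateKey, canon string) (string, error) {
	digest := sha1.Sum([]byte(canon))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	reduced := sha1.Sum(sig)
	return hex.EncodeToString(reduced[:]), nil
}

// verify is the server side: it recomputes the reduced form with the same
// private key (one RSA signing per request) and compares in constant time.
func verify(key *rsa.PrivateKey, method, path, date string, body []byte, presented string) (bool, error) {
	expected, err := reducedSignature(key, canonical(method, path, date, body))
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 1024) // constructed shared key pair
	date, body := "Wed, 28 Jan 2009 12:00:00 GMT", []byte(`{"amount": 10}`)
	tag, _ := reducedSignature(key, canonical("POST", "/transfer", date, body))
	ok, _ := verify(key, "POST", "/transfer", date, body, tag)
	bad, _ := verify(key, "POST", "/transfer", date, []byte(`{"amount": 99}`), tag)
	fmt.Println("valid:", ok, "tampered:", bad) // valid: true tampered: false
}
```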
