Hawk


Martin Blom

Apr 13, 2013, 10:11:23 AM4/13/13
to oz-pr...@googlegroups.com

Hi group,

I'm very glad to have finally found an authentication scheme for HTTP that sucks less than Digest, and my intention is to use Hawk in a project I'm working on.

We have three kinds of "clients": users accessing the site with a web browser, devices operating on their own and devices being operated by a user. Here's my current plan:

1) The devices will be given a secret key somehow and will use that key to perform operations, plain Hawk.
2) Users in the web browser will provide a username and password, and I'll derive a key using SHA256(username + ":" + "NameOfSystem" + ":" + password), similar to HA1 in Digest but with fixed realm (since there is no realm attribute in Hawk?) and using SHA256 instead of MD5. The key ID will be based on the username.
3) Some device operations require elevated privileges, and in that situation I plan to derive a combined key using both the user and device keys. It will be a simple binary concatenation of the keys, hashed: SHA256(key1 + key2). The key ID will be a space-separated list of the individual key IDs.

Comments? Do you feel I'm violating the spirit of the protocol by doing this?

Eran Hammer

Apr 13, 2013, 12:39:56 PM4/13/13
to Martin Blom, oz-pr...@googlegroups.com

Looks like a reasonable way to generate the shared secrets. I did not review the actual method used for security purposes but from a protocol perspective, this looks like something I have seen others do.


EH
