I'm doing some tests with HMAC by using a time-window mechanism based on UTC+0 synced time. The server has a special public API call http://myserver.com/api/servertime/ that will return the server's exact UTC+0 time. This way the API users can sync their requesting client so it will be able to match the time window my API allows for secure calls. I built in a 30 minute timeslot (-15min - +15min).
My code looks like this:
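
    package main

    import (
        "crypto/hmac"
        "crypto/sha512"
        "encoding/base64"
        "fmt"
        "log"
        "time"
    )

    // GenerateHmac512 returns the base64-encoded HMAC-SHA512 of message under key.
    func GenerateHmac512(message []byte, key []byte) []byte {
        h := hmac.New(sha512.New, key)
        h.Write(message)
        return []byte(base64.StdEncoding.EncodeToString(h.Sum(nil)))
    }

    // ValidateHmac512 reports whether messageMAC (base64) is the HMAC-SHA512 of message under key.
    func ValidateHmac512(message, messageMAC, key []byte) bool {
        decryptedMessageMAC, err := base64.StdEncoding.DecodeString(string(messageMAC))
        if err != nil {
            // A malformed MAC fails validation; log.Fatalln would exit the whole process here.
            log.Println(err.Error())
            return false
        }
        mac := hmac.New(sha512.New, key)
        mac.Write(message)
        expectedMAC := mac.Sum(nil)
        // hmac.Equal compares in constant time.
        return hmac.Equal(decryptedMessageMAC, expectedMAC)
    }

    func main() {
        timestamp := time.Now().Unix()
        key := []byte("afad9411468602782fb62d904f623d87")
        // Sign the same timestamp value that is sent with the request.
        message := []byte(fmt.Sprintf("SecretHash,Value1,Value2,Value3,TimeStamp:%d", timestamp))
        hmacHash := GenerateHmac512(message, key)
        hmacValid := ValidateHmac512(message, hmacHash, key)
        log.Println(timestamp)
        log.Println(string(hmacHash))
        log.Println(hmacValid)
        requestValid := false
        // Accept timestamps within 15 minutes either side of now (60*15 seconds on both bounds).
        if timestamp > time.Now().Unix()-(60*15) && timestamp < time.Now().Unix()+(60*15) {
            requestValid = true
        }
        log.Println(requestValid)
    }
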
I'm hashing the timestamp that will be publicly provided in the call in my HMAC hash, combined with the secret hash. I'm wondering if this is fool-proof enough, or would it need more work to make it totally solid? The call would be something like this:

    POST http://myserver.com/api/users/
    Value1 : Data1
    Value2 : Data2
    Value3 : Data3
    Timestamp : 1420497639

Eventually when this is all OK I'm gonna send this data over SSL/TLS. I know SSL is more than enough and HMAC wouldn't be needed, but I like to have these 3 layers of security. And I want to benchmark variations of these layers to see what the performance impact is and how I can tweak it to have a good balance between performance and security.
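
A server-side version of the check described in the post, added here as an example and not the poster's code: it verifies the MAC over the values and the transmitted timestamp, applies the -15min/+15min window, and goes one step beyond the post by rejecting a MAC it has already accepted inside that window. `Sign`, `Verify`, the `seen` cache, the length-prefixed field encoding and the sample key are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
)

const window = 15 * 60 // seconds either side of server time (the post's -15min/+15min)
var ErrMAC, ErrWindow, ErrReplay = errors.New("bad MAC"), errors.New("outside window"), errors.New("replay")
var seen = map[string]int64{} // raw MAC bytes -> timestamp (hypothetical cache, not goroutine-safe)

// Sign MACs length-prefixed fields plus the timestamp, so ("ab","c") and ("a","bc") differ.
func Sign(key []byte, values []string, ts int64) []byte {
	h := hmac.New(sha512.New, key)
	for _, v := range values {
		fmt.Fprintf(h, "%d:%s,", len(v), v)
	}
	fmt.Fprintf(h, "TimeStamp:%d", ts)
	return h.Sum(nil)
}

// Verify checks the MAC first, then the window, then rejects repeats inside the window.
func Verify(key []byte, values []string, ts int64, macB64 string, now int64) error {
	got, err := base64.StdEncoding.DecodeString(macB64)
	if err != nil || !hmac.Equal(got, Sign(key, values, ts)) {
		return ErrMAC // malformed or wrong MAC: reject the request, keep serving
	}
	if ts < now-window || ts > now+window {
		return ErrWindow
	}
	for m, t := range seen { // expire entries the window check would reject anyway
		if t < now-window {
			delete(seen, m)
		}
	}
	if _, dup := seen[string(got)]; dup { // keyed on decoded bytes, not the base64 text
		return ErrReplay
	}
	seen[string(got)] = ts
	return nil
}

func main() {
	key, vals, now := []byte("constructed-demo-key"), []string{"Data1", "Data2", "Data3"}, int64(1420497639)
	mac := base64.StdEncoding.EncodeToString(Sign(key, vals, now))
	fmt.Println(Verify(key, vals, now, mac, now), Verify(key, vals, now, mac, now))
}
```

The `now` parameter is passed in rather than read from the clock so the window edges can be exercised in tests.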