3

My team is working on web API project for one customer which will call this API. Now we are thinking about authentication. We've stopped on two options HMAC and client certificates

  • HMAC:

    • pros - no expiration (just pair of client id and secret key),
    • cons - complex logic for client to implement HMAC token.

  • Client certificate:

    • pros - simple for client (just attach client certificate to httprequest),
    • cons - expiration, need to support of renewal of certificates.

Please help me with pros and cons here.

StackzOfZtuff
  • 17,923
  • 1
  • 51
  • 86
mtkachenko
  • 211
  • 2
  • 12

2 Answers2

8

Overall, I would recommend HMAC unless you have particular requirements for client certificates. The reasons are:

Expiry

While it is true that there is no mandatory expiry with HMAC, in reality, you should expire any kind of password/secret/encryption key on a regular basis. This is enforced by certificates but you should do it as a matter of policy for any such key. I don't think this is a genuine pro for HMAC.

Intermediaries

If you have some intermediary like a Web Application Firewall that needs to inspect requests, it can be complex to use client certificates. This is a con for client certificates and a pro for HMAC.

Complexity

Is it really so complex to create an HMAC? There are client libraries to do this for Ruby, Java, .Net, Node and Python. I stopped googling there, but I'm sure most modern platforms have an existing library. This is probably a pro for certificates as you said, but a relatively minor one in my opinion.

Familiarity

HMAC is in use in some popular APIs from different market sectors (e.g. Twitter, AWS, Xero). I think client certificates are relatively uncommon outside of an enterprise setting. This is a pro for HMAC and a con for client certs. Disclaimer: This is subjective. I have no hard evidence for this - it's just based on what I've experienced in practice.

Mike Goodwin
  • 2,161
  • 1
  • 12
  • 13
2

Be careful, you are confusing two types of authentication here:

  • HMACs authenticate a single message only and not a whole user/client (have a look here please). HMACs may need an already authenticated or trusted user/client beforehand.
  • Client certificates authenticate, as the name already suggests, clients.

So depending on the specifications of your api you could use both?

Community
  • 1
Sebastian
  • 330
  • 1
  • 8
  • Basic workflow: client needs to send data in our api. Here I don't see big differences: using HMAC I can authenticate message (who sent it, signature contains clientid). As I understand client certificate supports very similar logic: when I call some api from code I need to "attach" client certificate to each request. – mtkachenko Dec 14 '15 at 12:25
  • Very abstractly spoken: There is no need to "attach" the client certificate to each request, because that's what HMACs are for. Client certificates are usually sent during handshakes, where some kind of secret is generated. This secret is then used to generate a HMAC for each message sent between server and client. – Sebastian Dec 14 '15 at 12:33
  • Does handshake concept work in "requests from code"? I mean it's not a browser and I need to add certificate to request everytime. – mtkachenko Dec 14 '15 at 12:45
  • Do your clients have something like a session? Or are these requests made only every now and then by your clients? Basically I have to leave this question to somebody who is more expierienced than me. I was just pointing out that you were comparing apples and pears in your initial question – Sebastian Dec 14 '15 at 12:50
  • What do you think about pros and cons? – mtkachenko Dec 14 '15 at 12:52