When a server receives an API call, it needs to know two things: who is making the call, and whether the call is legal.
If you had only one element (the "key") and turned it on each time it was called, it would answer both questions. Based on the โkeyโ, the server knows who you are, and because only you know the key, this proves that the call really comes from you. But turning on the key with each call is a bad security practice: if someone can read at least one of your messages on the way, your key is compromised and someone can pretend to be you. Therefore, if you are not using HTTPS, this approach does not work.
Instead, you can enable digital signature with each call signed with some โsecretโ number. (The "secret" number is not sent by itself). If an attacker manages to read your message, he will not be able to determine this "secret" number from the signature. (This is how digital signatures work: they are one-way).
But this does not solve the identification issue: In the latter case, how does the server know who is calling? He may try to verify the signature on the "secret" of each individual user, but, of course, it will be very time-consuming.
So, here's what we do: send both the โkeyโ (which identifies the user) and the signature created using the โsecretโ number (which proves that the message is legal). The server scans the user based on the key, and then verifies the signature using this secret user number.
This is a bit like when you write a check: it has an account number (to identify you) and your signature (to prove that you are you). Having only an account number will not prove that you actually wrote the check. Having only a signature without an account number would force the bank to compare your check with all its signatures for all of its accounts, which, obviously, would be ineffective.
Eugene Osovetsky Sep 30 '09 at 23:03 2009-09-30 23:03
source share