Services key authentication with Flash - how to store keys?

itarato wrote:

Hi,

I would like to hear your opinion. I'm using Services 6.2, XML-RPC and key authentication. I'm calling it from an embedded Flash object. The communication works perfectly. My problem is with the API key and where to store it.
I need the API key in the Flash object when sending the XML-RPC request. I shouldn't hardcode the key in ActionScript; it should stay customizable. I think it's also not good practice (moreover, it is a security hole) to provide the key as a flashvar.
I can't think of any other good and secure way to get the API key. (OK, I can imagine that end users enter the key value in Flash and store it in the Flash user variables. But I'm pretty sure that end users shouldn't get the key at all. It also looks bad from the user experience point of view.)
What do you think, how should it be provided?

Thanks,
Peter

Comments

difficult

rolf vreijdenberger wrote:

Hi Peter,

This is a known hard issue :)

Over normal HTTP traffic, everything can be intercepted by a man-in-the-middle attack, which means that any piece of information sent to a Flash file can be seen and intercepted. So the key cannot be transferred without exposing it.
This is true for:
- a separate call to a script to get the key
- key loaded in via a file
- key passed to Flash via a webpage's flashvars
- hardcoded in Flash (which can be decrypted)

It can of course be obfuscated, security through obscurity etc., but it cannot be totally hidden.

On the bright side, full security can be had.

We use amfphp at our company to communicate with Flash (via our open-source package, see http://www.dpdk.nl/opensource/drupalproxy-as-a-bridge-between-flash-as3-...), and if you use key authentication, combined with the right domain and user permissions (via a login through Flash for example, optionally 'under the hood' via a sessionId/user object passed in via flashvars), the communication will be very safe.

Handing out the key (making it public via hardcoding in swf or via flashvars) does not feel right, but does not have to be a security issue either.

Is there any reason why you use XML-RPC instead of the native Flash method of using Flash Remoting (with amfphp communication via Services to Drupal)?

The link above will give you all functionality you will need to communicate with services, with sessions, key authentication, the works. In three lines of code :)
You can also download some demo code from a presentation I gave at the Dutch Adobe User Group XL event recently at http://augxl.dpdk.nl (see downloads, fully commented source code available, presentation is in Dutch).

Good luck

Kind regards,

Rolf Vreijdenberger

Drupal and Flash: http://www.dpdk.nl/opensource/drupalproxy-as-a-bridge-between-flash-as3-...
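The reply above makes two points a practitioner will want to see concretely: whatever is shipped to the Flash client (swf, flashvars, a fetched file) is recoverable, so the server must not treat possession of the key as full trust; instead the key is bound to a domain and the call is further limited by the logged-in user's permissions. The following is an added example, not code from this thread or from the drupalproxy package. It models the Services-style key authentication as I understand it (an HMAC-SHA256 over `timestamp;domain;nonce;method` with the API key; the exact field layout is my assumption) and shows the server-side checks that keep an exposed key from being useful on its own: domain lookup, timestamp freshness, nonce replay rejection, constant-time signature comparison, and a per-session permission check. All keys, domains and sessions are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: per-domain keys as the server would store them.
# These are placeholders, not real credentials.
KEYS_BY_DOMAIN = {
    "example.com": "k-EXAMPLE-PLACEHOLDER-1",
    "demo.example.org": "k-EXAMPLE-PLACEHOLDER-2",
}

# Methods each session may call. A real site would derive this from the
# logged-in user's roles; constructed here for the example.
SESSION_PERMISSIONS = {
    "sess-alice": {"node.get", "node.save"},
    "sess-anon": {"node.get"},
}

MAX_SKEW = 300  # seconds a call's timestamp may differ from server time


def sign_call(key, domain, method, timestamp=None, nonce=None):
    """Client side: build the fields of a key-authenticated call.
    The signed layout timestamp;domain;nonce;method is my assumption about
    the Services 6.x scheme, not taken from its source."""
    timestamp = str(int(time.time()) if timestamp is None else timestamp)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = ";".join([timestamp, domain, nonce, method]).encode()
    digest = hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()
    return {"hash": digest, "domain_name": domain, "domain_time_stamp": timestamp,
            "nonce": nonce, "method": method}


class Verifier:
    """Server side. The key only identifies which deployment (domain) is
    calling; what the call is allowed to do comes from the user session."""

    def __init__(self, keys_by_domain, session_permissions, now=time.time):
        self.keys = keys_by_domain
        self.perms = session_permissions
        self.now = now
        # Nonces seen inside the freshness window. A production store would
        # expire entries older than MAX_SKEW so the set cannot grow unbounded.
        self.seen_nonces = set()

    def verify(self, call, session_id):
        """Return (ok, reason); reason names the first failed check."""
        key = self.keys.get(call.get("domain_name"))
        if key is None:
            return False, "unknown domain"
        try:
            ts = int(call["domain_time_stamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(self.now() - ts) > MAX_SKEW:
            return False, "stale timestamp"
        replay_id = (call["domain_name"], call["nonce"])
        if replay_id in self.seen_nonces:
            return False, "replayed nonce"
        msg = ";".join([call["domain_time_stamp"], call["domain_name"],
                        call["nonce"], call["method"]]).encode()
        expected = hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the digest through timing differences
        if not hmac.compare_digest(expected, call["hash"]):
            return False, "bad signature"
        self.seen_nonces.add(replay_id)
        allowed = self.perms.get(session_id, set())
        if call["method"] not in allowed:
            return False, "method not permitted for this session"
        return True, "ok"


if __name__ == "__main__":
    v = Verifier(KEYS_BY_DOMAIN, SESSION_PERMISSIONS)
    call = sign_call(KEYS_BY_DOMAIN["example.com"], "example.com", "node.save")
    print(v.verify(call, "sess-alice"))  # key and session both check out
    print(v.verify(call, "sess-anon"))   # same call, replayed and unprivileged
```

The design point is the last check: even a client that has extracted the key from the swf can only sign calls for the domain the key is bound to, cannot replay or back-date them, and still gets only the methods its own session is permitted to call.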

Wow, thanks

itarato wrote:

Hi Rolf,

I've been checking out your library and it's really great. I'll check if I can use it.
I was wrong about XML-RPC: I'm not using that, I'm using AMFPHP.
I got the point of domain-key pair authentication. Maybe I'm wrong, but I guess this model is not really distributable. How would you make it so that you can give your service to anybody (deploying it to different domains) and s/he will have the same secure environment?

Thanks,
Peter

I'm also interested in

maemae wrote:

I'm also interested in client-side server authentication.

Subscribe.
