
CAS-004 Exam - Question 81


An enterprise is deploying APIs that utilize a private key and a public key to ensure the connection string is protected. To connect to the API, customers must use the private key.

Which of the following would BEST secure the REST API connection to the database while preventing the use of a hard-coded string in the request string?

Correct Answer: AD

A

Reference:

https://eclipsesource.com/blogs/2016/07/06/keyed-hash-message-authentication-code-in-rest-apis/

Discussion

8 comments
BLADESWIFTKNIFE (Option: D)
Jan 27, 2023

How does HMAC provide authentication? Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

ryanzou (Option: D)
Nov 5, 2022

I would choose D

chil7chil7 (Option: D)
Nov 24, 2022

REST API - HMAC

ts260 (Option: D)
Sep 17, 2022

It's D. The explanation describes D

adamwella (Option: D)
Sep 23, 2022

REST APIs that serve their content via HTTP have limited options for authentication. One of these is request signing. With a little bit of custom specification the standard approach HMAC can be utilized for efficient and secure authentication.

BiteSize (Option: D)
Jul 19, 2023

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

e4af987
Apr 1, 2024

I've been doing the same - using Gemini, ChatGPT and Copilot - problem is - they all give different answers. And you can give the same question the next day and they might give another answer. I find they are also very biased - they have valid arguments but they totally disregard some parts of the scenario. Then you call them out on it and they change their answer... so... good luck to us all!

OdinAtlasSteel (Option: D)
Nov 14, 2023

HMAC (Hash-based Message Authentication Code) is a cryptographic method used for message authentication. It involves a process that uses a secret key along with a cryptographic hash function to create a hash-based authentication code. In this context, using HMAC for the keys would allow the creation of a secure hash value based on the private key, ensuring that the connection string isn't transmitted in plain text. HMAC provides a way to sign and verify the integrity and authenticity of the API request without exposing the private key in the request string. It ensures that the connection remains secure without the risk of exposing sensitive information like hard-coded strings or private keys.

23169fd (Option: D)
Jul 12, 2024

HMAC (Hash-based Message Authentication Code):

Purpose: HMAC is used to ensure data integrity and authenticity by combining a secret key with the message. It generates a hash that can be verified on the receiving end using the same secret key.

Prevents Hard-Coding: By using HMAC, the private key is not directly embedded in the request. Instead, it is used to generate a hash that secures the data. This means that even if the request string is intercepted, the actual key remains protected.

Security: HMAC provides strong security guarantees and ensures that the data has not been tampered with. It is widely used in secure API authentication.
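
The request-signing flow the comments above describe, as an added example that is not part of the original thread or the referenced blog post: the client sends an HMAC-SHA256 over a canonical request string, and the server recomputes it and compares in constant time. The environment variable name `API_HMAC_SECRET`, the `X-Signature` label, the canonical string layout and the 300-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def load_secret(env=os.environ):
    """Fetch the shared secret from the environment instead of source code."""
    return env["API_HMAC_SECRET"].encode()  # hypothetical variable name


def canonical(method, path, body, timestamp):
    """Bind method, path, timestamp and a body digest into one signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign(secret, method, path, body, timestamp):
    """Client side: only this hex MAC travels with the request, never the secret."""
    return hmac.new(secret, canonical(method, path, body, timestamp),
                    hashlib.sha256).hexdigest()


def verify(secret, method, path, body, timestamp, signature, now=None):
    """Server side: recompute the MAC and compare in constant time."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW:
        return False  # stale or future-dated: limits replay of captured requests
    expected = sign(secret, method, path, body, timestamp)
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # Constructed sample secret and request, for demonstration only.
    secret = load_secret({"API_HMAC_SECRET": "constructed-demo-secret"})
    ts, body = 1_700_000_000, b'{"account": 42}'
    sig = sign(secret, "POST", "/v1/orders", body, ts)
    print("X-Signature:", sig)
    print("valid:   ", verify(secret, "POST", "/v1/orders", body, ts, sig, now=ts + 10))
    print("tampered:", verify(secret, "POST", "/v1/orders", b'{"account": 43}', ts, sig, now=ts + 10))
    print("replayed:", verify(secret, "POST", "/v1/orders", body, ts, sig, now=ts + 3600))
```

Signing the timestamp and a body digest along with the method and path is what lets the server reject a modified or replayed request, not just one with a wrong key.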