Hivetop Hivetop

Introducing auth.pico: A Secure and Modern HTTP Authentication Scheme

Jonas Seidemann
Feature image

With the increasing sophistication of cyber threats, modern API authentication needs to be both robust and easy to implement. At alpico, we are happy to announce the release of our brand-new authentication scheme, a state-of-the-art solution that leverages ed25519 signatures for securing your HTTP requests.

To start using the alpico Authentication Scheme and access our code, visit our GitHub repository.

The Challenge of Modern API Authentication

Every request made to the alpico backend needs to be authenticated by the client. However, password-based schemes and traditional methods like HTTP Basic and Digest fall short in ensuring the level of security required for today’s APIs. Even HMAC-based approaches, while stronger, demand the management of shared secrets that must be kept secure on both ends. This becomes a significant challenge in a distributed backend system.

To address these concerns, we have adopted a public-key signature scheme, where the private key never leaves the device on which it was generated. With a previously registered public key, the backend can confidently verify that a specific request originates from a particular user and that the request parameters have not been tampered with.

Why ed25519 Signatures?

We have chosen to build our authentication scheme on top of ed25519 signatures for several compelling reasons:

  1. Efficiency: ed25519 signatures are fast to calculate, ensuring that the authentication process doesn’t introduce significant latency into your API requests.
  2. Security: Implementing ed25519 is easier to do securely than RSA, reducing the likelihood of vulnerabilities in your authentication system.
  3. Widespread Support: ed25519 signatures enjoy wide support across various programming languages and libraries, making it accessible for developers in different ecosystems.

You can find a comprehensive description of ed25519 in RFC 8082, which includes example code and test vectors. While implementing ed25519 signatures from scratch is possible, we strongly recommend using an existing library like libsodium to minimize the risk of subtle bugs undermining your system’s security.

Security Considerations

Security is paramount in any authentication scheme, and the alpico Authentication Scheme has been meticulously designed with this principle in mind. Let’s delve deeper into the various aspects of security that our scheme provides:

1. Public-Key Cryptography

At the heart of our authentication scheme lies public-key cryptography, specifically ed25519 signatures. This cryptographic approach offers robust security benefits:

2. Signature Validity

The alpico Authentication Scheme introduces the concept of signature validity through the time parameter. This feature plays a crucial role in enhancing security:

3. Protection Against Key Theft

One significant security concern with public-key cryptography is the potential theft of private keys. The alpico Authentication Scheme mitigates this risk:

4. Header Integrity

Our authentication scheme places a strong emphasis on HTTP header integrity:

Ongoing Maintenance and Updates

The alpico team is committed to continuously monitoring the security landscape and addressing any emerging threats. As part of our commitment to security, we will release updates and improvements to the authentication scheme as needed.

Community and Collaboration

We encourage active collaboration and feedback from the developer community. If you identify potential security improvements or have suggestions for enhancing the scheme’s security posture, please don’t hesitate to engage with us on our GitHub repository. Your input is invaluable in making the alpico Authentication Scheme even more secure in the future.

← Back to Blog