
Question

I'm developing an API system which provides functionality for a game. Currently we are using HMAC to prevent simulated requests (let's say, to prevent hackers from simulating the game), but because we encountered some issues with HMAC, I thought it might be better to use a temporary password, the same as what Google Authenticator does.

I'd like to know whether it is a good approach to use TOTP to generate a temporary password on the client, send it to the server via an HTTP request and validate it on the server. The goal is to prevent simulating or sending requests from third-party clients.

Explanation / Answer

TOTP is an HMAC. It just happens to be an HMAC of a timestamp with some granularity where the passwords need to be rotated. Note that with either a time-based HMAC or some other HMAC, an attacker with a copy of a legitimate client can extract the shared key and use that key to forge requests from their client.
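To make the answer concrete, the following is an added example, not code from the original post or from the asker's system. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly on top of HMAC-SHA1 so the relationship is visible in the code: the TOTP code is HMAC(key, floor(time / 30)) with dynamic truncation. It then plays the attack the answer describes: an attacker who has extracted the shared key from a copy of the client produces a code the server accepts. The key value (the RFC 6238 SHA-1 test secret), the 30-second step, the one-step verification window and the request format are assumptions made for the demonstration.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo key (the RFC 4226/6238 SHA-1 test secret), not from the original post.
# In the scenario under discussion this key has to ship inside the game client,
# which is exactly why an attacker with a copy of the client can forge codes.
SHARED_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step).
    Nothing else changes: it is still an HMAC under the same shared key."""
    return hotp(key, unix_time // step, digits)


def server_verify(key: bytes, presented: str, unix_time: int,
                  window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current time step and for
    `window` steps either side to tolerate clock skew. Comparison is
    constant-time so the check itself does not leak the expected code."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), presented):
            return True
    return False


def forged_request(extracted_key: bytes, unix_time: int) -> dict:
    """What a third-party client does once it has pulled the key out of the
    legitimate client binary: compute the same HMAC and send it. The request
    shape is assumed for the demonstration."""
    return {"action": "claim_reward", "totp": totp(extracted_key, unix_time)}


def demo() -> bool:
    """Returns True when the server accepts the forged request, i.e. when the
    extracted key is enough to impersonate the real client."""
    now = int(time.time())
    req = forged_request(SHARED_KEY, now)
    return server_verify(SHARED_KEY, req["totp"], now)


if __name__ == "__main__":
    print("legit client code :", totp(SHARED_KEY, int(time.time())))
    print("forged request    :", forged_request(SHARED_KEY, int(time.time())))
    print("server accepted   :", demo())
```

The `hotp` and `totp` functions reproduce the published test vectors (for the secret above, HOTP counter 1 and TOTP at T=59 both give 287082), and `demo()` returns True regardless of when it is run: the server has no way to tell the forged request from a genuine one, because both are computed from the same key with the same HMAC. Moving from a plain request HMAC to TOTP changes what is being MAC'd, not who can compute it.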
