Secure API Access with MD5 Hashing

TL;DR

This guide shows you how to secure your APIs using a simple but effective authentication and authorization method based on MD5 hashing. We’ll combine a user ID, secret key, the API endpoint being accessed, and the request payload into a hash for verification.

Step-by-Step Guide

1. Understand the Concept

• Each user gets a unique userid and a secret key. Never share the key!
• Before sending an API request, the client calculates an MD5 hash of: userid + key + endpoint + payload.
• The server receives the request, recalculates the same hash using its stored user secrets, and compares it to the hash sent by the client. If they match, the request is authenticated.

Client-Side Hash Generation

You’ll need a library or function to calculate MD5 hashes in your chosen programming language. Here are examples:

• Python:

  import hashlib
  
  def generate_hash(userid, key, endpoint, payload):
    data = userid + key + endpoint + payload
    hashed_data = hashlib.md5(data.encode('utf-8')).hexdigest()
    return hashed_data

• JavaScript:

  function generateHash(userid, key, endpoint, payload) {
    const data = userid + key + endpoint + payload;
    const hash = CryptoJS.MD5(data).toString(); //Requires CryptoJS library
    return hash;
  }
  

Server-Side Verification

On your server, implement the following steps for each API request:

1. Extract the userid from the request (e.g., from headers or authentication tokens).
2. Retrieve the user’s secret key from a secure storage location (database, configuration file – *never* hardcode it!).
3. Extract the endpoint and payload from the request.
4. Calculate the MD5 hash using the same formula as the client:

   data = userid + key + endpoint + payload
   hash = hashlib.md5(data.encode('utf-8')).hexdigest() #Python example

5. Compare the calculated hash with the hash sent by the client in the request header (e.g., an X-Signature header).
6. If the hashes match, authenticate the user and authorize access to the requested resource. Otherwise, reject the request with a 401 Unauthorized error.

Example Request Header

The client should include the generated hash in a custom header:

X-Signature: <generated_hash>

Important Security Considerations

• HTTPS is Essential: Always use HTTPS to encrypt communication and prevent man-in-the-middle attacks.
• Salt the Hash (Recommended): Add a random salt value to both client-side hash generation and server-side verification for increased security. This makes it harder for attackers to precompute hashes.
• Rate Limiting: Implement rate limiting to prevent brute-force attacks attempting to guess user secrets.
• Key Rotation: Regularly rotate user keys to minimize the impact of compromised credentials.
• MD5 is Old: MD5 has known vulnerabilities. While suitable for basic authentication, consider stronger hashing algorithms like SHA-256 or newer for higher security requirements.