I was just hoping for a bit of feedback regarding a proposed method for securing access to a stateless web API server which could help protect bitcoins.
I would like it such that each request is signed by the client, in such a way that I can guarantee that the issuer of the request is a valid user of our site.
Server and client have a shared secret - i.e. the hashed password of the user, so...
- Server sends a random nonce value to the client
- Client constructs a signing key K as (nonce,hashed_password)
- Client signs each request with key K
- e.g. ('delete image_x',user_id,request_signature)
- Server then checks the signature as being valid for every request before processing it.
Are there any obvious flaws?
cheers!
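The exchange sketched in the post, written out as an added example (this is not code from the poster): the server issues a random nonce, the client derives a per-session key K from (nonce, hashed_password), signs each request with K, and the server recomputes and checks the signature before acting. HMAC-SHA256 as the signing construction, a newline-separated canonical encoding of the request fields, and the hashed password being available as bytes on both sides are all assumptions of this example, not details stated in the post.

```python
import hashlib
import hmac
import secrets

# Constructed sample shared secret: the stored (hashed) password for the user.
# Real deployments would load this from the user store; the value here is only for the demo.
HASHED_PASSWORD = hashlib.sha256(b"correct horse battery staple").hexdigest().encode()


def issue_nonce() -> bytes:
    """Server side: a fresh random nonce, sent to the client at the start of a session."""
    return secrets.token_bytes(16)


def derive_signing_key(nonce: bytes, hashed_password: bytes) -> bytes:
    """K = HMAC-SHA256(hashed_password, nonce).

    Using HMAC rather than a plain concatenate-and-hash keeps the shared secret as the
    key input and binds K to the server-chosen nonce (assumed construction)."""
    return hmac.new(hashed_password, nonce, hashlib.sha256).digest()


def canonical_request(user_id: str, action: str) -> bytes:
    """Deterministic encoding of the fields covered by the signature (assumed format).

    Both sides must agree on this exactly, otherwise signatures will not match."""
    return user_id.encode() + b"\n" + action.encode()


def sign_request(key: bytes, user_id: str, action: str) -> str:
    """Client side: request_signature = HMAC-SHA256(K, canonical_request)."""
    return hmac.new(key, canonical_request(user_id, action), hashlib.sha256).hexdigest()


def verify_request(nonce: bytes, hashed_password: bytes,
                   user_id: str, action: str, signature: str) -> bool:
    """Server side: recompute K from the nonce it issued and the stored hashed password,
    recompute the expected signature, and compare in constant time."""
    key = derive_signing_key(nonce, hashed_password)
    expected = sign_request(key, user_id, action)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Walk through one session: nonce -> key -> signed request -> server check.
    nonce = issue_nonce()
    key = derive_signing_key(nonce, HASHED_PASSWORD)
    sig = sign_request(key, "user42", "delete image_x")
    print("tuple sent to server:", ("delete image_x", "user42", sig))
    print("server accepts:", verify_request(nonce, HASHED_PASSWORD, "user42", "delete image_x", sig))
    # Any change to the signed fields invalidates the signature.
    print("tampered action accepted:",
          verify_request(nonce, HASHED_PASSWORD, "user42", "delete image_y", sig))
```

One design point the code makes visible: `verify_request` needs the nonce the server handed out, so the server keeps at least that one item of per-session state (nonce bound to user_id), and the comparison uses `hmac.compare_digest` rather than `==` so verification time does not depend on how many leading bytes of the signature are correct.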