The RSA authentication method is almost identical to HMAC. The only difference is that it uses an RSA private key to sign the String-to-Hash and a RSA public key to validate that the signature is valid. RSA keys provide a more secure way of signing your auth headers than using a password. While a password can eventually be cracked with a brute force attack, RSA keys are nearly impossible to decipher by brute force alone. The downside of using RSA to sign API calls, is that RSA signatures require a lot more CPU resources (up to ~250 times) than HMAC hashing.
The following section outlines the steps involved in generating an RSA key pair with OpenSSL. We recommend that you generate a 2048 bit key pair as 1024 bit keys are no longer considered secure and 4096 bit keys consume considerable CPU resources when signing API calls.
- Generate a 2048-bit RSA private key and write it to a file
#Output an RSA private key with 2048 bit protection. openssl genrsa -out private.pem 2048
- Generate a PKCS8 formatted file from the private key and write it to file
private8.pem. The private8.pem file must be used in the RSA-DIGEST function to sign the requests.
#Generate a pk8 file from the private key. openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private.pem -out private8.pem
- Generate the public key file from the private key and write it to a file
#Generate a public key from the private key. openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Now that you know how to create a public and a private key, You must send the public key to Bluefin, and keep the private key on your server.
|username||This property must be set to your partnerId.|
|nonce||This property must be set to a nonce. A nonce can be any arbitrary string, however each nonce can be used only once once over a 15 minute period. Our service keeps a record of these nonces; if a nonce is encountered more than once during a 15 minute period the API call is rejected and an auth error response is produced. It is up to you to keep the nonce unique.|
|timestamp||A unix timestamp. Our service will reject API calls with a timestamp older than 15 minutes.|
|response||The response property is an RSA private key signature of a number of the API call's properties.|
How to construct RSA Authentication headers for Decryptx Parser requests
Updated over 1 year ago