I've written an article for SD Times about the proliferation of standards for Cloud security. In the article I mention the Amazon Query API method of authentication, which although not an actual standard, has become something of an "industry standard" for authentication to Cloud-based APIs. It is widely used, not least for Amazon's own APIs of course.
The article didn't allow space for message examples, but here in this blog I can show an example of the Amazon Query API. This request is generated by a Vordel Gateway, acting as a client in this case. You can see that the request contains an "Authorization" header which is an HMAC signature computed over data including the URL, the timestamp, and the nonce ("number once" - a value which changes with each request, to combat capture-replay attacks). The signature is created using a shared secret key. An advantage of the Query API is that it is *much* smaller than using XML Signature, for example. It is also RESTful, because the request is a regular HTTP POST with the parameters passed as HTTP parameters. In effect it mimics a HTML Form POST. Here is the example below:
GET /ProcessAPIRequest HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Via: 1.1 Dell-PC (Gateway)
Limitations of Statistics on Measuring Risk
21 hours ago