
Topic: API on intranet - auth implementation, yes, no, how ?

xint (New Member, 33 posts)
API on intranet - auth implementation, yes, no, how ?
« on: January 20, 2025, 12:15:47 pm »

Hello,
A few years ago, I wrote an application for our internal use. It is an API that I would now like to extend functionally. As it was previously only for us and was running on our own intranet, I hadn't implemented any authentication at that time. Every query was answered, no matter where it came from.

Now the question of authentication has come up, and I'm still at the very beginning without any substantial ideas. On the one hand, I fear that the additional transmission of salt+hash and the server-side handling of many requests will have an effect on response times, but that's just a feeling that I can't yet substantiate. On the other hand, I also wonder if I can't just save the client's IP as authorized after successful authentication, because the lease time for DHCP assignment is usually longer than 24 hours.
When using IPs, I only have to look it up in a list as it is already part of the transaction. Transferring the hash would easily double the amount of data for each transaction.

I am now looking for arguments and ideas ...

Thank you very much !

MarkMLl (Hero Member, 8505 posts)
Re: API on intranet - auth implementation, yes, no, how ?
« Reply #1 on: January 20, 2025, 01:29:44 pm »
What is this API of which you speak, and how much trouble are you going to go to to protect against intrusion if (when) somebody runs it from home?

If it's anything remotely HTTP-oriented then look at SSL etc. Otherwise consider something like CHAP as the minimum usable.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

xint (New Member, 33 posts)
Re: API on intranet - auth implementation, yes, no, how ?
« Reply #2 on: January 20, 2025, 01:47:14 pm »
Thanks for picking my question up.

The API provides internal access to various information from the ERP database. We implemented it this way because, on the one hand, not every service in the company is able to query the database directly and, on the other hand, we do not want to give several services access to this important database.
In addition, the API can already prepare the data for certain function calls in such a way that it can be further processed by the client in the best possible way.

There is no remote access! The API ignores all requests that do not come from an address range within its own subnet.

MarkMLl (Hero Member, 8505 posts)
Re: API on intranet - auth implementation, yes, no, how ?
« Reply #3 on: January 20, 2025, 02:17:27 pm »
For /purely/ local use, and assuming that you've built from the ground up hence don't have ready access to e.g. SSL, I'd have thought CHAP would have been adequate.

I'm pretty sure I've done an implementation somewhere, but the key point (in a business environment) is that the user enters a (username and) password from which a hash is immediately generated, then the password is overwritten with the same number of spaces before it goes out of scope, to ensure that it's not left hanging around in memory.

Somebody like Thaddy might express himself strongly on this, in which case I suggest acquiescing in the interest of a quiet life :-)

MarkMLl
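The challenge/response scheme suggested in Reply #1 and Reply #3, written out as an added example; this is illustrative code, not anything posted in the thread or taken from the original poster's API. It departs from RFC 1994 CHAP in two assumed choices: the response is HMAC-SHA256 over a random server challenge rather than MD5(id || secret || challenge), and the per-user key is derived from the password with PBKDF2 and a stored salt. The user name "erp-reader", the password strings, the 100,000 PBKDF2 rounds and the in-memory session table are all made up for the demo. As in CHAP, the server still holds a password-equivalent key, so the user table needs the same protection as the ERP credentials it guards.

```python
"""CHAP-style challenge/response for a home-grown intranet API protocol.

Added illustration, not code from the forum thread. Assumptions: HMAC-SHA256
over a random server challenge (instead of RFC 1994's MD5), a per-user key
derived from the password with PBKDF2, and an in-memory session table.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption; tune to the server's CPU budget


def derive_key(password: bytearray, salt: bytes) -> bytes:
    """Turn the password into a fixed-size key, then wipe the password buffer.

    The caller must pass a bytearray: an immutable str/bytes cannot be
    overwritten in place, so the plaintext would linger until the GC runs.
    """
    key = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    for i in range(len(password)):
        password[i] = 0  # overwrite before it goes out of scope
    return key


class ChapServer:
    def __init__(self) -> None:
        self._users = {}     # user -> (salt, key); the key never crosses the wire
        self._pending = {}   # challenge id -> (user, challenge), consumed on use
        self._sessions = set()

    def enrol(self, user: str, password: bytearray) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str):
        """Step 1, server -> client: a fresh random challenge, usable once."""
        if user not in self._users:
            return None
        cid = secrets.token_bytes(8)
        chal = secrets.token_bytes(32)
        self._pending[cid] = (user, chal)
        return cid, self._users[user][0], chal  # salt is public, key is not

    def verify(self, cid: bytes, response: bytes):
        """Step 3, server side: returns a session token, or None on failure."""
        entry = self._pending.pop(cid, None)  # pop: a replayed cid fails here
        if entry is None:
            return None
        user, chal = entry
        expected = hmac.new(self._users[user][1], chal, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return None
        token = secrets.token_bytes(16)
        self._sessions.add(token)
        return token

    def is_authorised(self, token: bytes) -> bool:
        return token in self._sessions


def client_response(password: bytearray, salt: bytes, chal: bytes) -> bytes:
    """Step 2, client -> server: only a 32-byte MAC is sent, never the password."""
    key = derive_key(password, salt)  # password buffer is zeroed inside
    return hmac.new(key, chal, hashlib.sha256).digest()


def demo() -> dict:
    """Runs the exchange for a correct password, a wrong one, and a replay."""
    server = ChapServer()
    server.enrol("erp-reader", bytearray(b"correct horse"))  # constructed user

    cid, salt, chal = server.challenge("erp-reader")
    good = server.verify(cid, client_response(bytearray(b"correct horse"), salt, chal))

    cid2, salt2, chal2 = server.challenge("erp-reader")
    bad = server.verify(cid2, client_response(bytearray(b"wrong"), salt2, chal2))

    cid3, salt3, chal3 = server.challenge("erp-reader")
    resp = client_response(bytearray(b"correct horse"), salt3, chal3)
    first = server.verify(cid3, resp)
    replay = server.verify(cid3, resp)  # same response presented a second time

    return {
        "good": good is not None and server.is_authorised(good),
        "bad": bad is None,
        "replay": first is not None and replay is None,
        "unknown_user": server.challenge("nobody") is None,
    }


if __name__ == "__main__":
    print(demo())
```

Per authentication the client receives 8 + 16 + 32 bytes and sends 8 + 32 back; afterwards each request carries only the 16-byte session token, so the per-transaction overhead is fixed regardless of payload size. The PBKDF2 cost is paid once per login on the client and once per enrolment on the server, not per API call; the per-request server work is one HMAC and a set lookup.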
