
Topic: Mt. Gox Trading API "nonce" Issue In Distributed App (Read 1516 times)

vip
Activity: 608
Merit: 501
-
In the trading API you have to specify a "nonce" parameter of an increasing integer value.  This is fine for non-distributed apps.  However, we are developing a distributed app that could be deployed to hundreds or thousands of machines.  This nonce value will be harder to increment in synchronization since normally it is based on a computer's clock.  If two transactions were happening at near the same time, it is possible a late request might arrive before the earlier request due to the unpredictable nature of the Internet.  Is it possible to supply a unique identifier for the nonce instead of an increasing value?

The other solution would be to supply a username and password but I don't know how long this will be supported.

Thanks.

I would be curious to hear more about your needs, and we may be able to provide solutions that fit your needs.

Please contact me ([email protected]) for more details.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
The ever-increasing requirement is impossible to guarantee in a distributed system. The only way around this will be a central sequence ID generator... (or a system that "votes" for a sequence ID generator, for example using Zookeeper, so that another node can take it over when one fails)
kjj
legendary
Activity: 1302
Merit: 1026
I can think of at least 3 solutions.

Solution 1, the unique server ID

Assume that the nonce can be up to 19 digits long (64 bit int).  Subtract 10 digits for the current unix timestamp.

Figure out the maximum number of machines you'll ever have, take X=ceiling(log10(#)).

Now, take 9 and subtract X.  Whatever you get is the number of digits to take from the front of the microseconds clock when making the nonce.

So, if you expect not more than 10,000 machines, X will be 4.  So in your mtgox code, you use
Code:
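$mt = explode(' ', microtime()); // $mt[0] = "0.uuuuuu00" (fraction), $mt[1] = unix seconds
$req['nonce'] = $mt[1].substr($mt[0], 2, 5).$unique_id_for_this_machine; // 10 + (9 - X = 5) + (X = 4) = 19 digits; id zero-padded to X digits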

Solution 2, the proxy

Relay all of your requests through another box that calculates the nonce and signature.

Solution 3, start over

Seriously.  What sort of distributed system needs access to an exchange?
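Added example, not part of the post above and not Mt. Gox code: a Python sketch of the Solution 1 nonce layout, run against two hypothetical server-side checks to show why an "increasing" rule rejects reordered requests from different machines while a "unique" rule still blocks replays. The function and class names, the machine ids and the timestamp are constructed for illustration; how the real server validated nonces is not stated in the thread.

```python
NONCE_DIGITS = 19      # fits a signed 64-bit integer, as the post assumes
TIMESTAMP_DIGITS = 10  # unix seconds

def make_nonce(unix_seconds, microseconds, machine_id, max_machines):
    """Solution 1: seconds + leading microsecond digits + fixed-width machine id."""
    id_digits = len(str(max_machines - 1))   # X: 4 for up to 10,000 machines
    frac_digits = min(6, NONCE_DIGITS - TIMESTAMP_DIGITS - id_digits)  # 9 - X
    if frac_digits < 0 or not 0 <= machine_id < max_machines:
        raise ValueError("machine id does not fit the nonce layout")
    frac = f"{microseconds:06d}"[:frac_digits]
    # Zero-padding keeps every nonce the same width so they compare as integers.
    return int(f"{unix_seconds:010d}{frac}{machine_id:0{id_digits}d}")

class IncreasingNonceCheck:
    """Hypothetical server rule: accept only a nonce above the last accepted one."""
    def __init__(self):
        self.last = -1
    def accept(self, nonce):
        if nonce <= self.last:
            return False
        self.last = nonce
        return True

class UniqueNonceCheck:
    """Hypothetical server rule: accept any nonce never seen before.
    A real deployment would bound this set, e.g. by a timestamp window."""
    def __init__(self):
        self.seen = set()
    def accept(self, nonce):
        if nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True

def demo():
    t = 1325376000  # constructed timestamp
    early = make_nonce(t, 100000, machine_id=7, max_machines=10000)
    late = make_nonce(t, 100500, machine_id=42, max_machines=10000)
    arrivals = [late, early, late]  # network reorders; third item is a replay
    inc, uniq = IncreasingNonceCheck(), UniqueNonceCheck()
    return early, late, [inc.accept(n) for n in arrivals], [uniq.accept(n) for n in arrivals]

if __name__ == "__main__":
    print(demo())
```

The machine id suffix only makes nonces unique across machines; two requests from one machine inside the same 10-microsecond bucket would still collide, and ordering across machines still depends on arrival order.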
newbie
Activity: 44
Merit: 0
Ya, I don't even understand how the API works, or what it does to protect the site. I'll be researching that tonight. Thanks!
legendary
Activity: 1304
Merit: 1015
So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.

You want 1000 accounts for 1000 machines?  That sounds even less pleasant.

Sorry, but you haven't provided enough detail about what you're doing to offer anything that resembles a solution or even a workaround.

Sorry if I sounded off the mark.  I guess I just want a solution to not having to supply an incremental nonce.  A nonce, in the security world, can even be a unique id, which I can generate no problem using C# guid.  Their trading API limits my application which will be distributed, and I am hoping they will make it better.  Or, if they can let me know that I can supply a user and pass instead of the key, secret, nonce, and hash of the post then I'll be happy too.  Yes, I am kind of vague but I don't think I can talk about the application I am working on yet until it is ready.
legendary
Activity: 1304
Merit: 1015
So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.

You want 1000 accounts for 1000 machines?  That sounds even less pleasant.

Sorry, but you haven't provided enough detail about what you're doing to offer anything that resembles a solution or even a workaround.

Sorry if I sounded off the mark.  I guess I just want a solution to not having to supply an incremental nonce.  A nonce, in the security world, can even be a unique id, which I can generate no problem using C# guid.  Their trading API limits my application which will be distributed, and I am hoping they will make it better.  Or, if they can let me know that I can supply a user and pass instead of the key, secret, and hash of the post then I'll be happy too.  Yes, I am kind of vague but I don't think I can talk about the application I am working on yet until it is ready.
newbie
Activity: 44
Merit: 0
If you're worried at all about Mt. Gox's security issues, then purchase the YubiKey. It is a device allowing secure identification with a "One Time Password". It is recognized as a USB keyboard by your computer, and touching it with your finger causes it to input a 44-character-long password which is unique and can be used only once. Each time you use it a new password is generated, protecting your account even if someone has access to your computer. Awesome technology. Oh, and it's only 29.99 and you can even pay with Bitcoin!

This has nothing to do with my question but thanks for the tip.  I do have a Yubikey.

Oh cool, then you already know what's up :)
hero member
Activity: 588
Merit: 500
So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.

You want 1000 accounts for 1000 machines?  That sounds even less pleasant.

Sorry, but you haven't provided enough detail about what you're doing to offer anything that resembles a solution or even a workaround.
legendary
Activity: 1304
Merit: 1015
If you're worried at all about Mt. Gox's security issues, then purchase the YubiKey. It is a device allowing secure identification with a "One Time Password". It is recognized as a USB keyboard by your computer, and touching it with your finger causes it to input a 44-character-long password which is unique and can be used only once. Each time you use it a new password is generated, protecting your account even if someone has access to your computer. Awesome technology. Oh, and it's only 29.99 and you can even pay with Bitcoin!

This has nothing to do with my question but thanks for the tip.  I do have a Yubikey.
newbie
Activity: 44
Merit: 0
If you're worried at all about Mt. Gox's security issues, then purchase the YubiKey. It is a device allowing secure identification with a "One Time Password". It is recognized as a USB keyboard by your computer, and touching it with your finger causes it to input a 44-character-long password which is unique and can be used only once. Each time you use it a new password is generated, protecting your account even if someone has access to your computer. Awesome technology. Oh, and it's only 29.99 and you can even pay with Bitcoin!
legendary
Activity: 1304
Merit: 1015
So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.

You want 1000 accounts for 1000 machines?  That sounds even less pleasant.
hero member
Activity: 588
Merit: 500
So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.
legendary
Activity: 1304
Merit: 1015
In the trading API you have to specify a "nonce" parameter of an increasing integer value.  This is fine for non-distributed apps.  However, we are developing a distributed app that could be deployed to hundreds or thousands of machines.  This nonce value will be harder to increment in synchronization since normally it is based on a computer's clock.  If two transactions were happening at near the same time, it is possible a late request might arrive before the earlier request due to the unpredictable nature of the Internet.  Is it possible to supply a unique identifier for the nonce instead of an increasing value?

The other solution would be to supply a username and password but I don't know how long this will be supported.

Thanks.
