6

My understanding of the authentication process. The host creates a secret and a public api key. The client is crypting the payload with the help of the secret, this is the signature. Then sends its public key, payload, signature to the host.

Example client

The host checks if the public key is allowed to do an operation and gets the secret according to the clients public key. With the help of the secret the host decrypts the signature and compares it to the payload.

Question

  • Is the above process described correctly?
  • How to decrypt the signature and compare it to the payload?
  • Or am I supposed to crypt it in the same way as the client dos and compare it then?
  • What exactly do the two steps update & digest Node Docs

Client:

  authenticate: (self)->
    payload = 'AUTH' + moment()
    signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
      .update(payload)
      .digest('hex')

    data = {
      event: 'auth',
      apiKey: WEBSOCKET_KEY,
      authSig: signature,
      authPayload: payload
    }
    self.send self, data

Server:

hmac = crypto.createHmac('sha384', WEBSOCKET_SECRET)
hmac.on 'readable', () ->
  data = hmac.read()
  if (data)
    console.log data, data.toString('utf-8')


# hmac.write(authPayload)
hmac.write(signature)
hmac.end()

Current Server Side Solution

  authenticate: (authPublicKey, authSignature, authPayload)->
    signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
      .update(authPayload)
      .digest('hex')

    return authSignature == signature
Andi Giga
  • 3,744
  • 9
  • 38
  • 68

2 Answers2

8

HMAC isn't use to encrypt/decrypt, is just use for authentication and check of data integrity.

Client send his payload, his pk, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac.

Client has a public key, and secret key :

var str        = payload_string;
var public_key = pk;
var secret_key = sk;

var hmac = crypto.createHmac('sha384', sk).update(str).digest('hex');

request.post({uri:..., json: { hmac, public_key, payload: str }, function(err, response, body) {
   console.log(body);
});

On server :

exports.... = function(req, res)
{
   var hmac = req.body.hmac;
   var pk = req.body.public_key;
   var payload  = req.body.payload;


   // retrieve authorized user
   User.findOne({ pk }, function(err, user) {
      if(err || !user){
        return res.status(403).json({error:"Invalid user"});
      }

      // recompute hmac
      var compute_hmac= crypto.createHmac('sha384', user.sk).update(payload).digest('hex');

      // check hmac
      if(compute_hmac != hmac) {
        return res.status(403).json({error:"Security check failed"});
      }
      // do stg
      return res.status(200).json({success:"ok"});
    });
  }
codejockie
  • 9,020
  • 4
  • 40
  • 46
Daphoque
  • 4,421
  • 1
  • 20
  • 31
  • Where should I keep the `secret_key` for the client? – Rich Oct 07 '20 at 07:36
  • Hi team, I've had to downvote this as it introduces a timing attack. In addition to using `crypto.timingSafeEqual(a, b)` we also need to verify the lengths are the same (also in a timing safe manner). Can we please update this answer to reflect this production reality? – lol Apr 06 '23 at 01:49
4

These lines vulnerable to timing attack:

if(compute_hmac != hmac) {

return authSignature == signature

It's better to use:

crypto.timingSafeEqual(a, b)
Chiro Hiro
  • 41
  • 1