
I would like to use the TLS-SRP protocol to secure the communication between a mobile app client and a WebAPI REST server. My primary reason is to avoid using a self-signed certificate stored on the device or hardcoded, for security reasons (breach, decompiling...). Setting up the salt between the server and the client is not an issue. However, I don't know how to customise the HttpClient on the client side and the WebAPI server to follow the protocol.

Has anyone done that before? Could you point me to any documentation?

Cheers,

gfache
  • Did you ever get this working? I know on .NET you cannot mess around with the HttpContext. I made a TCP Listener to intercept/proxy data, do SRP (but I can't find a library to do SRP?) and then pass the data into WebAPI. It is weird but it works. Although I don't know where .NET has SRP? – Piotr Kula May 02 '18 at 20:20
  • Not yet unfortunately. It is not my top priority just now so maybe later... From what I could find in the docs, no, .Net does not support SRP. The SRP algorithm is described in [rfc2945](https://tools.ietf.org/html/rfc2945) and on the [Stanford site](http://srp.stanford.edu/). I know the SRP hash is implemented in the `Bouncy Castle` library, which is quite widely used it seems. After that one needs to implement the communication (I would start with `HttpMessageHandler`) I would say, which is certainly not a 1-hour task... But it seems you did that already? – gfache May 03 '18 at 10:21
  • Yea I found `Bouncy Castle` after writing this question. It has source code plus also ChaCha in there which I also need. It turns out it's TLS with RFC 5054 (SRP) that .NET never implemented due to copyright concerns. Whatever. Seems like you're doing something similar to me? I have incoming connections with SRP handshake, then doing ChaCha BEFORE hitting WebAPI. I have a proof of concept running on a TcpListener, decoding TLV, SRP handshake and ChaCha encryption, then proxying to an internally hosted WebAPI site. I could not find any way to intercept Http before HttpContext is created.. – Piotr Kula May 04 '18 at 12:47
  • Arr, that's too bad... I would like to do something similar, yes, but in an IIS-hosted server. What do you mean by _I could not find any way to intercept Http before HttpContext is created.._ ? – gfache May 17 '18 at 08:56
  • Well in the DotNet world.. The HttpContext is created by some kind of out-of-process thread. I assume this is for security, to prevent messing and trying to exploit things in there. So for example, I can say HttpContext.Parse("my custom HTTP1.1 compliant request") as you can in Node or other languages. There is also no hook/event for anything like `OnDataReceived`, so you cannot decrypt the data before HttpContext is built. It assumes the data is a UTF HTTP1.x string. So I need to use TcpSockets and weird stuff to achieve this – Piotr Kula May 18 '18 at 19:33
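The comments above point at RFC 2945 / RFC 5054 without showing the arithmetic the handshake actually consists of. The following is an added, language-neutral example (not code from the question, from Bouncy Castle or from .NET) that runs one SRP-6a round trip exactly as RFC 5054 specifies it: the client registers a verifier `v` once, and at login the two sides derive the same shared secret from `A`, `B` and the salt while the server never sees the password. It uses the 1024-bit group and the SHA-1 formulas from RFC 5054; the final `K = SHA1(S)` step is a simplification labelled in the comments (in real TLS-SRP, `S` becomes the premaster secret fed to the TLS PRF).

```python
import hashlib
import os

# 1024-bit group from RFC 5054 Appendix A (transcribed here; check it against the RFC).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8            # 128 bytes


def pad(x: int) -> bytes:
    """PAD() from RFC 5054: big-endian, left-padded to the length of N."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """RFC 5054 hashes with SHA-1 and interprets the digest as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))                       # SRP-6a multiplier k = SHA1(N | PAD(g))


def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    """x = SHA1(s | SHA1(I | ":" | P)); only the client ever computes this."""
    return H(salt, hashlib.sha1(username + b":" + password).digest())


def make_verifier(username: bytes, password: bytes, salt: bytes) -> int:
    """Registration: client computes v = g^x; server stores (I, s, v), not the password."""
    return pow(g, private_x(username, password, salt), N)


def srp_exchange(username: bytes, password: bytes, salt: bytes, v: int):
    """One login round trip. Returns (client_key, server_key); they match iff password matches v."""
    a = int.from_bytes(os.urandom(32), "big") % N
    A = pow(g, a, N)                        # client -> server: A
    b = int.from_bytes(os.urandom(32), "big") % N
    B = (k * v + pow(g, b, N)) % N          # server -> client: s, B
    if A % N == 0 or B % N == 0:            # RFC 5054 section 2.5.4: abort on these values
        raise ValueError("illegal_parameter")
    u = H(pad(A), pad(B))                   # scrambling parameter u = SHA1(PAD(A) | PAD(B))
    x = private_x(username, password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (B - k g^x)^(a + ux)
    S_server = pow(A * pow(v, u, N) % N, b, N)                 # (A v^u)^b, password-free
    # Simplification: K = SHA1(S). TLS-SRP instead uses S as the premaster secret.
    return hashlib.sha1(pad(S_client)).digest(), hashlib.sha1(pad(S_server)).digest()
```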
