节点Hmac身份验证 [英] Node Hmac Authentication

问题描述

我对身份验证过程的理解.主机创建一个secret和一个public api key.客户端在秘密的帮助下对有效负载进行加密，这就是签名.然后将其公钥，有效负载，签名发送给主机.

My understanding of the authentication process. The host creates a secret and a public api key. The client is crypting the payload with the help of the secret, this is the signature. Then sends its public key, payload, signature to the host.

示例客户端

主机检查是否允许公钥进行操作，并根据客户端的公钥获取机密.主机借助该秘密对签名进行解密，并将其与有效负载进行比较.

The host checks if the public key is allowed to do an operation and gets the secret according to the clients public key. With the help of the secret the host decrypts the signature and compares it to the payload.

• 以上过程描述正确吗?
• 如何解密签名并将其与有效负载进行比较?
• 还是我应该以与客户端相同的方式对其进行加密，然后进行比较?
• 这两个步骤update&分别执行什么操作? digest 节点文档

• Is the above process described correctly?
• How to decrypt the signature and compare it to the payload?
• Or am I supposed to crypt it in the same way as the client dos and compare it then?
• What exactly do the two steps update & digest Node Docs

  authenticate: (self)->
    payload = 'AUTH' + moment()
    signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
      .update(payload)
      .digest('hex')

    data = {
      event: 'auth',
      apiKey: WEBSOCKET_KEY,
      authSig: signature,
      authPayload: payload
    }
    self.send self, data

服务器:

hmac = crypto.createHmac('sha384', WEBSOCKET_SECRET)
hmac.on 'readable', () ->
  data = hmac.read()
  if (data)
    console.log data, data.toString('utf-8')


# hmac.write(authPayload)
hmac.write(signature)
hmac.end()

当前服务器端解决方案

  authenticate: (authPublicKey, authSignature, authPayload)->
    signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
      .update(authPayload)
      .digest('hex')

    return authSignature == signature

推荐答案

HMAC不用于加密/解密，仅用于身份验证和数据完整性检查.

HMAC isn't use to encrypt/decrypt, is just use for authentication and check of data integrity.

客户端使用他的秘密密钥发送他的有效载荷，他的pk和他的有效载荷的hmac. 服务器用他的pk检索用户，用检索到的sk重新计算hmac，然后检查计算出的hmac是否等于检索到的hmac.

Client send his payload, his pk, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac.

客户端有一个公共密钥和一个秘密密钥:

Client has a public key, and secret key :

var str        = payload_string;
var public_key = pk;
var secret_key = sk;

var hmac = crypto.createHmac('sha384', sk).update(str).digest('hex');

request.post({uri:..., json: { hmac, public_key, payload: str }, function(err, response, body) {
   console.log(body);
});

在服务器上:

exports.... = function(req, res)
{
   var hmac = req.body.hmac;
   var pk = req.body.public_key;
   var payload  = req.body.payload;


   // retrieve authorized user
   User.findOne({ pk }, function(err, user) {
      if(err || !user){
        return res.status(403).json({error:"Invalid user"});
      }

      // recompute hmac
      var compute_hmac= crypto.createHmac('sha384', user.sk).update(payload).digest('hex');

      // check hmac
      if(compute_hmac != hmac) {
        return res.status(403).json({error:"Security check failed"});
      }
      // do stg
      return res.status(200).json({success:"ok"});
    });
  }

这篇关于节点Hmac身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！