节点Hmac身份验证 [英] Node Hmac Authentication
问题描述
我对身份验证过程的理解.主机创建一个secret
和一个public api key
.客户端在秘密的帮助下对有效负载进行加密,这就是签名.然后将其公钥,有效负载,签名发送给主机.
My understanding of the authentication process. The host creates a secret
and a public api key
. The client is crypting the payload with the help of the secret, this is the signature. Then sends its public key, payload, signature to the host.
主机检查是否允许公钥进行操作,并根据客户端的公钥获取机密.主机借助该秘密对签名进行解密,并将其与有效负载进行比较.
The host checks if the public key is allowed to do an operation and gets the secret according to the clients public key. With the help of the secret the host decrypts the signature and compares it to the payload.
- 以上过程描述正确吗?
- 如何解密签名并将其与有效负载进行比较?
- 还是我应该以与客户端相同的方式对其进行加密,然后进行比较?
- 这两个步骤
update
&分别执行什么操作?digest
节点文档
- Is the above process described correctly?
- How to decrypt the signature and compare it to the payload?
- Or am I supposed to crypt it in the same way as the client dos and compare it then?
- What exactly do the two steps
update
&digest
Node Docs
authenticate: (self)->
payload = 'AUTH' + moment()
signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
.update(payload)
.digest('hex')
data = {
event: 'auth',
apiKey: WEBSOCKET_KEY,
authSig: signature,
authPayload: payload
}
self.send self, data
服务器:
hmac = crypto.createHmac('sha384', WEBSOCKET_SECRET)
hmac.on 'readable', () ->
data = hmac.read()
if (data)
console.log data, data.toString('utf-8')
# hmac.write(authPayload)
hmac.write(signature)
hmac.end()
当前服务器端解决方案
authenticate: (authPublicKey, authSignature, authPayload)->
signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
.update(authPayload)
.digest('hex')
return authSignature == signature
推荐答案
HMAC不用于加密/解密,仅用于身份验证和数据完整性检查.
HMAC isn't use to encrypt/decrypt, is just use for authentication and check of data integrity.
客户端使用他的秘密密钥发送他的有效载荷,他的pk和他的有效载荷的hmac. 服务器用他的pk检索用户,用检索到的sk重新计算hmac,然后检查计算出的hmac是否等于检索到的hmac.
Client send his payload, his pk, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac.
客户端有一个公共密钥和一个秘密密钥:
Client has a public key, and secret key :
var str = payload_string;
var public_key = pk;
var secret_key = sk;
var hmac = crypto.createHmac('sha384', sk).update(str).digest('hex');
request.post({uri:..., json: { hmac, public_key, payload: str }, function(err, response, body) {
console.log(body);
});
在服务器上:
exports.... = function(req, res)
{
var hmac = req.body.hmac;
var pk = req.body.public_key;
var payload = req.body.payload;
// retrieve authorized user
User.findOne({ pk }, function(err, user) {
if(err || !user){
return res.status(403).json({error:"Invalid user"});
}
// recompute hmac
var compute_hmac= crypto.createHmac('sha384', user.sk).update(payload).digest('hex');
// check hmac
if(compute_hmac != hmac) {
return res.status(403).json({error:"Security check failed"});
}
// do stg
return res.status(200).json({success:"ok"});
});
}
这篇关于节点Hmac身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!