Andi Giga Andi Giga - 2 months ago 18
Node.js Question

Node Hmac Authentication

My understanding of the authentication process. The host creates a

secret
and a
public api key
. The client is crypting the payload with the help of the secret, this is the signature. Then sends its public key, payload, signature to the host.

Example client

The host checks if the public key is allowed to do an operation and gets the secret according to the clients public key. With the help of the secret the host decrypts the signature and compares it to the payload.

Question




  • Is the above process described correctly?

  • How to decrypt the signature and compare it to the payload?

  • Or am I supposed to crypt it in the same way as the client dos and compare it then?

  • What exactly do the two steps
    update
    &
    digest
    Node Docs



Client:



authenticate: (self)->
payload = 'AUTH' + moment()
signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
.update(payload)
.digest('hex')

data = {
event: 'auth',
apiKey: WEBSOCKET_KEY,
authSig: signature,
authPayload: payload
}
self.send self, data


Server:



hmac = crypto.createHmac('sha384', WEBSOCKET_SECRET)
hmac.on 'readable', () ->
data = hmac.read()
if (data)
console.log data, data.toString('utf-8')


# hmac.write(authPayload)
hmac.write(signature)
hmac.end()


Current Server Side Solution



authenticate: (authPublicKey, authSignature, authPayload)->
signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)
.update(authPayload)
.digest('hex')

return authSignature == signature

Answer

HMAC isn't use to crypt / decrypt, is just use for authentication and check of data integrity.

Client send his payload, his pk, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac.

Client has a public key, and secret key :

var str        = payload_string;
var public_key = pk;
var secret_key = sk;

var hmac = crypto.createHmac('sha384', sk).update(str).digest('hex');

request.post({uri:..., json:{hmac:hmac, public_key:public_key, payload: str}, function(err, response, body){
   console.log(body);
});

On server :

exports.... = function(req, res)
{
   var hmac = req.body.hmac;
   var pk = req.body.public_key;
   var payload  = req.body.payload;


   // retrieve authorized user
   User.findOne({pk:pk},function(err, user){
      if(err || !user){
        return res.status(403).json({error:"Invalid user"});
      }
     else
     {

         // recompute hmac
         var compute_hmac= crypto.createHmac('sha384', user.sk).update(payload).digest('hex');

         // check hmac
         if(compute_hmac != hmac){
           return res.status(403).json({error:"Security check failed"});
         }
         else
         {
            // do stg
            return res.status(200).json({success:"ok"});
         }
      }
    });