I'm looking at Weixin's document, I found that they are using SHA-1. I feel like it's not secure, but then my friend said 'never mind, we use https', so I am wondering, is it important to use SHA-1 or others? When will https encrypt our request?
Thanks!
This is Weixin's document:
https://developers.weixin.qq.com/doc/offiaccount/en/Basic_Information/Access_Overview.html
private function checkSignature()
{
$signature = $\GET["signature"];
$timestamp = $\GET["timestamp"];
$nonce = $\GET["nonce"];
$token = TOKEN;
$tmpArr = array($token, $timestamp, $nonce);
sort($tmpArr, SORT_STRING);
$tmpStr = implode( $tmpArr );
$tmpStr = sha1( $tmpStr );
if( $tmpStr == $signature ){
return true;
}else{
return false;
}
}
SHA-1 is a one way hash function. It should be avoided in most cases, but in your case WeChat doesn't offer you any alternative (though WeChat could of course modify their implementation in the future).
Also to answer your other question, which is when HTTPS encrypts your request; HTTPS is a protocol which ensures that the data in motion is secured and encrypted.
The moment a browser attempts to access a website that is secured by SSL, the browser and the web server get into a sequence of message exchanges which is also known as "SSL Handshake". The SSL Handshake happens behind the scene and it transparent to the user.
The handshake process leads to the establishment of a session key using the public and private key pair. The session key is then used to set up the SSL Connection.
Since symmetric cryptography is more efficient in terms of power, the PKI part is used only during the SSL Handshake to establish the symmetric session key. The data in motion is encrypted using the shared symmetric key.
Related
I am using nodejs for TLS 1.2 requests to a server, which requires client authentication. This means, that during the inital handshake the client has sign a hash value over random values negotiated between client and server.
In nodejs you have to supply the (e.g. RSA) key or the .pfx/.p12 file along with the according passphrase with the request:
var https = require('https'), fs = require('fs')
var options = {
host: url, path: func, method: 'POST',
pfx: fs.readFileSync('mycert.pfx'),
passphrase: 'mysecret',
secureProtocol: 'TLSv1_2_method'
}
var req = https.request(options, function (res) {
...
In fact you are handing out your signature infrastructure instead of just signing a single item.
Customers don't want that, they insist in usage of Windows Certificate Store for signature, or, even better, use a hardware token (smartcard, HSM) or a remote Key Vault that administers and protocols signature creation.
For this I would need a "sign" callback when the basic TLS handshake is done.
I've seen, that nodejs is using a SecureContext object, which is created by TLS.createSecureContext(). Is it possible to replace this object by your own implementation? What is its functional interface? Has anybody already done that?
Any other ideas?
according to documentation of pouchdb-authentification, all the operations are done over http.
var db = new PouchDB('http://mysite:5984/mydb', {skipSetup: true});
db.login('batman', 'brucewayne').then(function (batman) {
console.log("I'm Batman.");
return db.logout();
});
does it use https under the hood, or is the username and password really going clair and readable over the wire mode over the wire ?
You can certainly setup your server with an SSL certificate and use PouchDB with https.
On their site when it says that PouchDB uses HTTP, it is referring to the protocol being used. This doesn't preclude the use of HTTPS.
I have an endpoint (in any language, let's say Python) that exposes some service as HTTPS using a certificate issued by any widely known and trusted CA, that is
probably included in virtually any browser in the world.
The easiest part is that I can issue TLS requests against this endpoint using Node.js with no further problems.
For security reasons, I would like to check that every time my Node.js issues a TLS request against this HTTPS endpoint, I want to make sure that the certificate being used, is the certificate that I trust, and the one that was requested by my company.
What is the best way to accomplish that?
It sounds like the answer at How to get SSL certificate information using node.js? would be suitable for your needs.
You can use the following code to get your endpoint's certificate then check its fingerprint or hash against what you expect.
var https = require('https');
var options = {
host: 'google.com',
port: 443,
method: 'GET'
};
var req = https.request(options, function(res) {
console.log(res.connection.getPeerCertificate());
});
req.end();
I'm using node.js 0.10.12. I have generated 2048-bit RSA keypairs that I store as .pem files locally.
Using the built-in 'crypto' library that comes with node, I am trying to decrypt a block of data encrypted with the public RSA key mentioned above.
I've gotten this far:
var privateKey = fs.readFileSync('private.pem', { encoding: 'utf8' });
var cryptOpt = { key: /* PEM encoded private key */ privKey };
var cred = crypto.createCredentials( cryptOpt );
var rsa = crypto.createDecipheriv( 'rsa', cred.?key-in-binary-format?, cred.?initialization vector? );
I'm not sure I'm on the right path here.
• I don't know where the key is stored in binary form inside 'cred'.
• I don't know what to put in initialization-vector parameter.
The data will be encrypted using standard libraries on iOS, which, to my knowledge, does not allow the user to specify an initialization vector when encrypting with RSA.
I haven't been able to extract much knowledge or understanding from the node.js crypto docs:
http://nodejs.org/api/crypto.html
As there isn't any asymmetric encryption happening in the nodejs, I think you are more or less lost in the woods. You will require another library if you want to encrypt anything with RSA. The openssl list-cipher-algorithms documentation that crypto.createCipher(algorithm, password) and crypto.createCipheriv(algorithm, key, iv) only lists symmetric algorithms such as AES and DES (etc.). An IV is only used for symmetric algorithms in general in either way. nodejs only seems to support RSA signing and verification.
I would really suggest to get deeper into the subject matter before continuing on your development path.
I have created a TLS server and an appropriate TLS client in Node.js. Obviously they both work with each other, but I would like to verify it.
Basically, I think of something such as inspecting the connection, or manually connecting to the server and inspecting what it sends, or something like that ...
The relevant code of the server is:
var tlsOptions = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('server.pem')
};
tls.createServer(tlsOptions, function (tlsConnection) {
var d = dnode({
// [...]
});
tlsConnection.pipe(d).pipe(tlsConnection);
}).listen(3000);
The appropriate client code is:
var d = dnode();
d.on('remote', function (remote) {
// [...]
});
var tlsConnection = tls.connect({
host: '192.168.178.31',
port: 3000
});
tlsConnection.pipe(d).pipe(tlsConnection);
How could I do that?
Wireshark will tell you if the data is TLS encrypted, but it will not tell you if the connection is actually secure against Man-in-the-Middle attacks. For this, you need to test if your client refuses to connect to a server that provides a certificate not signed by a trusted CA, a certificate only valid for a different host name, a certificate not valid anymore, a revoked certificate, ...
If your server.pem is not a certificate from a real/trusted CA, and your client doesn't refuse to connect to the server (and you didn't explicitly provide server.pem to the client), then your client is very probably insecure. Given that you are connecting to an IP, not a host name, no trusted CA should have issued a certificate for it, so I assume you use a selfsigned one and are vulnerable. You probably need to specify rejectUnauthorized when connect()ing. (Rant: As this is a pretty common mistake, I think it is extremely irresponsible to make no verification the default.)
Basically, I think of something such as inspecting the connection, or manually connecting to the server and inspecting what it sends, or something like that ...
You can use tools such as Wireshark to see the data they are transmitting.