Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securing a javascript client with hmac

Tags:

javascript

php

hmac

ajax-push

I am researching ways to secure a javascript application I am working on. The application is a chat client which uses APE (Ajax Push Engine) as the backend.

Currently, anyone can access the page and make a GET/POST request to the APE server. I only want to serve the chat client to registered users, and I want to make sure only their requests will be accepted. I can use username/password authentication with PHP to serve a user the page. But once they have the page, what's to stop them from modifying the javascript or letting it fall into the wrong hands?

This method for securing a client/server application looks promising: http://abhinavsingh.com/blog/2009/12/how-to-add-content-verification-using-hmac-in-php/

I have another source that says this is ideal for a javascript client since it doesn't depend on sending the private key. But how can this be? According to to the tutorial above, the client needs to provide the private key. This doesn't seem very safe since anyone who has the javascript now has that user's private key. From what I understand it would work something like this:

  1. User logs in with a username and password
  2. PHP validates the username and password, looks up the user's private key and inserts it into the javascript
  3. Javascript supplies a signature (using the private key), and the public key with all APE requests
  4. APE compares the computed signature to the received signature and decides whether to handle the requests.

How is this secure if the javascript application needs to be aware of the private key?

Thanks for the help!

like image 276
Walderman Avatar asked Nov 23 '10 02:11

Walderman

People also ask

What is HMAC Javascript?

HMAC (hash-based message authentication code) is a particular type of message authentication code (MAC). As with any MAC, the hash function can be used for both verifying data integrity and authentication of the message.

What is HMAC encryption?

Hash-based Message Authentication Code (HMAC) is a message authentication code that uses a cryptographic key in conjunction with a hash function. Hash-based message authentication code (HMAC) provides the server and the client each with a private key that is known only to that specific server and that specific client.

What is a HMAC sha256 hash?

HMACSHA256 is a type of keyed hash algorithm that is constructed from the SHA-256 hash function and used as a Hash-based Message Authentication Code (HMAC).

1 Answers

The answer: You technically cannot prevent the user from modifying the JavaScript. So don't worry about that because you can do nothing about it.

However, the attack you do need to prevent is Cross-Site Request Forgery (CSRF). Malicious scripts on different domains are capable of automatically submitting forms to your domain with the cookies stored by the browser. To deal with that, you need to include an authentication token (which should be sufficiently random, not related to the username or password, and sent in the HTML page in which the chat client resides) in the actual data sent by the AJAX request (which is not automatically filled in by the browser).

like image 191
PleaseStand Avatar answered Sep 21 '22 04:09

PleaseStand
Sign in to Comment

Related questions

Why supervisor faild to start the program?
How to choose solutions for secure messaging front-end and HIPAA compliant database?
How to handle duplicate IDs for inline SVGs?
Memory exhausted (minimal script)
How to fetch multiple table data with multiple queries to one data-table
ArrayObject does not work with end() in PHP 7.4
Why array_unique does not detect duplicate objects?
Laravel - N+1 problem within my relationship recursion
How can I get every n rows in MySQL?
How to unserialize PHP Serialized array/variable/class and return suitable object in C#
Custom themes for the Netbeans IDE? [closed]
PHP - Find parent key of array
PHP Doesn't Display Errors or Warnings
Ideal Multi-Developer Lamp Stack?
Debugging PHP in Aptana 2.0
Is there an intelligent PHP Emacs tagging solution?
iPhone web app, not storing cookie
MS Access: How does one insert NULL into DateTime field
How does the "edit section" feature on Wikipedia work?
Zend Youtube API - Upload Videos on a Single Account?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!