[ $davids.sh ] — david shekunts blog


# [ $davids.sh ] · message #99

💬 Friends, I have a question for you: has anyone dealt with the problem of request signature encryption using symmetric or asymmetric encryption?

Colleagues are developing a financial transaction service and have chosen HMAC (symmetric encryption, where the shared key with the client is stored on both sides), but if the secrets storage leaks, it's all over.

I want to understand: is it worth giving up and just securing the secrets storage, or is it better to use some kind of asymmetric encryption?

Do you have any ideas?

  • @ Dmitry Z · # 138

    Is there no SSL?

  • @ 🦾 IT-Dressing room 💪 · # 139

    I don’t really know how to properly set up SSL in this situation. Specifically, should I issue and verify certificates manually for each client request?

    By the way, I found a solution—I’ll write about it in the next post.

  • @ Dmitry Z · # 140

    SSL checks the certificate once, and then a symmetric session key is used.

  • @ 🦾 IT-Dressing room 💪 · # 141

    I just don't quite understand at what level and how the SSL certificate will be verified.

  • @ Dmitry Z · # 142

    Well, you do use some kind of transport protocol.

  • @ 🦾 IT-Dressing room 💪 · # 143

    HTTP

  • @ Dmitry Z · # 144

    Why not use HTTPS then?

  • @ 🦾 IT-Dressing room 💪 · # 145

    I mean HTTPS.

    I think we're talking about different issues: the task requires signing the request bodies, not just the requests themselves. To achieve this, we decided to use HMAC, but since it's symmetric, we'll have to generate it for each client and store it somewhere on our end. The question was how to do this securely. I'll discuss this in the next post.

  • @ Dmitry Z · # 146

    Do you need to hide data from the server code? Why re-encrypt something that’s already encrypted?

  • @ 🦾 IT-Dressing room 💪 · # 147

    To ensure that the request is coming from the expected sender.

    The best answer to your question is the description of HMAC (https://en.wikipedia.org/wiki/HMAC). Most APIs that handle transactions (Stripe, Yandex, Tinkoff, etc.) use it to generate a signature for the request.

  • @ Dmitry Z · # 148

    When you establish a connection with a server, it can verify the client's certificate. This serves as a verification that the client is indeed the correct one.

  • @ 🦾 IT-Dressing room 💪 · # 149

    So, are you suggesting that we issue certificates for clients and independently verify that these are indeed the certificates we issued?

  • @ Dmitry Z · # 150

    If clients do not have their own certificates, then yes.

  • @ Dmitry Z · # 151

    The request will include the client's identity, and it can be verified.

  • @ 🦾 IT-Dressing room 💪 · # 152

    Got it now 😊

  • @ 🦾 IT-Dressing room 💪 · # 153

    Here's the next question: how will we see at the code level that this is the same client with the same certificate?

  • @ Dmitry Z · # 154

    The transport protocol includes a client identity. This could be a certificate. And you can, for example, verify that the certificate was issued by you.

  • @ Dmitry Z · # 155

    I used WCF, it has that. I think it's everywhere.

  • @ Dmitry Z · # 156

    Do you need to grant access to a resource on the server for a specific user? Then you can store the user's key thumbprint on the server.

  • @ Dmitry Z · # 157

    Or in a self-made certificate that you issue to the user, fill in some field with their name. And verify the name on the server.
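
An added example, not part of the original post or its comments: it compares what the server must store to verify a signed request body under HMAC and under an asymmetric signature, which is the trade-off in the question and the idea behind keeping only public material on the server (comment #156). Ed25519 is chosen here as one asymmetric option (an assumption, the thread names none); the bodies, secret and seed are constructed, and `Compare` and `Result` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// signHMAC computes HMAC-SHA256 over the request body with the shared secret.
func signHMAC(secret, body []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	return m.Sum(nil)
}

// verifyHMAC is the server side: it must hold the same secret the client signs with.
func verifyHMAC(secret, body, tag []byte) bool {
	return hmac.Equal(signHMAC(secret, body), tag) // constant-time comparison
}

// verifyEd25519 is the server side of the asymmetric variant: public key only.
func verifyEd25519(pub ed25519.PublicKey, body, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, body, sig)
}

// Result records which requests the server accepts under one scheme.
type Result struct{ Genuine, Tampered, SignedFromStore bool }

// Compare signs a constructed body, then re-checks using only what the server stores.
func Compare() (hmacRes, edRes Result) {
	body, other := []byte(`{"to":"acct-2","amount":100}`), []byte(`{"to":"acct-9","amount":100}`)
	secret := []byte("constructed-demo-secret") // the server stores this same value
	tag := signHMAC(secret, body)
	hmacRes = Result{verifyHMAC(secret, body, tag), verifyHMAC(secret, other, tag),
		verifyHMAC(secret, other, signHMAC(secret, other))} // stored value can sign
	seed := sha256.Sum256([]byte("constructed client seed")) // stays on the client
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey) // the only value the server stores
	sig := ed25519.Sign(priv, body)
	// Using the stored public bytes as a signing seed yields an unrelated key.
	fromStore := ed25519.Sign(ed25519.NewKeyFromSeed(pub), other)
	edRes = Result{verifyEd25519(pub, body, sig), verifyEd25519(pub, other, sig),
		verifyEd25519(pub, other, fromStore)}
	return
}

func main() {
	fmt.Println(Compare())
}
```

Both schemes reject a tampered body; they differ only in `SignedFromStore`, which is true for HMAC and false for Ed25519.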