samedi 6 décembre 2014

PHP server request with shared key - code safety



Disclaimer: I am not very familiar with safety techniques in general.


The problem: Quickly create lots of small files in server from a bash script.


I used to use scp (secure copy) in order to create those files but I found it extremely slow with the login operation needed, even when using a shared key through SSH.


So I thought to create one bash script and one php script that share a key in order to speed up the operation doing only the absolutely essentials.


Client's Bash sends a final password, the filename of the file to create, the content of that file and the current UTC second.


In client, the final password is calculated as:



#pseudocode
final password = sha256( ${currentDateTime}${sharedKey}${remoteFilename}${content} )


The request is posted to the server using the CURL command.


Server's PHP now has the password from the client, the filename to create, the content, and the UTC second the request started from. Server calculates the full UTC time by going to the closest second to the past that matches the UTC second sent by the client. For example if second send by the client = 12 and server UTC time is 13:42:25, then 13:42:12 is used by the server.


Server php generates its own "real" password (aka the password that the client SHOULD use for that UTC time (13:42:12 in this example), that filename and content, based on that shared key:



$realPasswd = hash('sha256', $timeString.$sharedKey.$filename.$content);


Then server checks $realPasswd against the password sent by the client (the so-called final password I referred to earlier)


On my noobish understanding, this technique should be pretty safe, because, even if the whole request is sniffed by an attacker, then he will only be able to send exactly the same request and only for 1 minute (because the final password will change for the next UTC minute).


He will not be able to alter the remoteFilename or the content and he will be able to create acceptable by the server requests only for 1 minute.


What is your opinion on this?





Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)