How do i sign variables?

At the very minimum:

The server should have an asymmetric signature key-pair (private for signing, public for verification).
The server should send the client a message containing the variables data, and a a signature for the hash value of the variables data:

M, S(H(M))
Upon reception, the client stores the entire message. When the time comes, the client sends the server everything back, then the server computes the hash for the variables data and verifies that

V(S(H(M))) = H(M)

Thus making sure that the variables data was issued by the server.

This is the very basis of the protocol, which should be expanded to handle whatever threats you need to secure against. The protocol as given is very prone to attacks, and only guarantees that the data was signed by the server.

Implemening this in .NET, almost all needed functionality is provided by the Security.Cryptography namespace. See the following MSDN article, it provides sample code for signing and verifying a given hash value, using DSA. See here for sample code of creating a hash value using SHA256.

Sounds hackish but still secure. I can put all the variables into a byte array and call md5 right? hmm IIRC it doesnt matter if the user has hundreds of data with sigs, i dont think they can find the salt? i think i'll accept this.

acidzombie24 2010-03-22 22:20:38

Just to be clear, your proposal is that the hash be stored on the server, right? If you're going to store the hash on the server then why not simply store *all* the data on the server? Then the problem goes away.

Eric Lippert 2010-03-22 22:26:46

The hash would be stored client side. Otherwise i'd store all 5*64bits on the server

acidzombie24 2010-03-22 22:49:23

@Eric, @acidzombie24: The idea was to send the hash to the client. Once the data and hash is sent back to the server, it allows to check whether the data was modified. I don't know for how long you want to store the data on the client, maybe for a long time (using a cookie or local storage)? Maybe you don't want to/can't store data server-side?

M4N 2010-03-22 22:53:16

@Eric, @acidzombie24: updated the answer to clarify.

M4N 2010-03-22 23:02:39

i'm surprised you modified it, i wasn't confused ;). I'm just waiting a bit before i accept this answer.

acidzombie24 2010-03-22 23:20:39

If the hash and the data are both stored on the client then what stops the hostile client from editing the data *and the hash*? What you want to do to prevent that is to *encrypt the hash with a private key on the server*. Then the client cannot edit the hash without knowing the private key, which is a secret. With this system, the whole thing can be stored on the client and verified by the server at a later date. However, don't think that you can get this correct just from this sketch; correct hashing and signing is not a trivial problem.

Eric Lippert 2010-03-22 23:28:59

Wait a minute, you're talking about 40 bytes of data per user here? Storage is what, a tenth of a penny for a million bytes? I suspect that the dollar's worth of your time you've spent typing in the question is more than the cost of storing this data for every one of your customers.

Eric Lippert 2010-03-22 23:36:06

I was not questioning the "must be stored on the client" part of the question, instead tried to give a simple idea how this problem could be approached. If the user does not know how you build the input to calculate the hash, then he will not easily be able to create a valid hash for tampered data.

M4N 2010-03-22 23:39:34

@Eric Lippert: I hope you see this. Now i am thinking about keeping it serverside but i am a bit worried about writes killing the database. For one i am using sqlite atm even while after moving to mysql i can see writes causing a problem.

acidzombie24 2010-03-23 01:17:54

Oh and its not just customers. Its anyone who visits the site or uses the app. I guess i need sessions data as well. hmmm. You made me think eric. You made me think hard!

acidzombie24 2010-03-23 01:19:41

ansaurus

tags:

views:

answers:

How do i sign variables?

related questions