signing - How to sign data properly in Ruby (HMAC?)


I have a server (a RoR app) sending information to a client (a Ruby Sinatra app), and I need a way for the client to make sure that the data comes from my server instead of from a bad third party.

The client has to log in to the server before anything else is sent back, so the server could reply with a shared key used to sign all further responses. But then a third party could intercept that response, and that would be bad.

I would like to sign the server response in Ruby (keeping platform applicability in mind), so that a forged response can be detected without inspecting the client's code. Any ideas?

UPDATE: Let me see if I can explain it better!

(I've added the code to GitHub as I was writing this question, so you can have a poke around if you want :)

The process is: a user clicks a bookmarklet on their mobile device. This submits the currently visited URL to .heroku.com. When sitesender.heroku.com receives that request, it checks its DB to see if anyone has logged in with this account. If they have, their IP address is looked up and sitesender.heroku.com sends a request to the target app (a web server) on that IP, which then opens the bookmarked URL in the default browser.

The basic idea is that when you find a site on your iPhone, you can send it from your iPhone to your main computer, for pages your iPhone can't cope with (e.g. Flash, screen size).

Obviously one major issue is that anyone could send a request to that open server to open an arbitrary website on that IP, and I would have unleashed a plague on the digital world. Since I am using Heroku as the server (an incredibly good, but cloud-based, RoR host), I just can't check the originating IP.

As far as I understand HTTPS, in this setup I would need to sort out a certificate for every app? I agree that I need some form of asymmetric crypto: sign requests from sitesender.heroku.com with a private key (never distributed), verify them using the public key, and check that they match - but, as you have guessed correctly, I still know little about how HMAC works! How is it asymmetric? Is it set up so that the same HMAC operation with the private key and with the public key produces the same signature? In which case - HMAC is a winner!

Thank you for your patience!

I'm not sure what you mean by "can be investigated for free, but cannot be replicated".

In general, if you need a secure communication channel, then https is your friend.

That is the way to go (or, if it is insufficient due to some architectural issue, HMAC and asymmetric crypto).

Update: I'm not sure I understand the problem, so I will try to describe the problem I think you are trying to solve. You have clients, and you need them to trust that the response they are seeing is actually coming from your server.

Assuming I am right and that is actually the problem you are trying to solve, HTTPS solves it well: you install a certificate on your server. You can self-sign it, but the client will not trust it by default; for that, you need to buy one from one of the standard Certificate Authorities (CAs). Then, when the client makes an HTTPS request to your server, HTTPS verifies that the certificate presented was issued for the server it is talking to. You're done.

Finally, I think there is a misconception about how HMAC works. The main principle of asymmetric crypto is never to distribute your private key. With asymmetric crypto, you encrypt messages with the recipient's public key and they decrypt them with their private key. You sign messages with your private key, and they verify them using your public key.

