drmet46444 2015-01-05 22:53
Views: 34
Accepted

HMAC with a time window

I'm doing some tests with HMAC by using a time-window mechanism based on UTC+0 synced time. The server has a special public API call http://myserver.com/api/servertime/ that will return the server's exact UTC+0 time. This way the API users can sync their requesting client so it will be able to match the time window my API allows for secure calls. I built in a 30 minute timeslot (-15 min to +15 min).

My code looks like this:

package main

import (
    "crypto/hmac"
    "crypto/sha512"
    "encoding/base64"
    "fmt"
    "log"
    "time"
)

// GenerateHmac512 returns the base64-encoded HMAC-SHA512 of message under key.
func GenerateHmac512(message []byte, key []byte) []byte {
    h := hmac.New(sha512.New, key)
    h.Write(message)
    return []byte(base64.StdEncoding.EncodeToString(h.Sum(nil)))
}

// ValidateHmac512 recomputes the MAC over message and compares it in constant time.
func ValidateHmac512(message, messageMAC, key []byte) bool {
    decodedMessageMAC, err := base64.StdEncoding.DecodeString(string(messageMAC))
    if err != nil {
        // log.Fatalln would exit the process and make the return unreachable;
        // a malformed MAC is simply an invalid request.
        log.Println(err.Error())
        return false
    }

    mac := hmac.New(sha512.New, key)
    mac.Write(message)
    expectedMAC := mac.Sum(nil)
    return hmac.Equal(decodedMessageMAC, expectedMAC)
}

func main() {
    timestamp := time.Now().Unix()
    key := []byte("afad9411468602782fb62d904f623d87")
    // Sign the same timestamp that is checked below, not a second time.Now() call.
    message := []byte(fmt.Sprintf("SecretHash,Value1,Value2,Value3,TimeStamp:%d", timestamp))
    hmacHash := GenerateHmac512(message, key)
    hmacValid := ValidateHmac512(message, hmacHash, key)
    log.Println(timestamp)
    log.Println(string(hmacHash))
    log.Println(hmacValid)

    requestValid := false

    // Accept only inside the +/-15 minute window (60*15 seconds on each side).
    now := time.Now().Unix()
    if timestamp > now-(60*15) && timestamp < now+(60*15) {
        requestValid = true
    }

    log.Println(requestValid)
}

I'm hashing the timestamp that will be publicly provided in the call in my HMAC hash, combined with the secret hash. I'm wondering if this is fool-proof enough, or whether it would need more work to make it totally solid? The call would be something like this:

POST http://myserver.com/api/users/
Value1 : Data1
Value2 : Data2
Value3 : Data3
Timestamp : 1420497639

Eventually when this is all OK I'm gonna send this data over SSL/TLS. I know SSL is more than enough and HMAC wouldn't be needed, but I like to have these 3 layers of security. And I want to benchmark variations of these layers to see what the performance impact is and how I can tweak it to have a good balance between performance and security.
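As an added illustration (not the asker's code), here is what the server side of this scheme looks like end to end: the timestamp is parsed from the request, rejected if it falls outside the +/-15 minute window, and only then is the HMAC-SHA512 recomputed over the canonical message and compared with hmac.Equal. The message is built from the three values and the timestamp under the shared key only; the SecretHash field is left out. A small SeenMACs cache is also included, because a time window alone still lets an identical request be resent within the 30 minutes; that cache is an assumption about how a server would close that gap, and the key and field values are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Window is half the width of the accepted slot: +/-15 minutes around server time.
const Window = 15 * time.Minute

var (
	ErrBadTimestamp = errors.New("timestamp field malformed")
	ErrOutOfWindow  = errors.New("timestamp outside accepted window")
	ErrBadMAC       = errors.New("mac does not verify")
)

// BuildMessage is the canonical string both sides sign: the values joined by
// commas followed by the timestamp, e.g. "Data1,Data2,Data3,TimeStamp:1420497639".
func BuildMessage(values []string, ts int64) []byte {
	return []byte(fmt.Sprintf("%s,TimeStamp:%d", strings.Join(values, ","), ts))
}

// Sign returns the base64-encoded HMAC-SHA512 of message under key (client side).
func Sign(message, key []byte) string {
	h := hmac.New(sha512.New, key)
	h.Write(message)
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// Verify is the server-side check. The window test runs first so that a stale
// request is rejected before any MAC work; the MAC comparison is constant time.
func Verify(values []string, tsField, macB64 string, key []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsField, 10, 64)
	if err != nil {
		return ErrBadTimestamp
	}
	diff := now.Sub(time.Unix(ts, 0))
	if diff > Window || diff < -Window {
		return ErrOutOfWindow
	}
	got, err := base64.StdEncoding.DecodeString(macB64)
	if err != nil {
		return ErrBadMAC
	}
	h := hmac.New(sha512.New, key)
	h.Write(BuildMessage(values, ts))
	if !hmac.Equal(got, h.Sum(nil)) {
		return ErrBadMAC
	}
	return nil
}

// SeenMACs remembers MACs accepted recently so the same request cannot be
// replayed while its timestamp is still inside the window (assumed design).
type SeenMACs struct{ seen map[string]time.Time }

func NewSeenMACs() *SeenMACs { return &SeenMACs{seen: map[string]time.Time{}} }

// Remember returns false if mac was already accepted and has not expired yet.
// Entries are kept for Window after acceptance, which is at least as long as
// the signed timestamp itself stays valid, so pruning cannot reopen a replay.
func (s *SeenMACs) Remember(mac string, now time.Time) bool {
	for k, t := range s.seen {
		if now.Sub(t) > Window {
			delete(s.seen, k)
		}
	}
	if _, dup := s.seen[mac]; dup {
		return false
	}
	s.seen[mac] = now
	return true
}

func main() {
	key := []byte("afad9411468602782fb62d904f623d87") // constructed sample key
	values := []string{"Data1", "Data2", "Data3"}    // constructed request fields
	now := time.Now()
	ts := strconv.FormatInt(now.Unix(), 10)
	mac := Sign(BuildMessage(values, now.Unix()), key)

	fmt.Println("fresh request: ", Verify(values, ts, mac, key, now))
	fmt.Println("16 min later:  ", Verify(values, ts, mac, key, now.Add(16*time.Minute)))
	fmt.Println("tampered body: ", Verify([]string{"Other", "Data2", "Data3"}, ts, mac, key, now))
	cache := NewSeenMACs()
	fmt.Println("first seen:    ", cache.Remember(mac, now))
	fmt.Println("replayed:      ", cache.Remember(mac, now.Add(time.Minute)))
}
```

The order of checks matters only for cost, not for security: both the window and the MAC must pass, and the MAC covers the timestamp, so a client cannot move an old request into the current window without the key.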

1 answer

  • doubu0897 2015-01-06 13:38

    There's not much to answer here, an HMAC authenticates a message and verifies integrity, and that seems to be what you want. Also, TLS is only "more than enough" if you're authenticating the client. If this is an unauthenticated call, then HMAC is still reasonable to prove the knowledge of a shared secret.

    Note that SecretHash is superfluous. You already have a secret shared key.

    This answer was selected by the asker as the best answer.