Wed, 20 May 2020 at 18:57, Tim Roberts <ti...@probo.com> wrote:
>
> K S wrote:
> >
> > I'm working on an IoT application (CherryPy runs on the IoT device).
> > The server supports HTTPS but the endpoint on the IoT device is HTTP.
> > How can I validate the integrity of the server for incoming HTTP
> > request (i.e. server POST to IoT device). The data itself isn't
> > sensitive so I just need integrity of the request (not encryption).
>
> I'm curious to know what leads you to think this is an issue. HTTP is a
> TCP protocol, and TCP has checksums and integrity guarantees. You might
> lose entire transactions, but if a transaction arrives, it should be intact.

I agree with Tim in that TCP guarantees the integrity on its level. But it looks
like the topic starter wants to emulate one of the properties of TLS in order to
prevent tampering with the payload (MITM). In this case, it's probably
reasonable to sign the payload and check the signature on the receiving end.

One way to do this is to use X-Hub-Signature, which is rather popular in
systems that implement webhooks (GitHub, Facebook, Google Cloud etc.).
But this technology uses a shared secret and therefore is only applicable
when both client and server are controlled by the same party. Then, the
client-side just signs the payload and the server verifies the signature.
It's useful for transmitting some information via an untrusted network.

By the way, you don't have to put this header before the HTTP request
body. You can use trailer headers for this:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Trailer.
This allows you to calculate the signature as you iterate over the payload
and just output the result at the end.

Though, if you don't fully control the client, you shouldn't use the shared
secret way. Instead, use public-private key cryptography. The server would
hold a private key and the clients will have access to the public key. Clients
will then be able to encrypt the messages which would only be decryptable
by the server (owner of the private key).

--
Cheers,
Sviatoslav.
---
https://useplaintext.email/
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
---
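
The shared-secret signing described in the reply above, as an added example that is not part of the original thread: the sender computes an HMAC-SHA256 incrementally over the body chunks (so the value could be emitted after the body, as with a trailer) and the receiver checks it before trusting the request. The `sha256=<hex>` value format follows GitHub's X-Hub-Signature-256 header; the secret, function names and sample body are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); provision a random per-device secret in practice.
SHARED_SECRET = b"constructed-demo-secret"


def sign_chunks(secret, chunks):
    """Sender side: HMAC-SHA256 updated chunk by chunk, so the final value
    is only known after the last chunk of the body has been produced."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for chunk in chunks:
        mac.update(chunk)
    return "sha256=" + mac.hexdigest()


def verify_signature(secret, body, header_value):
    """Receiver side: True only if header_value is a valid MAC of the raw body."""
    if not header_value:
        return False  # unsigned requests are rejected, never passed through
    algo, sep, received = header_value.partition("=")
    if sep != "=" or algo != "sha256":
        return False  # refuse missing or unexpected algorithm prefixes
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(),
                               received.strip().lower().encode())


if __name__ == "__main__":
    chunks = [b'{"relay": ', b'"on"}']  # constructed sample body
    header = sign_chunks(SHARED_SECRET, chunks)
    print(header)
    print(verify_signature(SHARED_SECRET, b"".join(chunks), header))     # True
    print(verify_signature(SHARED_SECRET, b'{"relay": "off"}', header))  # False
```

The check must run over the exact bytes received, before any JSON or form parsing. A valid MAC shows the body came from a holder of the secret but does not stop a captured request from being replayed, so a timestamp or nonce inside the signed body is needed if that matters.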