Validate Server Integrity (Incoming HTTP Request)

24 views
Skip to first unread message

K S

unread,
May 20, 2020, 8:42:59 AM5/20/20
to cherrypy-users
I'm working on a IoT application (CherryPy runs on the IoT device). The server supports HTTPS but the endpoint on the IoT device is HTTP. How can I validate the integrity of the server for incoming HTTP request (i.e server POST to IoT device). The data itself isn't sensitive so I just need integrity of the request (not encryption).

Thank you

Michiel Overtoom

unread,
May 20, 2020, 8:58:58 AM5/20/20
to cherryp...@googlegroups.com
Hi,

Perhaps digitally sign the data with a hash and have the IoT device recalculate it and check if it's the same hash?

Greetings,

> On 2020-05-20, at 14:32, K S <kamran.s...@gmail.com> wrote:
>
> I'm working on a IoT application (CherryPy runs on the IoT device). The server supports HTTPS but the endpoint on the IoT device is HTTP. How can I validate the integrity of the server for incoming HTTP request (i.e server POST to IoT device). The data itself isn't sensitive so I just need integrity of the request (not encryption).
>
> Thank you
>
> --
> You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cherrypy-user...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/cherrypy-users/cda78508-ff8a-40c6-86eb-f6989eebb87e%40googlegroups.com.

--
"You can't actually make computers run faster, you can only make them do less." - RiderOfGiraffes

Tim Roberts

unread,
May 20, 2020, 12:57:22 PM5/20/20
to cherryp...@googlegroups.com
I'm curious to know what leads you to think this is an issue. HTTP is a
TCP protocol, and TCP has checksums and integrity guarantees.  You might
lose entire transactions, but if a transaction arrives, it should be intact.

--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.


Sviatoslav Sydorenko

unread,
May 21, 2020, 9:28:46 AM5/21/20
to cherryp...@googlegroups.com
ср, 20 трав. 2020 о 18:57 Tim Roberts <ti...@probo.com> пише:
>
> K S wrote:
> >
> > I'm working on a IoT application (CherryPy runs on the IoT device).
> > The server supports HTTPS but the endpoint on the IoT device is HTTP.
> > How can I validate the integrity of the server for incoming HTTP
> > request (i.e server POST to IoT device). The data itself isn't
> > sensitive so I just need integrity of the request (not encryption).
>
> I'm curious to know what leads you to think this is an issue. HTTP is a
> TCP protocol, and TCP has checksums and integrity guarantees. You might
> lose entire transactions, but if a transaction arrives, it should be intact.

I agree with Tim in that TCP guarantees the integrity on its level. But it looks
like the topic starter wants to emulate one of the properties of TLS in order to
prevent tampering with the payload (MITM). In this case, it's probably
reasonable to sign the payload and check the signature on the receiving end.

One way to do this is to use X-Hub-Signature, which is rather popular in
systems that implement webhooks (GitHub, Facebook, Google Could etc.)
But this technology uses a shared secret and therefore is only applicable
when both client and server are controlled by the same party. Then, the
client-side just signs the payload and the server verifies the signature.
It's useful for transmitting some information via untrusted network.

By the way, you don't have to put this header before the HTTP request
body. You can use trailer headers for this:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Trailer.
This allows you to calculate the signature as you iterate over the payload
and just output the result at the end.

Though, if you don't fully control the client, you shouldn't use the shared
secret way. Instead, use public-private key cryptography. The server would
hold a private key and the clients will have access to the public key. Clients
will then be able to encrypt the messages which would only be decryptable
by the server (owner of the private key).


--
Cheers,
Sviatoslav.

---
https://useplaintext.email/
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
---
Reply all
Reply to author
Forward
0 new messages