Coder Social home page Coder Social logo

httpv's Introduction

HTTP-Verify

A custom URI scheme that adds ECDSA based signatures to vanilla HTTP 1.1 requests. The scheme can run over tcp or tls and is transparent to the underlying HTTP server. Within this repository you will find simple examples, a proxy server and a library with useful constructs to build your very own httpv implementation!

Checkout the wiki for a formal explanation!

##New Schemes

###httpv Runs over http. Example:

httpv://localhost/api/status

###httpsv Runs over https. Example:

httpsv://ahimsa.io:1060/api/status

httpv's People

Contributors

nskelsey avatar

Stargazers

Rick avatar avatar Alex Kuck avatar

Watchers

James Cloos avatar avatar

httpv's Issues

Blah blah

The Web Resource Signature (WRS) Extension

Status of This Project

This specification along with the attached implementation was written to satisify the final project requirements for CS6161 Analysis of Algorithms, a course taught by Gabe Robins at the University of Virginia. The current implementation is expiremental in nature and should be treated as such. If you find this project intersting feel free to email me at nskelsey at gmail or open an issue on Github.

Abstract

This document speicifes version 0.1 of the WRS extension.
The WRS extension provides authentication of resources served over HTTP or HTTPS.
The extension lets a client and all future viewers of the session between a client and server verify the authenticity of data provided by the server during that session.

Contents

  1. Introduction
  2. URI Schemes
  3. The HTTP Transaction
    1. The HTTPV Request
    2. The HTTPV Response
    3. The Transaction Bundle
  4. The Signature Algorithm
  5. Digital Commitments
  6. Limitations
  7. A Public Key Archcitecture

Introduction

The goal of the WRS extension is to create auditable resources served over the web. The extension specifies how an HTTP transaction is signed by a server and verified by a client. This form of authentication is different than the form provided TLS because it generates proofs that can be evaluated by third parties. The WRS extension therefore requires voluntary participation of servers and a seperate publicly known signature key for each server.

The extension uses digitial signatures to assert the intergrity and authenticity of a resource served to a potentially untrustworthy client. Claims of resources providing inaccurate data can be provably shown to be false. A signature generated over the resource behind a URL, creates a responsible party for that resource. If that resource were to ever be subtly changed or removed previously signed sessions could be used by a third party to prove that the resource changed.

It is too complicated to try and develop a public key infrastructe to distribute server public keys in this document. The problem of distributing these signature keys will be left as an open discussion in Section 8. However, given recent develops in distributed databases it may be possible to avoid the certificate authority system specified in rfc5208.

At its core, WRS is an extension to HTTP that works by manipulating headers. These headers along with the contents of an HTTP request-response pair forms the content of what a server will sign. This signature along with the entire transaction can then be stored for safe keeping and reverified by a client or a third party as needed. The exact format of the content that is signed is specified in Sections 2 and 3.

URI Schemes

In order to preserve compatability with http and promote the extensions use I am claiming (in an unofficial way of course) the URI Schemes httpv and httpsv to indicate a WRS extended resource served either by HTTP or HTTPS. WRS is backwards compatable with HTTP 1.1 meaning any server hosting httpv is implicitiy hosting resources over http. However, implentations can optionally enforce strict complicance with WRS 0.1 and drop http support.

As of this writing there is only one host on the internet serving either scheme. The endpoints are:

httpv://ahimsa.io:1070/api

httpsv://ahimsa.io:1075/api

However, since WRS is a backwards compataible extension both endpoints are still accessible via http and https respectively.

http://ahimsa.io:1070/api

https://ahimsa.io:1075/api

The server will still sign the http transaction, but most HTTP implementation will not record the entire transaction and thus the signature cannot be verified.

The HTTP Transaction

This extension only generates signed endpoints for transactions that only have one request and one response. The request to the server MUST be a GET with an empty body. Supporting POST requests may be useful in the future but it is unsupported as of now.

The servers response to that GET is the canonical one. This is a response containing data produced by the server after processing the Request-URI. More details on the spefics can be found here.

Once the WRS enabled server processes the Request-URI then the server will proceed with signing the transaction only if processing the URI did not produce an error. The signature algorithm requires that the entire request and response be in memory and available before it can be completed.

The goal of using a single transaction is to produce a bundle of data from both the client's request and the server's response for the server to sign. This is done to ensure that the signature is tied to a particular URI accessed in the clients paramaterized way. The servers response is randomized to prevent an attacker from determistically controlling the input to the signature.

The HTTPV Request

The only difference between a httpv and an http request is the addition of one header. This header is Httpv-Ver: 0.1 and it should be included as the last header of the request. All other attributes are kept standard. A strict HTTPV server MUST respond with a 700 Bad Protocol if that header is not present.

If an HTTPV server wishes to preserve backwards comptability it can ignore the header requirement and add it to the request object used in the signing bundle.

The HTTPV Response

The HTTPV response has several headers which must be present. Other than the addition of custom headers the response back to the client is standard HTTP.

Httpv-Ver: <string>

The version of WRS the server is running.

Httpv-Ts: <int>

This is the servers UNIX timestamp in seconds since 00:00 Jan 1 1970.

Httpv-N: <base64>

This is the servers nonce encoded as a base64. It is a 32 byte field.

Httpv-Sig: <base64>

This is the servers signature of the transaction. It is about 50 bytes.

The Transaction Bundle

When the server is ready to sign the entire transaction it must bundle the request and response together. For effecieny reasons the entire bundle is not signed, but instead the hash of the bundle is signed. This hash then sign process requires that the bundle computed by the client and the server be exactly identical.

This means that any sort of proxying that modifies the contents, or headers of the request or response will change the hash resulting in failed signature verification.

The bundle is arranged simply. The order is:

Request
Request Headers
Request Body
<lf>
Response
Response Headers
Response Body

It would make sense to define a formal structure for this bundle, but currently you should refer to the code for the exact layout.

The Signature Algorithm

With a bundle arranged, it must be hashed and then signed using an asymmetric key. Once generated the signature is converted to base64 and then added to the response headers as Httpv-Sig. Note that the Httpv-Sig header is the only datum left out of the transaction bundle.

Version 0.1 uses the sha256 hashing algorithm defined by NIST.
The Signature Algorithm is the Elipitic Curve Digital Signature Algorithm over the Koblitz curve secp256k1 defined in SEC2.

Signing

The signature is thus:

ecdsa_sign(secp256k1, privateKey, sha256(transaction_bundle))

Verifying

Verification is then:

ecdsa_verify(secp256k1, publicKey, sha256(transaction_bundle))

The signature is encoded and decoded from the response according to the Distinguished Encoding Rules (DER). This is a standardized format. More details live here.

Digital Commitments

Limitations

A Public Key Archcitecture

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.