How do i sign variables?
https://stackoverflow.com/questions/2495962
-
21-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have a few variables that must be stored on the client side. As usual anything on client side can be tampered. I would like to sign a few variables and verified them when the data is sent back to the server. At the moment i think they are 5 64bit vars.
On the server i would like to sign those 5 variables, then ensure the signature is valid when the client sends it back. How do i do this using C# .NET?
-edit- in this case i am not using asp.net
Solution
At the very minimum:
The server should have an asymmetric signature key-pair (private for signing, public for verification).
The server should send the client a message containing the variables data, and a a signature for the hash value of the variables data:
M, S(H(M))
Upon reception, the client stores the entire message. When the time comes, the client sends the server everything back, then the server computes the hash for the variables data and verifies that
V(S(H(M))) = H(M)
Thus making sure that the variables data was issued by the server.
This is the very basis of the protocol, which should be expanded to handle whatever threats you need to secure against. The protocol as given is very prone to attacks, and only guarantees that the data was signed by the server.
Implemening this in .NET, almost all needed functionality is provided by the Security.Cryptography namespace. See the following MSDN article, it provides sample code for signing and verifying a given hash value, using DSA. See here for sample code of creating a hash value using SHA256.
OTHER TIPS
Please see Encrypt ViewState in ASP.NET 2.0.
A simple approach would be to calculate a checksum or hash (e.g. MD5) over the numbers and send this to the client with the data. When the data (and the hash) is sent back back by the client, create another hash with the sent data and compare it with the original hash (sent by the client) to verify whether the data was tampered.
E.g. convert the numbers to strings, concatenate them and calculate the MD5 hash over it. This can be "improved" by adding the currently logged-in user's name or the current SessionID to the string before calculating the hash.
