Validate Server Integrity (Incoming HTTP Request)


Validate Server Integrity (Incoming HTTP Request)

K S
I'm working on an IoT application (CherryPy runs on the IoT device). The server supports HTTPS but the endpoint on the IoT device is HTTP. How can I validate the integrity of the server for incoming HTTP requests (i.e. server POST to IoT device)? The data itself isn't sensitive so I just need integrity of the request (not encryption).

Thank you

--
You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/cherrypy-users/cda78508-ff8a-40c6-86eb-f6989eebb87e%40googlegroups.com.

Re: Validate Server Integrity (Incoming HTTP Request)

Michiel Overtoom
Hi,

Perhaps digitally sign the data with a hash and have the IoT device recalculate it and check if it's the same hash?

Greetings,

> On 2020-05-20, at 14:32, K S <[hidden email]> wrote:
>
> I'm working on an IoT application (CherryPy runs on the IoT device). The server supports HTTPS but the endpoint on the IoT device is HTTP. How can I validate the integrity of the server for incoming HTTP requests (i.e. server POST to IoT device)? The data itself isn't sensitive so I just need integrity of the request (not encryption).
>
> Thank you

--
"You can't actually make computers run faster, you can only make them do less." - RiderOfGiraffes


Re: Validate Server Integrity (Incoming HTTP Request)

Tim Roberts
In reply to this post by K S
K S wrote:
>
> I'm working on an IoT application (CherryPy runs on the IoT device).
> The server supports HTTPS but the endpoint on the IoT device is HTTP.
> How can I validate the integrity of the server for incoming HTTP
> requests (i.e. server POST to IoT device)? The data itself isn't
> sensitive so I just need integrity of the request (not encryption).

I'm curious to know what leads you to think this is an issue. HTTP is a
TCP protocol, and TCP has checksums and integrity guarantees.  You might
lose entire transactions, but if a transaction arrives, it should be intact.

--
Tim Roberts, [hidden email]
Providenza & Boekelheide, Inc.



Re: Validate Server Integrity (Incoming HTTP Request)

Sviatoslav Sydorenko (@webknjaz)
Wed, 20 May 2020 at 18:57, Tim Roberts <[hidden email]> wrote:

>
> K S wrote:
> >
> > I'm working on an IoT application (CherryPy runs on the IoT device).
> > The server supports HTTPS but the endpoint on the IoT device is HTTP.
> > How can I validate the integrity of the server for incoming HTTP
> > requests (i.e. server POST to IoT device)? The data itself isn't
> > sensitive so I just need integrity of the request (not encryption).
>
> I'm curious to know what leads you to think this is an issue. HTTP is a
> TCP protocol, and TCP has checksums and integrity guarantees.  You might
> lose entire transactions, but if a transaction arrives, it should be intact.

I agree with Tim in that TCP guarantees the integrity on its level. But it looks
like the topic starter wants to emulate one of the properties of TLS in order to
prevent tampering with the payload (MITM). In this case, it's probably
reasonable to sign the payload and check the signature on the receiving end.

One way to do this is to use X-Hub-Signature, which is rather popular in
systems that implement webhooks (GitHub, Facebook, Google Cloud, etc.).
But this technology uses a shared secret and therefore is only applicable
when both client and server are controlled by the same party. Then, the
client-side just signs the payload and the server verifies the signature.
It's useful for transmitting some information via an untrusted network.

By the way, you don't have to put this header before the HTTP request
body. You can use trailer headers for this:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Trailer.
This allows you to calculate the signature as you iterate over the payload
and just output the result at the end.

Though, if you don't fully control the client, you shouldn't use the shared
secret way. Instead, use public-private key cryptography. The server would
hold a private key and the clients will have access to the public key. Clients
will then be able to encrypt the messages which would only be decryptable
by the server (owner of the private key).


--
Cheers,
Sviatoslav.

---
https://useplaintext.email/
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
---
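
Added example, not part of the original thread or of CherryPy: a standard-library sketch of the shared-secret approach described above, with the sender computing an HMAC incrementally over body chunks (as it would before emitting a trailer) and the receiver checking a `<method>=<hex digest>` value in the style of X-Hub-Signature. The function names, secret, sample body and the SHA-256/SHA-512 allowlist are assumptions made for this example.

```python
import hashlib
import hmac

# Digest names accepted in the "<method>=<hex>" header value. SHA-1 is left
# out on purpose; this allowlist is a choice made for this example.
ALLOWED_METHODS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

SECRET = b"constructed-demo-secret"  # constructed sample value
BODY_CHUNKS = [b'{"relay": 1, ', b'"state": "on"}']  # constructed POST body


def sign_chunks(secret: bytes, chunks, method: str = "sha256") -> str:
    """Sender side: feed the body chunk by chunk, return the header value."""
    mac = hmac.new(secret, digestmod=ALLOWED_METHODS[method])
    for chunk in chunks:
        mac.update(chunk)
    return f"{method}={mac.hexdigest()}"


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Receiver side: recompute the HMAC over the raw body and compare."""
    if not header_value or "=" not in header_value:
        return False  # missing or malformed header: reject
    method, _, received_hex = header_value.partition("=")
    digestmod = ALLOWED_METHODS.get(method.strip().lower())
    if digestmod is None:
        return False  # unknown or disallowed digest: reject
    expected = hmac.new(secret, body, digestmod).hexdigest().encode("ascii")
    received = received_hex.strip().lower().encode("utf-8")
    # Constant-time comparison so timing does not leak the expected digest.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Run the check against a genuine body and three failure cases."""
    header = sign_chunks(SECRET, BODY_CHUNKS)
    body = b"".join(BODY_CHUNKS)
    tampered = body.replace(b'"on"', b'"off"')
    return {
        "genuine": verify_signature(SECRET, body, header),
        "tampered": verify_signature(SECRET, tampered, header),
        "wrong_key": verify_signature(b"other-secret", body, header),
        "no_header": verify_signature(SECRET, body, None),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver must run the check over the raw bytes exactly as received, before any parsing. An HMAC over the body alone does not stop a captured request from being replayed, so include a timestamp or nonce in the signed data if that matters.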
