Bitcoin Forum
Author Topic: Secure messaging specification  (Read 1085 times)
Nefario
February 25, 2011, 09:34:07 AM
 #1

For the bitcoin stock market, making orders is going to be done to a web service using an HTTP POST request.

So this is a kind of protocol that market orders will be sent to the server with.

The POST request will have two fields, signature and data.

signature is the base64-encoded binary signature from an OpenSSL 2048-bit RSA signature of the base64-encoded data.

data is the base64-encoded string of a JSON data structure.
Two elements in the data structure are message and mac.
The protocol does not deal with message, so we will leave this part.
mac, or message authentication code, is a random number appended to the integer of the Unix epoch (Unix time).

The server that is receiving this request must have the sender's public key to verify that the data is in fact from the client and has not been tampered with.

The server will keep a record of each mac that is sent by this client account (for this public key).

If the server receives a message from the client account, and the mac is the same as one previously sent, the message is rejected. This is to prevent replay attacks, attackers having the same order processed twice.

The difference between client or server is made by whoever is making the request: the client makes the request, the server is the responder.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
grondilu
February 25, 2011, 10:11:10 AM
 #2

The client part is very easy:

Code:
#!/bin/bash

# server address (todo:  add an option to set it on command line)
server=127.0.0.1

# private key
# you can generate one with:  openssl genrsa -out rsa-test 2048
# public key can be obtained with:  openssl rsa -pubout -in rsa-test
privkey="rsa-test"

# message is given on command line
message="$*"

# Message authentication code is a random number appended to the unix epoch
# (string concatenation, as in the specification)
mac="$(date +%s)$RANDOM"

# -w 0: no line wrapping, so the base64 value stays on a single line
data="$(base64 -w 0 <<<"{ \"message\": \"$message\", \"mac\": $mac }")"

# raw RSA signature of the base64 data (fails if the input is longer than the key allows)
signature="$(openssl rsautl -sign -inkey "$privkey" -in <(echo "$data") |base64 -w 0)"

wget -O - --post-data "data=$data&signature=$signature" "http://$server"

Notice that the signature process will fail if the message is too long.  In that case, a hash of the message should be used instead of the message itself.  We might then consider using dgst instead of rsautl.

I think the client should also send its public key, otherwise I don't know how the server can guess it ;)

So basically, the last line should rather be:

Code:
wget -O - --post-data "data=$data&signature=$signature&pubkey=$(openssl rsa -pubout -in "$privkey")" "http://$server"
Nefario
February 25, 2011, 11:18:11 AM
 #3

Yes, you're right. The "signature" is a whirlpool hash of the data that's encrypted by the private key.

I forgot to say that.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
grondilu
February 25, 2011, 11:29:47 AM
 #4

Quote from: Nefario
Yes, you're right. The "signature" is a whirlpool hash of the data that's encrypted by the private key.

I forgot to say that.

openssl doesn't do whirlpool for signed digest.

hash options for dgst are:  [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]
Nefario
February 25, 2011, 11:36:07 AM
 #5

Quote from: grondilu
Quote from: Nefario
Yes, you're right. The "signature" is a whirlpool hash of the data that's encrypted by the private key.

I forgot to say that.

openssl doesn't do whirlpool for signed digest.

hash options for dgst are:  [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]


Yes it does, version 1.0.0 or greater has whirlpool, it just doesn't list it as an option, pass in -whirlpool as a dgst option.

It probably means that you'll want to get the source and compile it (don't install if you don't want to ruin your system)

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
grondilu
February 25, 2011, 11:49:14 AM
 #6

Ok, then here is the client code:

Code:
#!/bin/bash

# server address (todo:  add an option to set it on command line)
server=127.0.0.1/stockmarket-server.cgi

# private key
# you can generate one with:  openssl genrsa -out rsa-test 2048
# public key can be obtained with:  openssl rsa -pubout -in rsa-test
privkey="rsa-test"

# message is given on command line
message="$*"

# Message authentication code is a random number appended to the unix epoch
# (string concatenation, as in the specification)
mac="$(date +%s)$RANDOM"

# base64 JSON data (-w 0: no line wrapping, so the value stays on one line)
data="$(base64 -w 0 <<<"{ \"message\": \"$message\", \"mac\": $mac }")"

# base64 whirlpool signature over the base64 data (needs openssl 1.0.0 or greater)
signature="$(openssl dgst -whirlpool -sign "$privkey" <<< "$data" |base64 -w 0)"

# sending via POST method; the body is written as shell assignments because
# the server script evals it
wget -q -O - --post-data "data=\"$data\" signature=\"$signature\" pubkey=\"$(openssl rsa -pubout -in "$privkey" 2>/dev/null)\"" "http://$server"

And here is the code for the server (a CGI script):

Code:
#!/bin/bash

echo "Content-type: text/plain"
echo

echo stock market exchange server
echo

if [[ "$REQUEST_METHOD" = "POST" ]] && [[ "$CONTENT_LENGTH" -gt 0 ]]
then
    # -r: keep backslashes in the body as-is
    read -r -N "$CONTENT_LENGTH" POST_DATA <&0

    # todo:  retrieve post data more securely than using "eval"
    # (eval runs whatever the client put in the body as shell code)
    eval "$POST_DATA"

    # verify the whirlpool signature of the base64 data with the supplied key
    if openssl dgst -whirlpool -signature <(base64 -d <<<"$signature") -verify <(echo "$pubkey") <<<"$data" 2>&1
    then
        data="$(base64 -d <<<"$data")"
        echo "$data"
    else
        echo wrong signature
    fi

else
    echo no data received
fi


Several aspects of your specification for the server depend on the kind of database you want to use.  Would you consider using MongoDB?
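As an added example, not code from this thread or from GLBSE: a client request built to the format in the first post, and a server-side check that adds the two things the CGI script above leaves out, namely parsing the POST body field by field instead of passing it to eval, and the per-key record of accepted macs that rejects a repeated order. It assumes bash 4, GNU base64 (-w 0), and an OpenSSL with RSA and SHA-256 (SHA-256 stands in for whirlpool, which sits in OpenSSL 3's legacy provider); the server reads the client's public key from a file it already holds, as the specification requires, rather than trusting one sent in the request. Key file names, the sample messages and the return codes are this example's own choices.

```shell
#!/bin/bash
# Added example, not from the thread: request format from the spec plus the
# server-side checks the CGI script above lacks (no eval, mac replay record).
# Assumptions: bash 4, GNU base64, OpenSSL with SHA-256 in place of whirlpool.
# Key file names, messages and return codes are constructed for the demo.

work="$(mktemp -d)"
privkey="$work/client.pem"        # client key pair, generated fresh each run
pubkey="$work/client.pub"         # the copy the server is assumed to hold
seen="$work/seen_macs"            # server record: "<key fingerprint> <mac>" per accepted order
: > "$seen"
openssl genrsa -out "$privkey" 2048 >/dev/null 2>&1
openssl rsa -in "$privkey" -pubout -out "$pubkey" >/dev/null 2>&1

# Percent-encode a field value so base64's '+', '/' and '=' survive form decoding.
urlencode() {
  local s="$1" out="" c i
  for ((i = 0; i < ${#s}; i++)); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9._~-]) out+="$c" ;;
      *) out+="$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}
urldecode() { printf '%b' "${1//%/\\x}"; }

# Client: mac is the unix time with a random number appended (string
# concatenation, as the spec says); data is base64 JSON; the signature is
# computed over the base64 string. The message is assumed to contain no quotes.
make_request() {                  # $1 = message, $2 = private key file -> POST body
  local mac data sig
  mac="$(date +%s)$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')"
  data="$(printf '{"message": "%s", "mac": %s}' "$1" "$mac" | base64 -w 0)"
  sig="$(printf '%s' "$data" | openssl dgst -sha256 -sign "$2" | base64 -w 0)"
  printf 'data=%s&signature=%s' "$(urlencode "$data")" "$(urlencode "$sig")"
}

# Server: prints the message and returns 0 when accepted; 1 bad signature,
# 2 malformed request, 3 replay (this mac was already accepted for this key).
verify_request() {                # $1 = POST body, $2 = client public key file
  local body="$1" pub="$2" data="" signature="" kv k v json mac fp
  local -a pairs
  IFS='&' read -r -a pairs <<<"$body"
  for kv in "${pairs[@]}"; do     # no eval: split each field on its first '='
    k="${kv%%=*}"; v="$(urldecode "${kv#*=}")"
    case "$k" in data) data="$v" ;; signature) signature="$v" ;; esac
  done
  [ -n "$data" ] && [ -n "$signature" ] || return 2
  printf '%s' "$signature" | base64 -d > "$work/sig.bin" 2>/dev/null || return 2
  printf '%s' "$data" | openssl dgst -sha256 -verify "$pub" \
      -signature "$work/sig.bin" >/dev/null 2>&1 || return 1
  json="$(printf '%s' "$data" | base64 -d)"
  mac="$(printf '%s' "$json" | sed -n 's/.*"mac": *\([0-9][0-9]*\).*/\1/p')"
  [ -n "$mac" ] || return 2
  # key fingerprint = SHA-256 of the DER public key; the record is per key
  fp="$(openssl pkey -pubin -in "$pub" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')"
  grep -qxF "$fp $mac" "$seen" && return 3
  printf '%s %s\n' "$fp" "$mac" >> "$seen"
  printf '%s' "$json" | sed -n 's/.*"message": *"\([^"]*\)".*/\1/p'
}

# Demo: one order is accepted, the same body sent again is rejected as a replay.
body="$(make_request "buy 10 shares" "$privkey")"
verify_request "$body" "$pubkey"; echo " -> rc=$?"
verify_request "$body" "$pubkey"; echo " -> rc=$? (replay)"
```

The record of accepted macs grows without bound, since the specification only says a mac must never repeat for a key; because the mac starts with the Unix time, a server can prune entries older than whatever acceptance window it chooses and reject requests whose time part falls outside that window, which also blocks old captured orders without a lookup.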