How to sign and secure request data?
The task is to protect a request of the form
/payment/$ORDERID/
/payment/$USERID/
from:
1. Enumeration of $ORDERID
2. Visibility of $ORDERID
3. Not knowing whether the request came from where it was created, and not "manually"
At first there was an idea: /payment/$ORDERID/$SIGN, where $SIGN = hash('sha256', $orderID . $this->salt)
But I think this is not enough. I would like not to expose $ORDERID and $USERID.
Does it make sense to use:
// Fresh random nonce/IV, sized for the chosen cipher
$nonceSize = openssl_cipher_iv_length($METHOD);
$nonce = openssl_random_pseudo_bytes($nonceSize);
$ciphertext = openssl_encrypt(
    $message,
    $METHOD,
    $key,
    OPENSSL_RAW_DATA,
    $nonce
);
// Prepend the nonce so the receiving side can decrypt
return base64_encode($nonce.$ciphertext);
I do not want to complicate things to the level of delirium.
Unfortunately, you will have to write some wrapper to encrypt/decrypt the protected segments. If you can make it so that the code is flexible and reusable, then it won't be bullshit.
In particular, you can change the encryption algorithm to one that is less expensive in terms of CPU time.
I would opt out of return base64_encode($nonce.$ciphertext); in favor of translating each byte of the ciphertext into hex (for example), or even into some 25-decimal system (English alphabet).
https://tech.yandex.ru/money/doc/dg/reference/noti...
It's not very clear what you want, but it seems like a scheme like Yandex-money will do.
You can use AES-256 encryption with a secret. That gives protection against guessing, and the userId and orderId data are not visible.
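An added example, not code from any poster in this thread: one way to build the encrypt/decrypt wrapper for the protected URL segment, using AES-256-GCM so the token both hides $ORDERID/$USERID and is rejected if it was altered or made up "manually". The function names, the JSON payload layout, the 15-minute expiry and the sample IDs are assumptions; hex output follows the suggestion above to avoid base64 in a URL path.

```php
<?php
declare(strict_types=1);

const CIPHER  = 'aes-256-gcm'; // AEAD mode: encrypts and authenticates together
const TAG_LEN = 16;            // authentication tag length in bytes

// Build an opaque path segment for /payment/<token>/ (hypothetical helper).
function sealPaymentToken(int $orderId, int $userId, string $key, int $ttl = 900): string
{
    $payload = json_encode(
        ['o' => $orderId, 'u' => $userId, 'exp' => time() + $ttl],
        JSON_THROW_ON_ERROR
    );
    // Fresh random nonce per token; never reuse a nonce with the same key.
    $nonce = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct = openssl_encrypt($payload, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return bin2hex($nonce . $tag . $ct); // hex is safe inside a URL path
}

// Returns the decoded payload, or null for a malformed, altered or expired token.
function openPaymentToken(string $token, string $key): ?array
{
    $nonceLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($token) % 2 !== 0 || !ctype_xdigit($token)) {
        return null;
    }
    $raw = hex2bin($token);
    if ($raw === false || strlen($raw) <= $nonceLen + TAG_LEN) {
        return null;
    }
    $nonce = substr($raw, 0, $nonceLen);
    $tag   = substr($raw, $nonceLen, TAG_LEN);
    $ct    = substr($raw, $nonceLen + TAG_LEN);
    // openssl_decrypt returns false when the tag does not verify.
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($plain === false) {
        return null;
    }
    $data = json_decode($plain, true);
    return (is_array($data) && ($data['exp'] ?? 0) >= time()) ? $data : null;
}

$key    = random_bytes(32);                 // constructed demo key; keep the real one server-side
$token  = sealPaymentToken(1042, 77, $key); // constructed sample IDs
$forged = substr($token, 0, -1) . ($token[-1] === '0' ? '1' : '0');
var_dump(openPaymentToken($token, $key), openPaymentToken($forged, $key));
```

A valid token stays replayable until `exp` passes, so the payment handler should still check that the decoded user ID matches the logged-in session and that the order is in a payable state.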