PHP
bernex, 2015-12-07 10:05:46

How to sign and secure request data?

The task is to protect a request of the form
/payment/$ORDERID/
/payment/$USERID/
from:
1. Enumeration of $ORDERID
2. Visibility of $ORDERID
3. Knowing that the request came from where it was created, and not "manually"
At first there was the idea /payment/$ORDERID/$SIGN, where
$SIGN = hash('sha256', $orderID . $this->salt)
But I think this is not enough. I would prefer not to expose $ORDERID and $USERID.
Does it make sense to use:

    // Wrapper around the snippet: $message, $method (an openssl cipher name) and
    // $key were undefined in the fragment, so they are taken as parameters here.
    function encryptSegment(string $message, string $method, string $key): string
    {
        // the nonce/IV length depends on the chosen cipher
        $nonceSize = openssl_cipher_iv_length($method);
        $nonce = openssl_random_pseudo_bytes($nonceSize);

        $ciphertext = openssl_encrypt(
            $message,
            $method,
            $key,
            OPENSSL_RAW_DATA,
            $nonce
        );

        // the nonce is prepended so the receiver can decrypt; note that standard
        // base64 contains '+' and '/', which are not safe inside a URL path segment
        return base64_encode($nonce . $ciphertext);
    }

so as to get a simple request without a signature: /payment/$CRYPTEDDATA, where
$CRYPTEDDATA = crypt($ORDERID);
Or do I need to add a hash as well? Or is encryption enough? I do not want to complicate this to the level of delirium.


3 answers

Alex Safonov, 2015-12-07
@bernex

"I do not want to complicate this to the level of delirium."
Unfortunately, you will have to write some wrapper to encrypt/decrypt the protected segments. If you can make the code flexible and reusable, then it won't be nonsense.
In particular, you can change the encryption algorithm to one that is less expensive in terms of CPU time.
I would drop return base64_encode($nonce.$ciphertext); in favour of converting each byte of the ciphertext into hex (for example), or even into some base-25 system (the English alphabet).
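As an added example (not code from the asker or from any of the answers), here is the kind of encrypt/decrypt wrapper the answer above describes, applied to the asker's openssl_encrypt snippet and answering the "encryption or a hash?" question with both: AES-256-CTR for hiding $ORDERID, and an HMAC-SHA256 tag so that a forged or tampered token is rejected before anything is decrypted. The token is hex-encoded, as suggested above, so it is safe inside a URL path segment. The helper names (deriveKeys, sealSegment, openSegment), the route label "payment" and the idea of keeping a 32-byte master key in configuration are assumptions for the example; it needs PHP 7.1+ with ext/openssl.

```php
<?php
// Added example: an authenticated, encrypted path segment for /payment/<token>.
// Assumptions: a 32-byte master key loaded from config (generated once with
// random_bytes(32)), and a route label mixed into the MAC so a token minted
// for one route cannot be replayed on another.

const CIPHER = 'aes-256-ctr';
const TAG_LEN = 32; // HMAC-SHA256 output length in bytes

// Derive independent encryption and MAC keys from the single master secret.
function deriveKeys(string $masterKey): array
{
    return [
        'enc' => hash_hmac('sha256', 'payment-token-enc', $masterKey, true),
        'mac' => hash_hmac('sha256', 'payment-token-mac', $masterKey, true),
    ];
}

// seal: random IV -> encrypt -> MAC over (route || iv || ciphertext) -> hex.
// A fresh random IV per token makes every token unpredictable, which also
// removes the enumeration problem the plain /payment/$ORDERID/ form has.
function sealSegment(string $plaintext, string $masterKey, string $route): string
{
    $keys = deriveKeys($masterKey);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $keys['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $route . $iv . $ciphertext, $keys['mac'], true);
    // hex is URL-safe; plain base64 would put '+' and '/' into the path
    return bin2hex($iv . $ciphertext . $tag);
}

// open: parse -> verify the MAC in constant time -> only then decrypt.
// Returns null for anything that was not produced by sealSegment with this
// key and route (forged, truncated, tampered, or replayed from another route).
function openSegment(string $token, string $masterKey, string $route): ?string
{
    if ($token === '' || !ctype_xdigit($token) || strlen($token) % 2 !== 0) {
        return null;
    }
    $raw = hex2bin($token);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 1 + TAG_LEN) {
        return null;
    }
    $keys = deriveKeys($masterKey);
    $iv = substr($raw, 0, $ivLen);
    $ciphertext = substr($raw, $ivLen, -TAG_LEN);
    $tag = substr($raw, -TAG_LEN);
    $expected = hash_hmac('sha256', $route . $iv . $ciphertext, $keys['mac'], true);
    if (!hash_equals($expected, $tag)) {
        return null; // constant-time compare failed: do not touch the ciphertext
    }
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $keys['enc'], OPENSSL_RAW_DATA, $iv);
    return $plaintext === false ? null : $plaintext;
}

// Demonstration with a constructed key and order id.
$masterKey = random_bytes(32); // in real use: read from configuration, never from the URL
$token = sealSegment('12345', $masterKey, 'payment');
echo "/payment/$token\n";
var_dump(openSegment($token, $masterKey, 'payment'));

// Flip the last hex digit: the MAC no longer matches, so the order id is never decrypted.
$tampered = substr($token, 0, -1) . ($token[-1] === '0' ? '1' : '0');
var_dump(openSegment($tampered, $masterKey, 'payment'));

// The same token presented under a different route label is rejected as well.
var_dump(openSegment($token, $masterKey, 'refund'));
```

Run it and the first var_dump yields the original order id, while the tampered token and the wrong-route token both come back null. The design choice worth noting is the order of operations in openSegment: the tag is checked with hash_equals before openssl_decrypt is ever called, so an attacker probing the endpoint with modified tokens learns nothing from decryption behaviour, and the server does no cipher work for requests that did not originate from its own sealSegment.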

MetaDone, 2015-12-07
@MetaDone

https://tech.yandex.ru/money/doc/dg/reference/noti...
It's not very clear what you want, but it seems a scheme like Yandex-money's would do.

Evgeny Svirsky, 2015-12-07
@e_svirsky

You can use AES-256 encryption with a secret: it protects against enumeration, and the userId and orderId data are not visible.
