Does Google cloud messaging provide / support authentication, integrity and non repudiation?

I want to make sure that what I receive from the server actually came from the server and was not tampered with in transit. I have an application that sends commands from a server to mobile devices. For power efficiency purposes, it would be nice to include that kind of payload into the GCM message. However, it would be bad if someone tries to impersonate the server and send incorrect or malicious commands. I wonder if GCM provides a mechanism in this respect, if just signing the messages would be enough or if it is better just to use GCM for waking up the application and then use another channel to receive the command, even if it consumes a small amount of extra energy.

If you want to verify that the message came from the server, you should sign it with a private key from a public/private key pair. You can then verify the signature in the client using the public key. This way you know that the request came from the server (assuming your private key isn't compromised. Keep it safe!). This is how Windows Update works, as well as APT and YUM.

Note though, that this will only prevent someone impersonating your server. It won't encrypt the data, and it won't guarantee anything about the client. You can't do the same thing in reverse (sign client-originating data with a client private key) because anything that comes from the client can be tampered with/spoofed or otherwise malicious. If you want the client information to be encrypted you can encrypt it with the server's public key and only the server's private key will decrypt it.
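
The sign-on-server, verify-on-client flow described in the answer, as an added example that is not part of the original question or answer. It assumes Node.js with its built-in `crypto` module and Ed25519 keys; the field names (`payload`, `sig`, `cmd`, `id`, `exp`) are hypothetical, and the expiry and replay checks go beyond what the answer covers, since a valid signature alone does not stop an old message from being delivered again.

```javascript
const crypto = require('node:crypto');

// Constructed key pair for the demo. In a deployment the private key stays on
// the server and only the public key is shipped inside the app.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Server side: build the string fields that go into the push message's data.
// The command is serialized once, and the signature covers those exact bytes.
function signCommand(command, privKey, now = Date.now(), ttlMs = 60_000) {
  const body = JSON.stringify({
    cmd: command,
    id: crypto.randomUUID(), // unique per message, used for replay detection
    exp: now + ttlMs,        // expiry time in ms since epoch (assumed policy)
  });
  const payload = Buffer.from(body, 'utf8').toString('base64');
  const sig = crypto
    .sign(null, Buffer.from(payload, 'utf8'), privKey)
    .toString('base64');
  return { payload, sig };
}

// Client side: returns the command string, or null if the message must be
// dropped. The signature is checked over the received payload string before
// anything inside it is parsed, so unauthenticated JSON never reaches the parser.
function verifyCommand(data, pubKey, seenIds, now = Date.now()) {
  if (!data || typeof data.payload !== 'string' || typeof data.sig !== 'string') {
    return null;
  }
  let ok = false;
  try {
    ok = crypto.verify(null, Buffer.from(data.payload, 'utf8'), pubKey,
                       Buffer.from(data.sig, 'base64'));
  } catch (e) {
    ok = false; // malformed signature is treated the same as a bad one
  }
  if (!ok) return null;

  const msg = JSON.parse(Buffer.from(data.payload, 'base64').toString('utf8'));
  if (typeof msg.exp !== 'number' || now > msg.exp) return null; // stale
  if (typeof msg.id !== 'string' || seenIds.has(msg.id)) return null; // replay
  seenIds.add(msg.id);
  return typeof msg.cmd === 'string' ? msg.cmd : null;
}
```

As the answer notes, this authenticates the server but does not encrypt the command; anyone who can read the push message can still read `payload`.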
