
Encrypt JSON data with a secret key on iOS and decrypt it with Node.js

I need to protect my API against CSRF on POST and PUT requests.

To do that, I think the mobile device (for example iOS) needs to send a token to the API server (Node.js). This token must be encrypted and contain JSON data that will be decrypted server side.

To decrypt the data, the mobile device uses the same secret key that the server knows.

For example: {_csrf: 123456789} will be decrypted from the token sent by the mobile device and checked by the API to see if it matches.

  1. Is this the right way? If not, what is the right way?

  2. How can I encrypt JSON data on iOS and decrypt it on Node.js? (JWT does not have a library for iOS)

Can you provide me with example code to encrypt data on iOS and decrypt it on Node.js?

Just use HTTPS; it encrypts everything, even any query string.

The content is encrypted with a random symmetric key, and that key is encrypted with an asymmetric key from the certificate. Additionally, the symmetric key has a short lifetime. Additionally, you do not have to implement any encryption routines.

Also note that iOS 9 will by default require HTTPS to be used for all connections; any HTTP connections will need to be white-listed in the plist.

If you do your own encryption you immediately have the problem of sharing the encryption key between the device and the server. This is not an easy problem to solve.

When accessing the API from a browser page, to protect against CSRF, you can send a token in HTTP headers, for example X-CSRF-Token, or use a cookie.

For example, have your server send the CSRF token in an HTTP response using the X-CSRF-Token header. You can have your page send it back in the JSON on the POST or PUT. Or have your page read it from the cookie and put it into the JSON.

(HTTPS from the browser will not protect against CSRF, since any script on any other site running in the same browser can POST to your HTTPS server freely. Your page needs to have a token that no other page in the same browser has access to.)
