Can I use password_hash() to validate the sender?

Question

I need check on my server if I received a trusty message from sender. Basically I have a private key that only the Sender (client) and the Receiver (server) knows what is. The Sender generate a public key (based on private key) and send it to Receiver, with the action to execute. The Receiver check if this public key is valid. If it is, execute what Sender wants.

My doubt here is how I need hash the public key. If I need use a simple hash algo (like hash(sha256) ) or if I can use the password_hash() to it.

More about the process (optional reading):

Sender and Receiver knows the private key. Sender generate a public key based on private key, current time and optional additional data. So it send to server with the action, so I send something like that:

command:key = 12345678901234567890123456789012
command:timestamp = 1234567890
action:name = truncate:users

Receiver will check if command:key is valid, regenerating the public key on server side, repeating the same process done by sender, with the same private key. If it pass, it'll check too if this key was used before, and if timestamp is closest to current time (to avoid use older valid keys). If all is valid, so the action:name is executed by server and a response is returned to sender.

Example :

Bob (client) wants execute on Alpha (server) the truncate-users function. Bob knows the server private key. So he create a public key (token) to validate your command on server.

Server will receive Bob command and check if your public key is valid, based on server private key. How it is, so server will execute Bob command and return a success value.

The idea is not encrypt Bob message to server, but only tells to server that he is a trusty guy.

Answer 1

If I understand what you are doing correctly, then yes, you can use password_hash . Something like this:

Sender:

$key = "super secret";
$timestamp = time();
$action = "truncate:users";
$signature = password_hash($key . $timestamp . $action, PASSWORD_DEFAULT);
$message = array(
  'command:key' => $signature,
  'command:timestamp' => $timestamp,
  'action:name' => $action
);
send($message);

Receiver:

$message = receive();
$key = "super secret";
$valid = password_verify($key . $message['command:timestamp'] . $message['action:name'], $message['command:key']);
if ($valid) {
  //message is OK
} else {
  //something is wrong; maybe an attacker?
}

Really, this isn't public key cryptography, this is message signing, which is a pretty standard thing to do. You could also look into the hash_hmac function for this, or use OpenSSL. Generally, those are better ideas, since it's much easier to mess things up if you try to do it yourself.

Answer 2

It sounds like what you're really asking for is how to compute a digital signature for the request. Signatures are used to verify that the request came from the right sender, and that the message has not been tampered with.

It looks like PHP supports signatures through openSSL

• http://php.net/manual/en/function.openssl-sign.php
• http://php.net/manual/en/function.openssl-verify.php

I'd suggest that you read up on how to implement a signature system correctly. It's easy to get things wrong - even experts get it wrong fairly frequently - so take the time to understand what you're building and the security risks.