
How can I verify the identity of a server I control in a Python application?

My application automatically downloads updates from a central server. I'm a bit worried about someone, for example, hijacking my domain name and pointing it to their own server that offers subverted copies of the application.

It seems to me like symmetric keys are the way to go about this. I'm thinking I can encode the public key right into the program's source and keep the private key on my server, then add a step to the protocol where the client sends a message meaning "are you an authorized server" and the server sends back a message meaning "I sure am" encoded with the private key, and thus decoding it with the public key verifies that it came from my server. We then proceed as normal.

Assuming this isn't a completely stupid way to go about things, how do I go about it? What lightweight libraries exist to encode/decode with RSA keys? I don't think I want full TLS with SSL; I don't care who reads the update, and I can't really afford decryption overhead anyway - the download times are annoying as it is!

The process needs to work something like this...

Server-side:

  • Build your message data on the server
  • Hash it using something like SHA256
  • Use the private key to sign the hash
  • Send the signature and the data to the client

Client-side:

  • Receive data and signature
  • Calculate the hash of the data independently
  • Use the public key to verify that the hash we've generated matches the one signed by the server.

If so, we know the data has been sent by the server and is unmodified. We don't stop anyone else seeing the data, merely from tampering with it.

The reason for doing it this way is the asymmetric encryption is very expensive (and gets more expensive quickly as message size increases). By simply signing a hash, we're limiting the amount of data that we need to process cryptographically, while still ensuring the message is unmodified.

Be aware that this is a very high-level overview and there are lots of details that need to be handled correctly. Anything related to crypto is extremely hard to do correctly. If possible, find a library that already does this and use that instead.

If you can't find something that suits your needs, look into pycrypto or rsa and get reading. This question might be a good place to start, but make sure you read both answers.
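The sign-then-verify flow from the answer above, as an added example that is not part of the original answer. It assumes the third-party `cryptography` package (`pip install cryptography`) rather than pycrypto or rsa, and uses RSA-PSS over a SHA-256 digest; the update manifest and its version field are constructed sample data.

```python
# Added example: server signs a SHA-256 digest of the update data, the client
# (which only holds the pinned public key) verifies it. Assumes the `cryptography`
# package. A hijacked domain cannot produce a valid signature without the private key.
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
PREHASHED = utils.Prehashed(hashes.SHA256())


def generate_keypair():
    """Done once on the server: keep the private key there, ship the public PEM in the client."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv, pub_pem


def sign_update(private_key, data: bytes) -> bytes:
    """Server side: hash the payload, sign only the digest (cheap regardless of payload size)."""
    digest = hashlib.sha256(data).digest()
    return private_key.sign(digest, PSS, PREHASHED)


def verify_update(pub_pem: bytes, data: bytes, signature: bytes) -> bool:
    """Client side: recompute the digest independently and check it against the signature."""
    pub = serialization.load_pem_public_key(pub_pem)
    digest = hashlib.sha256(data).digest()
    try:
        pub.verify(signature, digest, PSS, PREHASHED)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    priv, pub_pem = generate_keypair()
    # Constructed sample manifest. Including a version in the signed data lets the
    # client also reject an old, genuinely signed update being replayed to it.
    manifest = b'{"version": "1.2.0", "url": "https://example.invalid/app-1.2.0.zip"}'
    sig = sign_update(priv, manifest)
    print("genuine:", verify_update(pub_pem, manifest, sig))          # True
    print("tampered:", verify_update(pub_pem, manifest + b"x", sig))  # False
```

Signature verification only proves the bytes came from the private key holder; the client should still compare the manifest's version against its own so a replayed older release is refused.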
