I'm new to cryptography, I want to implement https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-10 to my spring-boot application (requirement from the client). The client asks me to implement a header something like this,
Authorization: Signature keyId="Test",algorithm="rsa-sha256",
signature="SjWJWbWN7i0wzBvtPl8rbASWz5xQW6mcJmn ibttBqtifLN7Sazz
6m79cNfwwb8DMJ5cou1s7uEGKKCs FLEEaDV5lp7q25WqS lavg7T8hc0GppauB
6hbgEKTwblDHYGEtbGmtdHgVCk9SuS13F0hZ8FD0k/5OxEPXe5WozsbM="
I have no idea about the Authentication signature generation based on this specification. Anyone help me to understand these terms in a simple manner
- what is the KeyId & usage of it?
- what is the signature value and how to generate it?
I have no idea help me to understand this
CodePudding user response:
What you see here is yet another layer of protection in case someone brakes the TLS. The documentation states it like this:
For high security transactions, having an additional signature on the HTTP header allows a client to ensure that even if the transport channel has been compromised, that the content of the messages have not been compromised.
So what you really want to do is to use some kind of Message Authentication Code (MAC) so even if an active attacker has the ability to manipulate the message sent, the MAC will not match and the whole message will be rejected by the server.
I have looked through the docs and implementing this stuff is not a trivial matter. But it looks like there are libraries already present which can help you achieve this. First Google hits:
Regarding keyId:
The
keyIdfield is an opaque string that the server can use to look up the component they need to validate the signature. It could be an SSH key fingerprint, a URL to machine-readable key data, an LDAP DN, etc. Management of keys and assignment ofkeyIdis out of scope for this document.
In short - you decide what it is going to be. It needs to be something that allows you to identify the subject and enables to verify the signature in the first place.