AllBASIC Forum

BASIC User Group => NOT BASIC => Topic started by: jalih on August 14, 2022, 10:36:20 PM

Title: WebSocket server and secure authentication
Post by: jalih on August 14, 2022, 10:36:20 PM

I started writing a WebSocket server that will act as  an "router" between smart home  controllers and mobile applications used to control and monitor systems. Naturally smart home controllers can also save data into cloud.

I am thinking about what would be the best way to authenticate smarthome controlllers and mobile applications. Traditional approach would be to login with username and password but as I want my server to be as secure as possible, would ed25519 based public key authentication be a better option?

Server program and  mobile clients will all be 8th applications and 8th supports more crypto stuff out of the box than I will ever need.

As connection is made over https, there is probably no need to  encrypt the communication channel. So, something like following would work:

• Client sends it's public key to server
• Server checks that public key exist inside the user database, responds with a challenge message and computes hash based on this message
• Client independently computes the message hash, passes private key and hash for cr:ed25519-sign and sends result back to server
• Server uses public key, hash and signature buffer from the client to authenticate the user with cr:ed25519-verify

Other possibility that allows encrypting messages between server and clients is:

• The client sends its public key to the server. The server creates a shared secret (servers private key, client public key) which it uses to encrypt a randomly generated session-key to the client.
• If the client is sending an invalid public key, no communication is possible and the server drops the connection.
• If the client is sending a valid public key, it knows the shared secret (servers public key, client private key) and uses that to decrypt the session key.
• Now session key can be used to encrypt data over channel

Title: Re: WebSocket server and secure authentication
Post by: John on August 14, 2022, 11:40:48 PM

I would suggest you adapt 8th to the OAuth 2.0 standard as that seems to be where everyone is headed.

Title: Re: WebSocket server and secure authentication
Post by: jalih on August 15, 2022, 12:28:03 AM

Quote from: John on August 14, 2022, 11:40:48 PM

I would suggest you adapt 8th to the OAuth 2.0 standard as that seems to be where everyone is headed.

There seems to be words for OAuth authentication included, so it's probably already supported.

For my use case here, it's probably not the best option as I don't want to use any third party services.

Title: Re: WebSocket server and secure authentication
Post by: AIR on August 15, 2022, 10:23:51 AM

How about setting up 2FA?  There are several open-source self-hosted solutions if you want to stay away from 3rd parties.

Or you can use 8th to create 2FA support on the server side.   ;D

AIR.

Title: Re: WebSocket server and secure authentication
Post by: jalih on August 15, 2022, 12:06:16 PM

Quote from: AIR on August 15, 2022, 10:23:51 AM

How about setting up 2FA?  There are several open-source self-hosted solutions if you want to stay away from 3rd parties.

Or you can use 8th to create 2FA support on the server side.   ;D

AIR.

It seems 2FA support is also included with the 8th!  ;D