// Forgeries/Intercept
There have been some incredible forgeries of paintings in history. Unfortunately, for some art collectors, there are some very talented painters with the skill to reproduce other painters styles and then top it off with a near perfect signature. Leaving enthusiasts, collectors, and experts alike with something less than it claimed to be. Access tokens experience the same problem.
Access tokens, while they are not works of art, can be passed off as forgeries or even stolen. If access tokens can easily be forged, anyone can masquerade as another user and do things on their behalf. Intercepted access tokens, for example tokens being passed over an unencrypted connection can be intercepted and used. This is where a signed token comes in.
// Signed Tokens
A signed token is like a normal token, but it has an extra bit of information tacked to verify the authenticity and contents. Sometimes signed tokens are used to identify users or grant access to a protected resource. A signed token, or a signed anything, is a payload concatenated with the digest of the payload and a 'secret'. A payload is whatever bit of information we care about and the digest is the output of our hashing function, which we'll get to. This signature allows us to verify the content hasn't been tampered with and is authentic, because only people who know the secret can generate the right digest. It's like we have a machine that takes in a message, signature, and a secret then tells you if its good or tampered with. So, how would we create such a machine? First, we need a hashing function.
// Hashing function
A hashing function is some math thing that creates a unique signature from arbitrary data and/or a secret to make the signature even more unique. I've mentioned digest, hash, and signature a few times already, but they're all the same thing: the output of the hashing function. A hashing function is only one way, it can't be reverted and you can't reproduce the original data from just the digest. A hashing function will produce the same digest if it is fed the same data and secret, but if even one character or bit is changed in the input or secret, the digest will be very different. We'll look at SHA256, hashing function that can take in an optional secret.
 |
| SHA256 takes in data and a secret then produces a constant length signature or hash. |
- Clone the repository
- cd ./sha256-test
- npm install --save
- node hash-test.js
Node comes with an implementation of the SHA256 hashing algorithm in the crypto module. The following example has a preset secret and will hash whatever line is typed into the terminal.
 |
| The output of the hashing function radically changes even for a small change in the input |
Try few things and see what the outcome is. Typing in the same message twice will produce the exact same output because the data and the secret haven't changed. Try changing the original message just a little big and see what happens to the output. As you can see in the image above, even a small change makes a huge difference! I only omitted one character from the original message. The same thing will happen if the data remains the same, but the secret is only changed slightly. How can we use this to our advantage and prove that messages or tokens haven't been tampered with?
// Next Time
Now that we have a little bit of an understanding of how a hashing function works, we'll make our own access token.
No comments:
Post a Comment