1,3 → 1,5 |
|
|
# Server requests using client challenges |
|
### What is it? |
10,10 → 12,54 |
A usage example is located in the directory example/ |
|
### System requirements |
- PHP compatible web-server (tested with Apache 2, nginx, and Microsoft IIS) |
- PHP-compatible web server (tested with Apache 2, nginx, and Microsoft IIS) |
- PHP 7.0 or higher (also tested with PHP 8.0) |
- Independent of operating system (tested with Windows, Linux, and macOS X) |
|
|
### Program flow |
|
#### 1. Request from Client to Server (Get Challenge) |
Request parameters: |
- None |
|
The server will generate a secret random number between Min and Max. |
The difference between Min and Max is the complexity constant. |
|
Response: |
- Current time ("Start time") |
- IP address of the client |
- Challenge = `Hash(StartTime + IP address + Random number)` |
- Min value |
- Max value |
- Challenge integrity = `Hash_HMAC(Challenge, ServerSecret)` |
|
Additionally, the server will create a "transaction file" (which prevents a replay attack). The filename is `Hash_HMAC(IP+Random, ServerSecret)`. |
|
The client will now brute-force all values to find the random value between Min and Max. |
|
#### 2. Request from Client to Server (Solve Challenge and request the resource) |
|
Request parameters: |
- StartTime (as received previously from the server) |
- IP address of the client (as received previously from the server) |
- Challenge (as received previously from server) |
- Answer (the random number found) |
- Challenge Integrity (as received previously from the server) |
|
The server will do: |
- Check if parameters exist and have the correct data type |
- Verify that the IP address is the same, otherwise return the error "IP address changed" |
- Verify StartTime is not older than "X" minutes*, otherwise return the error "Challenge expired" |
- Verify that the challenge integrity fits the HMAC of the Challenge |
- Check if the challenge was solved, i.e. Original Challenge matches `Hash(StartTime + IP + Answer)` |
- Check if the transaction file exists, otherwise return the error "Challenge submitted twice" |
- If all is OK, delete the transaction file (to prevent the answer is sent again) and grant access to the resource |
|
Note: Depending on when you solve the challenge, you should decide on a fitting timeout value, e.g. |
- When the challenge is solved once the login/contact/... form is shown -> choose a timeout value of 10 minutes. The usage of a "transaction file" is important, because the same challenge can be submitted within 10 minutes. |
- When the challenge is solved during the pressing of the "log in/send/..." button -> choose a timeout value of 10-30 seconds (depending on what your complexity constant is and how fast the client CPU is). Usage of "transaction file" is still recommended, but not as important. |
|
### Reporting a bug |
You can file a bug report here: |
- https://www.viathinksoft.com/thinkbug/thinkbug.php?id=119 |