GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → nginx-modules → ngx_http_hmac_secure_link_module

nginx-modules / ngx_http_hmac_secure_link_module

Licence: Unlicense license
HMAC Secure Link module for NGINX.

Programming Languages

c
50402 projects - #5 most used programming language

Labels

nginxsecuritylegacymoduleauthenticationopensslunix-timestamphashhmactimestampgosthashing-algorithmblake2sha3sha512lifetimerfc-2104sm3iso-8601expiration-period

Projects that are alternatives of or similar to ngx http hmac secure link module

hash-wasm
Lightning fast hash functions using hand-tuned WebAssembly binaries
Stars: ✭ 382 (+712.77%)
Mutual labels:  hash, hmac, sha3, sha512, sm3
noble-hashes
Audited & minimal JS implementation of SHA2, SHA3, RIPEMD, BLAKE2/3, HMAC, HKDF, PBKDF2 & Scrypt
Stars: ✭ 213 (+353.19%)
Mutual labels:  hash, hmac, blake2, sha3, sha512
jscrypto
Crypto library for Node/ES6/Typescript/Browser.
Stars: ✭ 20 (-57.45%)
Mutual labels:  openssl, hash, sha512
iroha-ed25519
RFC8032 compatible Ed25519 implementation with pluggable hash (sha2-512, sha3-512)
Stars: ✭ 28 (-40.43%)
Mutual labels:  openssl, sha3, sha512
WebCrypto.swift
A small collection of cryptographic functions based on the JavaScript WebCrypto API.
Stars: ✭ 16 (-65.96%)
Mutual labels:  openssl, hash, sha512
hash-checker
Fast and simple application that allows you to generate and compare hashes from files and text
Stars: ✭ 72 (+53.19%)
Mutual labels:  hash, hashing-algorithm, sha512
hkdf
A standalone Java 7 implementation of HMAC-based key derivation function (HKDF) defined in RFC 5869 first described by Hugo Krawczyk. HKDF follows the "extract-then-expand" paradigm which is compatible to NIST 800-56C Rev. 1 two step KDF
Stars: ✭ 47 (+0%)
Mutual labels:  hash, hmac
Open Crypto
🔑 Hashing (BCrypt, SHA2, HMAC), encryption (AES), public-key (RSA), and random data generation.
Stars: ✭ 115 (+144.68%)
Mutual labels:  openssl, hash
go-checksum
Simple tool to calc Golang module checksum of go.mod and module dir.
Stars: ✭ 45 (-4.26%)
Mutual labels:  module, hash
Scrypt
A .NET implementation of scrypt password hash algorithm.
Stars: ✭ 90 (+91.49%)
Mutual labels:  hash, hashing-algorithm
sha3
SHA3 for Ruby is a XKCP based native (C) binding to SHA3 (FIPS 202) cryptographic hashing algorithm
Stars: ✭ 35 (-25.53%)
Mutual labels:  hash, sha3
fhash
fHash - an open source files hash calculator for Windows and macOS
Stars: ✭ 222 (+372.34%)
Mutual labels:  hash, sha512
timestampy
🕒 Bunch of utilities useful when working with UNIX timestamps
Stars: ✭ 21 (-55.32%)
Mutual labels:  unix-timestamp, timestamp
get-css-data
A micro-library for collecting stylesheet data from link and style nodes
Stars: ✭ 29 (-38.3%)
Mutual labels:  legacy, module
Nsec
A modern and easy-to-use cryptographic library for .NET Core based on libsodium
Stars: ✭ 217 (+361.7%)
Mutual labels:  hash, hmac
Jssha
A JavaScript/TypeScript implementation of the complete Secure Hash Standard (SHA) family (SHA-1, SHA-224/256/384/512, SHA3-224/256/384/512, SHAKE128/256, cSHAKE128/256, and KMAC128/256) with HMAC.
Stars: ✭ 2,089 (+4344.68%)
Mutual labels:  hash, hmac
node-blake2
All four BLAKE2 variants (blake2b, blake2bp, blake2s, blake2sp) with stream support for Node.js
Stars: ✭ 52 (+10.64%)
Mutual labels:  hash, blake2
prvhash
PRVHASH - Pseudo-Random-Value Hash. Hash functions, PRNG with unlimited period, randomness extractor. (Codename Gradilac/Градилак)
Stars: ✭ 194 (+312.77%)
Mutual labels:  hash, hashing-algorithm
Hashapi Lib Node
Tierion Hash API client library for Node.js
Stars: ✭ 20 (-57.45%)
Mutual labels:  hash, timestamp
Crypto Async
Fast, reliable cipher, hash and hmac methods executed in Node's threadpool for multi-core throughput.
Stars: ✭ 161 (+242.55%)
Mutual labels:  hash, hmac
View All Similar Projects ➔

Nginx HMAC Secure Link Module

Description:

The Nginx HMAC secure link module enhances the security and functionality of the standard secure link module.
Secure token is created using secure HMAC construction with an arbitrary hash algorithm supported by OpenSSL, e.g.: blake2b512, blake2s256, gost, md4, md5, mdc2, rmd160, sha1, sha224, sha256, sha3-224, sha3-256, sha3-384, sha3-512, sha384, sha512, sha512-224, sha512-256, shake128, shake256, sm3.

Furthermore, secure token is created as described in RFC2104, that is, H(secret_key XOR opad,H(secret_key XOR ipad, message)) instead of a simple MD5(secret_key,message, expire).

Installation:

You'll need to re-compile Nginx from source to include this module.
Modify your compile of Nginx by adding the following directive (modified to suit your path of course):

Static module (built-in nginx binary)

./configure --add-module=/absolute/path/to/ngx_http_hmac_secure_link_module

Dynamic nginx module ngx_http_hmac_secure_link_module.so module

./configure --add-dynamic-module=/absolute/path/to/ngx_http_hmac_secure_link_module

Build Nginx

make
make install

Usage:

Message to be hashed is defined by secure_link_hmac_message, secret_key is given by secure_link_hmac_secret, and hashing algorithm H is defined by secure_link_hmac_algorithm.

For improved security the timestamp in ISO 8601 the format 2017-12-08T07:54:59+00:00 (one possibility according to ISO 8601) or as Unix Timestamp should be appended to the message to be hashed.

It is possible to create links with limited lifetime. This is defined by an optional parameter. If the expiration period is zero or it is not specified, a link has the unlimited lifetime.

Configuration example for server side.

location ^~ /files/ {
    # Variable to be passed are secure token, timestamp, expiration period (optional)
    secure_link_hmac "$arg_st,$arg_ts,$arg_e";

    # Secret key
    secure_link_hmac_secret "my_secret_key";

    # Message to be verified
    secure_link_hmac_message "$uri|$arg_ts|$arg_e";

    # Cryptographic hash function to be used
    secure_link_hmac_algorithm sha256;

    # In production environment, we should not reveal to potential attacker
    # why hmac authentication has failed
    # - If the hash is incorrect then $secure_link_hmac is a NULL string.
    # - If the hash is correct but the link has already expired then $secure_link_hmac is "0".
    # - If the hash is correct and the link has not expired then $secure_link_hmac is "1".
    if ($secure_link_hmac != "1") {
        return 404;
    }

    rewrite ^/files/(.*)$ /files/$1 break;
}

Application side should use a standard hash_hmac function to generate hash, which then needs to be base64url encoded. Example in Perl below.

Variable $data contains secure token, timestamp in ISO 8601 format, and expiration period in seconds

perl_set $secure_token '
    sub {
        use Digest::SHA qw(hmac_sha256_base64);
        use POSIX qw(strftime);

        my $now = time();
        my $key = "my_very_secret_key";
        my $expire = 60;
        my $tz = strftime("%z", localtime($now));
        $tz =~ s/(\d{2})(\d{2})/$1:$2/;
        my $timestamp = strftime("%Y-%m-%dT%H:%M:%S", localtime($now)) . $tz;
        my $r = shift;
        my $data = $r->uri;
        my $digest = hmac_sha256_base64($data . "|" . $timestamp . "|" . $expire,  $key);
        $digest =~ tr(+/)(-_);
        $data = "st=" . $digest . "&ts=" . $timestamp . "&e=" . $expire;
        return $data;
    }
';

A similar function in PHP

$secret = 'my_very_secret_key';
$expire = 60;
$algo = 'sha256';
$timestamp = date('c');
$unixtimestamp = time();
$stringtosign = "/files/top_secret.pdf|{$unixtimestamp}|{$expire}";
$hashmac = base64_encode(hash_hmac($algo, $stringtosign, $secret, true));
$hashmac = strtr($hashmac, '+/', '-_');
$hashmac = str_replace('=', '', $hashmac);
$host = $_SERVER['HTTP_HOST'];
$loc = "https://{$host}/files/top_secret.pdf?st={$hashmac}&ts={$unixtimestamp}&e={$expire}";

Using Unix timestamp in Node.js

const crypto = require("crypto");
const secret = 'my_very_secret_key';
const expire = 60;
const unixTimestamp = Math.round(Date.now() / 1000.);
const stringToSign = `/files/top_secret.pdf|${unixTimestamp}|${expire}`;
const hashmac = crypto.createHmac('sha256', secret).update(stringToSign).digest('base64')
      .replace(/=/g, '')
      .replace(/\+/g, '-')
      .replace(/\//g, '_');
const loc = `https://host/files/top_secret.pdf?st=${hashmac}&ts=${unixTimestamp}&e=${expire}`;

Bash version

#!/bin/bash

SECRET="my_super_secret"
TIME_STAMP="$(date -d "today + 0 minutes" +%s)";
EXPIRES="3600"; # seconds
URL="/file/my_secret_file.txt"
ST="$URL|$TIME_STAMP|$EXPIRES"
TOKEN="$(echo -n $ST | openssl dgst -sha256 -hmac $SECRET -binary | openssl base64 | tr +/ -_ | tr -d =)"

echo "http://127.0.0.1$URL?st=$TOKEN&ts=$TIME_STAMP&e=$EXPIRES"

It is also possible to use this module with a Nginx acting as proxy server.

The string to be signed is defined in secure_link_hmac_message, the secure_link_hmac_token variable contains then a secure token to be passed to backend server.

location ^~ /backend_location/ {
    set $expire 60;

    secure_link_hmac_message "$uri|$time_iso8601|$expire";
    secure_link_hmac_secret "my_very_secret_key";
    secure_link_hmac_algorithm sha256;

    proxy_pass "http://backend_server$uri?st=$secure_link_hmac_token&ts=$time_iso8601&e=$expire";
}

Embedded Variables

  • $secure_link_hmac -
  • $secure_link_hmac_token -
  • $secure_link_hmac_expires - The lifetime of a link passed in a request.

Contributing:

Git source repositories: http://github.com/nginx-modules/ngx_http_hmac_secure_link_module/tree/master

Please feel free to fork the project at GitHub and submit pull requests or patches.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].