使用哈希进行身份验证

【问题标题】:Authentication with hashing使用哈希进行身份验证
【发布时间】:2020-07-06 13:32:50
【问题描述】:

我需要使用我不理解的复杂身份验证过程连接到 API。 我知道它涉及多个步骤,并且我试图模仿它,但我发现文档非常混乱......

我的想法是我向端点发出请求,该端点将返回一个令牌给我,我需要使用它来建立 websocket 连接。

我确实得到了一个我不知道其语法的 Python 代码示例,但我可以将其用作将其转换为 C# 语法的指南。

这是 Python 代码示例:

import time, base64, hashlib, hmac, urllib.request, json

api_nonce = bytes(str(int(time.time()*1000)), "utf-8")
api_request = urllib.request.Request("https://www.website.com/getToken", b"nonce=%s" % api_nonce)
api_request.add_header("API-Key", "API_PUBLIC_KEY")
api_request.add_header("API-Sign", base64.b64encode(hmac.new(base64.b64decode("API_PRIVATE_KEY"), b"/getToken" + hashlib.sha256(api_nonce + b"nonce=%s" % api_nonce).digest(), hashlib.sha512).digest()))

print(json.loads(urllib.request.urlopen(api_request).read())['result']['token'])

所以我尝试将其转换为 C#,这是我目前得到的代码:

    static string apiPublicKey = "API_PUBLIC_KEY";
    static string apiPrivateKey = "API_PRIVATE_KEY";
    static string endPoint = "https://www.website.com/getToken";

    private void authenticate()
    {
        using (var client = new HttpClient())
        {
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;


            // CREATE THE URI
            string uri = "/getToken";


            // CREATE THE NONCE
            /// NONCE = unique identifier which must increase in value with each API call
            /// in this case we will be using the epoch time
            DateTime baseTime = new DateTime(1970, 1, 1, 0, 0, 0);
            TimeSpan epoch = CurrentTime - baseTime;
            Int64 nonce = Convert.ToInt64(epoch.TotalMilliseconds);


            // CREATE THE DATA
            string data = string.Format("nonce={0}", nonce);

            // CALCULATE THE SHA256 OF THE NONCE
            string sha256 = SHA256_Hash(data);


            // DECODE THE PRIVATE KEY
            byte[] apiSecret = Convert.FromBase64String(apiPrivateKey);



            // HERE IS THE HMAC CALCULATION

        }
    }

    public static String SHA256_Hash(string value)
    {
        StringBuilder Sb = new StringBuilder();

        using (var hash = SHA256.Create())
        {
            Encoding enc = Encoding.UTF8;
            Byte[] result = hash.ComputeHash(enc.GetBytes(value));

            foreach (Byte b in result)
                Sb.Append(b.ToString("x2"));
        }

        return Sb.ToString();
    }

所以下一部分是我真正挣扎的地方。需要进行一些 HMAC 计算,但我完全迷路了。

【问题讨论】:

  • 您能提供文档链接吗?
  • 你不能用HMACSHA512类吗?
  • 您需要在 python 中调试一个静态示例,以便您可以检查进度并查看它在 C# 实现中的偏差。使用将在 Python 示例和 C# 实现中使用的硬编码时间值。您应该只需要运行一次 Python 示例并在此过程中打印出关键变量,然后将其保存以与您的 C# 实现进行比较。

标签: c# python hash hmac sha


【解决方案1】:

这里的主要任务是逆向API-SignSHA-512 HMAC计算。使用DateTimeOffset.Now.ToUnixTimeMilliseconds获取APInonce,它将返回一个Unix时间戳毫秒值。然后这一切都归结为连接字节数组并生成哈希。我使用硬编码的api_nonce 时间只是为了演示结果;每次计算 API-Sign 键时,您必须取消注释 string ApiNonce = DateTimeOffset.Now.ToUnixTimeMilliseconds 以获取当前的 Unix 时间戳毫秒。

PythonAPI-Sign代:

import time, base64, hashlib, hmac, urllib.request, json

# Hardcoce API_PRIVATE_KEY base 64 value
API_PRIVATE_KEY = base64.encodebytes(b"some_api_key_1234")

# time_use = time.time()
# Hardcode the time so we can confirm the same result to C#
time_use = 1586096626.919

api_nonce = bytes(str(int(time_use*1000)), "utf-8")

print("API nonce: %s" % api_nonce)

api_request = urllib.request.Request("https://www.website.com/getToken", b"nonce=%s" % api_nonce)
api_request.add_header("API-Key", "API_PUBLIC_KEY_1234")

print("API_PRIVATE_KEY: %s" % API_PRIVATE_KEY)

h256Dig = hashlib.sha256(api_nonce + b"nonce=%s" % api_nonce).digest()

api_sign = base64.b64encode(hmac.new(base64.b64decode(API_PRIVATE_KEY), b"/getToken" + h256Dig, hashlib.sha512).digest())

# api_request.add_header("API-Sign", api_sign)
# print(json.loads(urllib.request.urlopen(api_request).read())['result']['token'])

print("API-Sign: %s" % api_sign)

将输出:

API nonce: b'1586096626919'
API_PRIVATE_KEY: b'c29tZV9hcGlfa2V5XzEyMzQ=\n'
API-Sign: b'wOsXlzd3jOP/+Xa3AJbfg/OM8wLvJgHATtXjycf5EA3tclU36hnKAMMIu0yifznGL7yhBCYEwIiEclzWvOgCgg=='

C#API-Sign代:

static string apiPublicKey = "API_PUBLIC_KEY";
// Hardcoce API_PRIVATE_KEY base 64 value
static string apiPrivateKey = Base64EncodeString("some_api_key_1234");
static string endPoint = "https://www.website.com/getToken";

public static void Main()
{
    Console.WriteLine("API-Sign: '{0}'", GenApiSign());
}

static private string GenApiSign()
{
    // string ApiNonce = DateTimeOffset.Now.ToUnixTimeMilliseconds().ToString();
    // Hardcode the time so we can confirm the same result with Python
    string ApiNonce = "1586096626919";

    Console.WriteLine("API nonce: {0}", ApiNonce);
    Console.WriteLine("API_PRIVATE_KEY: '{0}'", apiPrivateKey);

    byte[] ApiNonceBytes = Encoding.Default.GetBytes(ApiNonce);

    byte[] h256Dig = GenerateSHA256(CombineBytes(ApiNonceBytes, Encoding.Default.GetBytes("nonce="), ApiNonceBytes));
    byte[] h256Token = CombineBytes(Encoding.Default.GetBytes("/getToken"), h256Dig);

    string ApiSign = Base64Encode(GenerateSHA512(Base64Decode(apiPrivateKey), h256Token));

    return ApiSign;
}

// Helper functions ___________________________________________________

public static byte[] CombineBytes(byte[] first, byte[] second)
{
    byte[] ret = new byte[first.Length + second.Length];
    Buffer.BlockCopy(first, 0, ret, 0, first.Length);
    Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
    return ret;
}

public static byte[] CombineBytes(byte[] first, byte[] second, byte[] third)
{
    byte[] ret = new byte[first.Length + second.Length + third.Length];
    Buffer.BlockCopy(first, 0, ret, 0, first.Length);
    Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
    Buffer.BlockCopy(third, 0, ret, first.Length + second.Length,
                     third.Length);
    return ret;
}


public static byte[] GenerateSHA256(byte[] bytes)
{
    SHA256 sha256 = SHA256Managed.Create();
    return sha256.ComputeHash(bytes);
}

public static byte[] GenerateSHA512(byte[] key, byte[] bytes)
{
    var hash = new HMACSHA512(key);
    var result = hash.ComputeHash(bytes);

    hash.Dispose();

    return result;
}

public static string Base64EncodeString(string plainText)
{
    var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
    return System.Convert.ToBase64String(plainTextBytes);
}

public static string Base64Encode(byte[] bytes)
{
    return System.Convert.ToBase64String(bytes);
}

public static byte[] Base64Decode(string base64EncodedData)
{
    var base64EncodedBytes = System.Convert.FromBase64String(base64EncodedData);
    return base64EncodedBytes;
}

将输出:

API nonce: 1586096626919
API_PRIVATE_KEY: 'c29tZV9hcGlfa2V5XzEyMzQ='
API-Sign: 'wOsXlzd3jOP/+Xa3AJbfg/OM8wLvJgHATtXjycf5EA3tclU36hnKAMMIu0yifznGL7yhBCYEwIiEclzWvOgCgg=='

您可以在 .NET Fiddle 中看到它的工作和结果。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2016-06-06
    • 2014-02-05
    • 2020-08-17
    • 2014-02-15
    • 1970-01-01
    • 1970-01-01
    • 2012-05-03
    • 2011-03-04
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode