There are several devices on the local network that may have an unpredictable IP address (dynamic, or changed in the settings). The whole mechanism for controlling these devices is via HTTP using JSON. For authorization on the device I plan to use a login and password. The essence of the problem is that in this local network there is not always access to the Internet, and that there can be "outsiders" in this local network.

I am looking for an adequate way to protect the data transmitted between the browser (or another program) and this device.

Please suggest something sane, I have been racking my brains over this all day!

  • I wonder... why is the word "outsiders" in quotes? Aliens or something?))) - Dmitry Gvozd

2 answers

If you need to transfer messages from application to application, then use JWT; if you want to encrypt all traffic between machines and ensure the integrity and authenticity of the data, then use an encryption system with public and private keys.

I suggest using JWT

JSON Web Token. This is an open standard, RFC 7519, for passing claims between two parties.

It is a structure of the form Header.Payload.Signature, where the header and payload are JSON objects (hashes) encoded in base64. Here it is worth paying attention to the payload. In principle it can contain anything: it can be just a client_id and some other information about the user, but this is not a good idea; it is better to transfer only the key identifier and store the data somewhere else.

Here are a few notes to help improve security when using JWT:

  1. When creating a token, you must put the user's IP address into its body. Then, with each request, check this field against the address the request came from. Thus, even with the token, an attacker will not be able to use it. This method imposes some additional inconvenience on the user; for example, he will have to log in again every time his IP changes. However, in most cases this does not happen very often and should not cause much discomfort.

  2. You can, of course, query your database with each request and check the data from the token against the data in the user's record. In other words, with each request get the user from the database and make sure that the request can be executed; what and how to check depends only on your design. You can check whether the user is blocked, whether he has changed the password since the token was issued, whether his role is appropriate, etc. This method is rather crude, but as effective as possible. However, there is a more practical and interesting way to check that does not strain your main database: see item 3.

  3. Store a list of current tokens (the so-called "white list") in a separate high-performance database, such as Redis or Memcached. With each request, after the normal validity check of the token, we also check for its presence in this database. If for some reason it is not there, then the request cannot be executed and a new token has to be obtained. Thus, after some critical actions on the account (password change, role change, ban, etc.), we simply remove from the white list all tokens related to this account.

Use HTTPS with self-signed certificates. Read for example https://habrahabr.ru/post/192446/

  • Not quite suitable, since the IP address can change at the request of the user or via DHCP. Of course, as an option, you could create a script for automatic key regeneration when the IP address changes, but then you would need to push them out to the clients again, etc. - ErrorMan
  • It doesn't matter what the IP is. Make a certificate for the domain. There are dozens of solutions for how to hang a domain on a dynamic IP. - hardworm
  • Moreover, a fixed IP in DHCP is not a problem at all. Yes, even the blonde from the jokes can do that on her router. - hardworm
  • About a hundred devices; the devices have no Internet access; there is no single controlling server for them. The IP can change under different circumstances right there at the site. The device will not be able to update your domain, and the blonde will not be asked to rewrite all the domains for all the devices. - ErrorMan
  • Well, that means you have not a technical problem but an organizational one. There is not the slightest technical reason not to make a fixed IP inside the local network for a specific device. - hardworm
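As an added example (not code from the answer or the comments above), here is one way a client can trust a device's self-signed certificate without depending on the IP address or a domain name that the comment thread argues about: pin the SHA-256 fingerprint of the device's certificate, recorded once when the device is commissioned, and compare it on every connection. The device ids, the pin store and the `PinMismatch` exception are assumptions made for the example; only the standard library `ssl`, `socket`, `hashlib` and `hmac` modules are used.

```python
# Added example: certificate pinning for self-signed device certificates.
# Trust is tied to the certificate fingerprint, not to the hostname or IP, so a
# DHCP-assigned address change does not break the check. PINS is a constructed store.
import hashlib
import hmac
import socket
import ssl
from typing import Dict


class PinMismatch(Exception):
    """Raised when the presented certificate does not match the recorded pin."""


# device id -> hex SHA-256 of the device's DER certificate (filled at commissioning)
PINS: Dict[str, str] = {}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def register_pin(device_id: str, der_cert: bytes, pins: Dict[str, str] = PINS) -> str:
    """Record the fingerprint once, when the device is set up on a trusted channel."""
    fp = fingerprint(der_cert)
    pins[device_id] = fp
    return fp


def pin_matches(device_id: str, der_cert: bytes, pins: Dict[str, str] = PINS) -> bool:
    """Constant-time comparison of the presented certificate against the stored pin."""
    expected = pins.get(device_id)
    if expected is None:
        return False                     # unknown device: never trust by default
    return hmac.compare_digest(expected, fingerprint(der_cert))


def connect_pinned(device_id: str, host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection to the device and accept it only if the leaf cert is pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # hostname/IP is not what we trust here
    ctx.verify_mode = ssl.CERT_NONE      # no CA chain for a self-signed cert; we verify the leaf
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(device_id, der):
        tls.close()
        raise PinMismatch(f"certificate presented by {host} does not match the pin for {device_id}")
    return tls


if __name__ == "__main__":
    # Offline demonstration with constructed bytes standing in for a DER certificate.
    demo_cert = b"constructed-der-bytes-for-device-01"
    register_pin("device-01", demo_cert)
    print(pin_matches("device-01", demo_cert))            # True
    print(pin_matches("device-01", demo_cert + b"x"))     # False
```

With pinning, renewing a device certificate means re-recording its fingerprint, so certificates issued at commissioning should have a lifetime matched to the device's service interval; the trade-off is that no domain name, DNS update or fixed IP is needed on the devices themselves.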