-
Notifications
You must be signed in to change notification settings - Fork 1
Packages
For this project we use multiple packages for encryption and decryption. All methods that have to do with integrity can be found in the KeyUtils.ts file in the libs folder in the monorepo and rtpstreamer/utils/KeyUtils.java in the Android application. The monorepo is where the front-end angular project and the back-end node API server can be found. There are many outdated, incomplete or depricated packages for RSA encryption/decryption or packages which don't suport encryption by private key and decryption with the public key.
The packages we decided to use in the monorepo are:
- node-rsa
- sha1
- uuid
We decided to use node-rsa as our main packages for encryption and decryption. This package is perfect for us to use in the monorepo because we can use the same methods for encryption and decryption. We can easily create our Public and Private keys in the PKCS8 encryption scheme and encode it in base64 to send to our java android app. To make sure we can use a Node package in angular we had to add some properties in the polyfills.ts and in the tsconfig.json since it is a package that was made to be used with nodejs stack.
To make sure that our requests and responses can be checked on integrity, we hash the object in sha1 and send the hash with an uuid. These two variables will be encrypted by the private key and decrypted by the public key to secure authenticity. When we decode this message we can check the integrity by comparing the decrypted hash with the hash of the object.
To make sure that we aren't vulnarable for a replay attack we have to send a random generated unique string with the packages. For this, we use a v4 UUID that we encrypt together with the object hash. After decrypting we can store the UUID in the database in the backend or localstorage in the front-end and check if we have already recieved a request or response with the same UUID. If it is the same we know we are being attacked with a replay attack and can respond to this attack by denying login or making sure the request returns an error.