Validate server-side code using hash?
If you have a client-side script (e.g client.py) communicating with a server-side script (e.g server.py). Using SSL certificates the identity of the server is automatically verified.
But how do you verify that the code of server.py isn't tampered with? When for example using a VPS you never know if a employee of the hosting provider with bad intentions has edited server.py to intercept data or whatever.
I was thinking of maybe using a hash to validate the code of server.py. Before deploying server.py to the server I'd generate a hash of the file. This hash is placed in client.py. When the client connects, a code in server.py is called:
# pseudo code
def return_hash_of_server_script():
with open('server.py', 'rb') as f:
file_content = f.read()
hash = sha256(file_content)
client.response(hash)
The client would do something like this:
# pseudo code
def validate_hash_of_server():
hash_of_serverpy_before_deployment = "e2ioj23njwo"
hash = retrieve_hash_from_server()
if hash != hash_of_serverpy_before_deployment:
return False
return True
But I think the problem with this is, that someone with access to the VPS could just generate a hash of server.py before he edits it and alter the function return_hash_of_server_script() like this:
# pseudo code
def get_hash_of_server_script():
# hash generated before altering
client.response("e2ioj23njwo")
Resulting in the client thinking the code of server.py is valid.
So I was thinking about the following:
- The client has a hex representation of
server.pybefore deployment in a file. We'll name thisserver_py_hex. - There is a hardcoded secret "abc123".
- There is a RSA-keypair. The server has the private key and the client the public key.
- The first thing the client does is generating a hash:
sha256(server_py_hex + "abc123" + current_date_and_hour). - The client sends the hardcoded secret to the server encrypted in RSA with his public key.
- The server decrypts the request to get the hardcoded secret and returns the hash
sha256(content_of_server_py_in_hex + decrypted_secret + current_date_and_hour).
This way a malicious person with access to the VPS can't generate a hash of server.py before tampering it because he doesn't know the secret. And if he is able to intercept the response of a valid hash the server returns to the client and he tries to tamper server.py in returning that hash to fool the client, it'd only work for a hour because the current date and hour is included in the hash.
Is this a solid implementation to validate code authenticity? Of course on the condition that client.py is only distributed to a limited set of trusted users, and is not publicly accessible for download.
I bet that someone has came up with an a lot better and smarter way to tackle this issue. What is the official way to verify the code on a server?
