Paydesk scratchbook

From XtConcordia

This is our scratch book te redesign xtPaydesk in Perl. Please be free to adjust and add your comments ;-)

Table of contents

1 Messages

1.1 XML Primer
1.2 Message parsing

2 Login process

2.1 step1
2.2 step2
2.3 step3
2.4 step4
2.5 step5
2.6 step6

3 I/O

3.1 Input
3.2 Output

4 Startup

[edit]

Messages

[edit]

XML Primer

<?xml version="1.0" encoding="ISO-8859-1"?>
<xtpaydesk>

 <msg>
  <version>#</version>
  <type>#</type>
  <code>#</code>
  <auth>xxx</auth>*
 </msg>
 

 <data>
   This content should be encrypted using a shared key, but 
   after decryption is should also contain valid xml tags
 </data>

</xtpaydesk>

Each message should containt the msg tag defining the version, a type and code. The auth tag is only present after authentication.

The first thing to check is that both server & client are using the same version.

Type/code example:

type 0 -> session password changes
 code 1 -> server to client: new password
 code 2 -> client to server: accepted new password
type 1 -> login process (mutual authentication)
 code 1 -> client to server: client authenticator
 code 2 -> server to client: server authenticator
 code 3 -> client to server: shared key exchange
type 2 -> initialisation
 code 1 -> CtoS: get products
 code 2 -> StoC: product listing

Once authenticated, all other messages should contain an authenticator with replay prevention enclosed in <auth>. Details about authentication and encryption scheme comming up ...

Make a parser for every type/code message to scan first for required tags inside <msg> and <data>

[edit]

Message parsing

Every incoming packet should be processed in this manner. If it doesn't meet a requirement, make a log entry for it containing source ip, version #n type/code # and timestamp (create a plain and stupid logging mechanism to a text file):

check version
check type/code:
- does it exist ?
- is encryption required for it ? (1)
- check if all required xml-fields are present in data
- lauchn specific code for this type/code which handles the rest of the message

(1) in case encryption is required:

check if <encrypted> tag is present
lookup current shared secret
decrypt everything between <encrypted> tags
return decrypted data

[edit]

Login process

[edit]

step1

send login request to server so we send our client_name

<?xml version="1.0" encoding="ISO-8859-1"?>
<xtpaydesk>
 <msg>
  <version>0.0.1</version>
  <type>1</type>
  <code>1</code>
 </msg>
 <data>
   <id>client_name</id>
 </data>
</xtpaydesk>

[edit]

step2

lookup client information
check if IP-address matches
generate random number and hash it -> sha(random) = challenge
send challenge to client

<?xml version="1.0" encoding="ISO-8859-1"?>
<xtpaydesk>
 <msg>
  <version>0.0.1</version>
  <type>1</type>
  <code>2</code>
 </msg>
 <data>
   <challenge>sha(random)</challenge>
 </data>
</xtpaydesk>

[edit]

step3

create response: xxx = sha(sha(client_id) + sha(client_ip) + challenge)
encrypt it with hash from Client Password -> sha(password)[xxx]
... and send it

<?xml version="1.0" encoding="ISO-8859-1"?>
<xtpaydesk>
 <msg>
  <version>0.0.1</version>
  <type>1</type>
  <code>3</code>
 </msg>
 <data>
   <id>client_name</id>
   <response>sha(password)[xxx]</response>
 </data>
</xtpaydesk>

[edit]

step4

calculate the same thingy and compare with the received result

   - if the same got to step 6 (login ok)
   - if not the same go to step 5

[edit]

step5

inform client of bad login credentials
close tcp connection and to let the client start again from scratch (plain & easy ;-)

<?xml version="1.0" encoding="ISO-8859-1"?>
<xtpaydesk>
 <msg>
  <version>0.0.1</version>
  <type>1</type>
  <code>4</code>
 </msg>
 <data>
   <auth>failed</auth>
 </data>
</xtpaydesk>

[edit]

step6

inform client of succesful login

<?xml version="1.0" encoding="ISO-8859-1"?>
<xtpaydesk>
 <msg>
  <version>0.0.1</version>
  <type>1</type>
  <code>5</code>
 </msg>
 <data>
   <auth>ok</auth>
 </data>
</xtpaydesk>

[edit]

I/O

[edit]

Input

Create an input parse so we can read from stdin. Should be determined if we need CR/LF or not, but keep in mind that this depends of which input we suspect. But I suspect we should "enter" every value.

[edit]

Output

The screen output should also be standardised, if possible colors would be great ! The first line should always contain some the same product information (maybe with a blue background and white foreground color ?):

               -= xtPaydesk version 0.0.1 (client) - part of xtConcordia =-

[edit]

Startup

The client should not be pre-configured with a configuration file. So at startup the system should ask for a validation string which contains the following information:

ipaddress of the server
clientnumber
clientpassword

This will be one big number (which can be scanned using a bar code scanner): i.e.: 0102542540030112345678

being:

ip = 10.254.254.3
client id = 01
client password = 12345678

All other configuration settings are passed during login from server to client (to do ...)

Retrieved from "http://www.xtconcordia.org/wiki/index.php/Paydesk_scratchbook"

Paydesk scratchbook

From XtConcordia

Messages

XML Primer

Message parsing

Login process

step1

step2

step3

step4

step5

step6

I/O

Input

Output

Startup

Views

Personal tools

Navigation

Search

Toolbox