vkscript – & nbsp; This is a JavaScript-like language, a completely trimmed, supporting only a few designs and operators. It is executed on the VKontakte side, and its code can be stored in the settings of the application, making it hidden from users.
I need to protect a certain parameter transmitted from my server to the browser of visitors, and from there – to call the methods of VK API.
Plan Simple: On the server, you count the hash from this parameter, the secret and the user ID, which cannot be faked when contacting the VKontakte API. And in the code of the procedure Execute check this signature. All would be good, but md5 () in VKScript, probably not to be implemented due to the restrictions of the language, the number of repetitions in cycles, etc.
Tell me the hash function , let, not enough safe for banks, but not primitively cracked by schoolchildren – & nbsp; which can be implemented within vkscript.
VKScript supports only such things:
- Arithmetic operations
- logical operations
- Creating arrays and lists ([x, y])
- Parseint and Parsedouble
- Concatenation (+)
- IF
- Massif filter by parameter (@.)
- API method calls, Length
- cycles using the WHILE
- JavaScript methods: Slice, Push, Pop, Shift, Unshift, SPLICE, SUBSTR
- Operator Delete
- assigning macsiv elements, for example: row.user.action = “test”;
Design
parameter
statement
From bit operations only & amp; , | , ~ , & lt; & lt; and & GT; & GT; . But Xor’a ^ , which would help, no. Also limited Number of repetitions in cycles and the total time of execution – complex algorithms are not implemented.
UPD. Xor, how can I suggested , it is realized: A XOR B == (A | B) & amp; ~ (A & AMP ; b) , just like a fill shift: A & GT; & gt; & gt; b == (A & gt; & gt; b) & amp; (A & LT; & LT; (32 - b)) , provided B & LT; 32.
Answer 1
a xor b = (a and! b) or (! a and b)
Answer 2
Actually, everything decided Hesh Jenkins approximately in such an implementation. Code of the stored procedure VK:
var secret = 123456
, uid = api.users.get () [0] .id
, Param = Parseint (args.param)
, Signature = Parseint (args.signature)
, TOCRYPT = [PARAM, UID, SECRET]
, B.
, hash = 0
;
While (TOCRYPT.LENGTH) {
hash = hash + toocrypt.pop ();
hash = hash + (hash & lt; & lt; 10);
B = hash & gt; & gt; 6;
hash = (hash | b) & amp; ~ (hash & amp; b);
}
hash = hash + (hash & lt; & lt; 3);
B = hash & gt; & gt; eleven;
hash = (hash | b) & amp; ~ (hash & amp; b);
hash = hash + (hash & lt; & lt; 15);
If (Hash! = Signature) Return {"Error": "Bad Signature"};
RETURN {"RESULT": "Some $$$ DATA"};
From the server, a parameter and a signature is transmitted to the client, calculated as a 32-bit hash from an important parameter, a user ID (it logs on to the site via VK), and the secret (32-bit number). In the stored procedure, you can check that the parameter is not formed.
For example, the parameter may be timestamp, to which the user has paid a paid subscription. You can get the current time on the VC side by API.utils.getServerTime () .