Chat User Authentication

You can identify the sender by creating a Unique Identifier , as well as a Name attached to the chat message payload. This is similar to IRC strategies, but a bit more simplified.

 var user_id = PUBNUB.uuid(); var user_name = name.value; var user_message = input.vaule; 

Here is a complete example that includes HTML elements for entering UserName. Also note that I added the safe_text() method to prevent XSS attacks.

 <form id="message_form"> Name: <input id="name_input" value="John" type="text"/><br> Message: <input id="message_input" value="Hi" type="text"/><br> <input type="submit" value="send"> </form> <div id="chat"></div> <script src="http://cdn.pubnub.com/pubnub-dev.js"></script> <script> var userid = PUBNUB.uuid(); var pubnub = PUBNUB({ publish_key : 'demo', subscribe_key : 'demo', uuid : userid }); function safe_text(text) { return (''+text).replace( /[<>]/g, '' ); } pubnub.subscribe({ channel: 'chat', message: function(message){ var div = document.createElement("div"); div.textContent = safe_text(message.name) + ": " + safe_text(message.text); var chat = document.getElementById("chat"); chat.appendChild(div); } }); var form = document.getElementById("message_form"); form.onsubmit = function(e) { var input = document.getElementById("message_input"); var name = document.getElementById("name_input"); pubnub.publish({ channel: 'chat', message: { name : name.value, text : input.value, userid :userid } }); input.value = ''; e.preventDefault(); }; </script> 

While this demo provides you with a quick and easy application to run, you will want to add additional advanced chat security systems and chat authentication systems .

For additional resources for creating chat applications, see the guide for creating real-time chat in 10 lines of code , as well as Creating an application for the main chat .

Chat Access Control Tier

You will need to add a Security ACL Access Control Layer . With PubNub Access Manager (PAM), you can control who has access by granting users permission with access tokens.

 // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= // Grant Chat Access to Secured Conversations // All server-side data is stored according to defined security policies. // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= var pubnub = PUBNUB({ publish_key: "PUBLISH_KEY", subscribe_key: "SUBSCRIBE_KEY", secret_key: "SECRET_KEY" }) pubnub.grant({ channel : "CHANNEL", callback : receiver, error : receiver, ttl : 60, // Minutes read : true, write : true, auth_key : "AUTH_KEY" }); 

It is recommended that you use this level of ACL code for trusted systems, such as your own data center servers.

Sending / receiving secure encrypted messages

PubNub client libraries offer built-in 256-bit Advanced Encryption Standard (AES) encryption. To use message encryption, just use cipher_key when initializing.

To enable transport layer encryption using TLS and the ssl flag.

Then publish / sign as usual.

 var pubnub = PUBNUB({ subscribe_key: 'sub-c-f762fb78-...', publish_key: 'pub-c-156a6d5f-...', ssl: true, cipher_key: 'my_cipherkey' }); 

Checking messages to identify the sender

Attaching user information to each message is effective and provides a very powerful level of flexibility in your application. However, malicious users may try to fake the identity of users and, therefore, impersonate other users. In the sample application, we showed that it is easy to impersonate another by changing your name in the "message_form" field. This is the same situation you encounter with email and SMTP, where arbitrary email aliases are possible if you do not provide a way to verify the identity of the sender. There is a solution! 😄

Digital signatures are fingerprints with built-in secure cryptographic hashes of key components of the message payload, including salt (sometimes a timestamp), and then signing / encryption using an asymmetric secret key, which is used to verify the identity of the sender. This process is used to block spoofers and avatars.

A digital signature is a mathematical circuit to demonstrate the authenticity of a digital message or document.

Checking Messages for Chat Applications

To begin with, only chat users are allowed access, and they can publish and subscribe to chat channels using the grant and revoke methods available in your PubNub Access Manager implementation. The challenge here is that in the chat group, your chat users were provided with auth_tokens , but they can still impersonate other chat users on the channel.

The goal here is to check two things when a client receives a message.

• Sender ID
• Message integrity.

Using asymmetric cryptography, you can provide a level of verification and security for the messages of your users by creating a digital signature . A valid digital signature gives the recipient reason to believe that the message was created by a known sender, that the sender cannot deny the message was sent (authentication and rejection) and that the message was not changed during transmission (integrity). Digital signatures are commonly used for financial transactions and message-oriented communications, such as e-mail and chat , as well as in other cases where it is important to detect falsification or falsification.

You will start by issuing to each of your users a chat of the key set of the generated server , with a public key (asymmetric) algorithm, such as ECC / RSA, through your server after logging in. I recommend ECC because the key size is much smaller than RSA with comparable cryptographic strength. Each chat user in the chat learns about the public key of the common chat user through a secure read-only channel. Your users should only receive the Public Key from the READ-ONLY shared channel controlled by the reliable and secure environment of your server. Your server will be able to record each public key of the user in this READ-ONLY channel. Your users will read from this channel.

Your user can get each other by public keys by calling PubNub history before joining the chat. They must also open a subscription to the same channel in order to receive the public key of new chat users who have joined the chat.

The user's private key should not be accessible to anyone except the verified owner. This can be done when entering the system by e-mail and password, and you can send the secret key to the user being verified as soon as they enter the system.

Sending a chat message with a digital signature

 { userId: 123456, profilePic: "http://www.chats.com/user1234.jpg", message: "Hello World", signature: "tnnArxj06cWHq44gCs1OSKk/jLY" } 

You will create a signature by concatenating the next base line (userId+profilePic+message) . Then you need to calculate the message digest using SHA1(signature_base_string) or SHA256(signature_base_string) . Now you can use this cryptographically generated hash for signing with the user's private key using the asymmetric ECC / RSA algorithm.

Now attach this digital signature to the chat message, as shown in the example above, and in the last step, Check the chat messages .

Check chat messages

When you subscribe to a chat channel, you will receive a sent chat message with an attached digital signature. You will use this signature to authenticate the chat message. If the message was an attempt to cheat, you completely discard the message.

 // Digitally Signed Chat Message { userId: 123456, profilePic: "http://www.chats.com/user1234.jpg", message: "Hello World", signature: "tnnArxj06cWHq44gCs1OSKk/jLY" } 

To verify the signature, you will create a signature by concatenating the next base line (userId+profilePic+message) . Then you need to calculate the message digest using SHA1(signature_base_string) or SHA256(signature_base_string) . Now, using the public key of the chat user that you already have for userId 123456, you can verify / decrypt the digital signature to get the original message collection that you just created, which was also created by the sender.

Compare the current message digest with the original message digest. If they match, then the message is genuine, and you have successfully verified the sender's message using message verification through digital signature. If the digests do not match, this is a fake message, and you can ignore the simulator.

Build PKI Public Key Infrastructure Using PubNub

You will need a way to securely pass public keys through read-only PKI. PubNub provides you with a way to publish a secure, read-only PKI for your chat users. It is important to note that PKI requires an asymmetric key algorithm such as ECC or RSA. We also use these cryptographic algorithms to create digital signatures, and not to encrypt data. This means that we can identify and verify the sender by successfully decrypting the signature with the public key and confirming the salty signed string.

• The public key is used as the decryption key and Verify key .
• The private key is used as the encryption key and signature key .

It is important to note that you should only print the username obtained from a trusted public key source, and not from the message content. The content of the message is used only for signing and verifying Identity. If the identifier is changed, it must be relayed through PKI using the PubNubs broadcast and storage and playback mechanism for secure authorization.

Access agents, identifier / photo name, and asymmetric keys should only be generated from reliable runtimes on your servers and transmitted through PubNub PKI authorized read-only data channels.