Rule of Silence: When a program has nothing surprising to say, it should say nothing.
npm install
(this will install node-sodium)This walkthrough follows a client-server model. The goal is to see how a client can send a message to the server, and how the server can trust that the message had come from the client (without usernames or passwords)!
For brevity, we are not setting up a real server. Instead, this repo just contains a "client" directory and a "server" directory. They interact with each other through the file system.
client
gen.js
node gen
Here we are generating a key pair, which consists of a public key and a secret (or private) key. Everyone is allowed to know your public key, but you have to keep your secret key a secret.
gen.js
stores your keypair in the client
directory and sends your public key to the server
directory. The server will use your public key to verify any messages you send it that are signed with your secret key.
sign.js
node sign
In sign.js
, we pull your secret key from your keypair. I also wrote a small message; you can change it if you want. With your secret key and your message sign.js
will generate a detached digital signature. Anyone with you public key can verify that you sent that message by testing it against your digital signature. After your signature has been created a payload object containing your message and signature is sent to the server.
server
verify.js
node verify
The server can verify the message in the payload object by testing the detached digital signature against the public key the client had sent earlier. If the signature is verified, then the server will trust that the message in the payload had truly come from the client. If the signature can not be verified, the server will not trust and reject that message.