The un-official Amazon Echo User Forums

Alexa request signature verification


« on: December 13, 2016, 04:07:16 am »
I've been hacking together a server-based skill & doing verification in PHP. The Alexa request comes in with HTTP headers including a signature such as:
 
dWgWTtAdG3RIB/54Q1XJ86Wy7G2iesJUIuMNbAtptiVPMV0Q415iMLJ2/50Ii1nxx3IftOytWDNu4HX
dZZhUDp11Qk4rXeIFY+Plofdj4sLrTDvySCEzsGee7H2kdQ1ExG2sEmiv4D84EVgfqI9THR9Ig3NTl2YTw
yXbCWWZVMa1VAGCTSsTGHD3HptS7jvv1XvkZMrsU7k8dABOAKA1083REkX3ccuLyAeuDhi5PWWFYR
CGYz4cQbXd8pAEp55NII0KWoK+gvARnn2qMraZAn6WCw2blQ9v87khr86ibtAHAhYlNmuc4xmNZ2OE
I+tkau38PRXiFyttw1Z9xjMDYA==

Converting that to binary with base64_decode() and decrypting with openssl_public_decrypt() gives this, after bin2hex():

3021300906052b0e03021a0500041433518d943e1851830b2e596a1c025b8f9be55d74

The SHA-1 hash of the request body (JSON data) in this case is:

33518d943e1851830b2e596a1c025b8f9be55d74

So it appears that the decrypted signature is the 40-character SHA-1 hash of the JSON data prepended with 30 characters of something else:

3021300906052b0e03021a05000414
33518d943e1851830b2e596a1c025b8f9be55d74  matches the SHA-1 hash of the JSON data

So what is the 30-character first part?
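The 15 leading bytes are the DER-encoded DigestInfo structure that PKCS#1 v1.5 signing wraps around the hash (RFC 8017, section 9.2): a SEQUENCE holding an AlgorithmIdentifier (the SHA-1 OID 1.3.14.3.2.26 plus NULL parameters) and an OCTET STRING containing the 20-byte digest. openssl_public_decrypt() has already stripped the 00 01 FF…FF 00 padding, so the DigestInfo is the first thing that appears. The example below is added here and is not code from the post; it parses the hex value quoted above, decodes the OID, and shows the comparison a verifier must make: the whole DigestInfo against the expected prefix plus hash, in constant time, rather than only the trailing 40 hex characters. The `KNOWN_OIDS` and `DIGESTINFO_PREFIXES` tables and the sample request body are constructed for this example. In PHP, openssl_verify() with OPENSSL_ALGO_SHA1 performs this check internally and is the simpler route.

```python
import hashlib
import hmac

# Hex quoted in the post: output of openssl_public_decrypt() on the signature.
DECRYPTED_HEX = (
    "3021300906052b0e03021a05000414"
    "33518d943e1851830b2e596a1c025b8f9be55d74"
)

# DER DigestInfo prefixes as listed in RFC 8017, section 9.2, note 1.
DIGESTINFO_PREFIXES = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# Dotted OIDs for the hash algorithms above (constructed lookup table).
KNOWN_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}


def _read_tlv(data, pos, expected_tag):
    """Read one DER tag/length/value triple. Short-form lengths only, which is
    all a DigestInfo ever uses. Returns (value, position after the value)."""
    if pos + 1 >= len(data) or data[pos] != expected_tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    length = data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in DigestInfo")
    start, end = pos + 2, pos + 2 + length
    if end > len(data):
        raise ValueError("DER length runs past end of data")
    return data[start:end], end


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation (e.g. 1.3.14.3.2.26)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_digest_info(data):
    """Parse DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }.
    Returns (oid_dotted, digest) and rejects any trailing bytes."""
    seq, end = _read_tlv(data, 0, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after DigestInfo")
    alg, pos = _read_tlv(seq, 0, 0x30)
    digest, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("trailing bytes inside DigestInfo")
    oid_raw, apos = _read_tlv(alg, 0, 0x06)
    _null, apos = _read_tlv(alg, apos, 0x05)   # NULL parameters
    if apos != len(alg):
        raise ValueError("trailing bytes inside AlgorithmIdentifier")
    return _decode_oid(oid_raw), digest


def expected_digest_info(body, hash_name="sha1"):
    """Build the DigestInfo a correct signer would have produced for `body`."""
    return DIGESTINFO_PREFIXES[hash_name] + hashlib.new(hash_name, body).digest()


def verify_decrypted_signature(decrypted, body, hash_name="sha1"):
    """Compare the full DigestInfo (prefix and hash) in constant time.
    Comparing only the last 20 bytes would accept a DigestInfo that names a
    different algorithm or carries extra structure."""
    return hmac.compare_digest(decrypted, expected_digest_info(body, hash_name))


if __name__ == "__main__":
    decrypted = bytes.fromhex(DECRYPTED_HEX)
    oid, digest = parse_digest_info(decrypted)
    print("algorithm OID:", oid, "->", KNOWN_OIDS.get(oid, "unknown"))
    print("digest:", digest.hex())

    # Constructed sample body (not a real Alexa request), signed by simulation.
    body = b'{"version":"1.0","constructed":"sample request body"}'
    simulated = expected_digest_info(body)
    print("untampered body verifies:", verify_decrypted_signature(simulated, body))
    print("tampered body verifies:", verify_decrypted_signature(simulated, body + b" "))
```

The parser is deliberately strict: it refuses long-form lengths and trailing bytes, so a decrypted value that is anything other than exactly one DigestInfo fails closed.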