Echo & Alexa User Discussions and Support Forums


Alexa request signature verification

« on: December 13, 2016, 07:07:16 am »
I've been hacking together a server-based skill & doing verification in PHP. The Alexa request comes in with HTTP headers including a signature such as:
 
dWgWTtAdG3RIB/54Q1XJ86Wy7G2iesJUIuMNbAtptiVPMV0Q415iMLJ2/50Ii1nxx3IftOytWDNu4HX
dZZhUDp11Qk4rXeIFY+Plofdj4sLrTDvySCEzsGee7H2kdQ1ExG2sEmiv4D84EVgfqI9THR9Ig3NTl2YTw
yXbCWWZVMa1VAGCTSsTGHD3HptS7jvv1XvkZMrsU7k8dABOAKA1083REkX3ccuLyAeuDhi5PWWFYR
CGYz4cQbXd8pAEp55NII0KWoK+gvARnn2qMraZAn6WCw2blQ9v87khr86ibtAHAhYlNmuc4xmNZ2OE
I+tkau38PRXiFyttw1Z9xjMDYA==


Converting that to binary with base64_decode() and decrypting with openssl_public_decrypt() gives this, after bin2hex():

3021300906052b0e03021a0500041433518d943e1851830b2e596a1c025b8f9be55d74

The SHA-1 hash of the request body (JSON data) in this case is:

33518d943e1851830b2e596a1c025b8f9be55d74

So it appears that the decrypted signature is the 40-character SHA-1 hash of the JSON data prepended with 30 characters of something else:

3021300906052b0e03021a05000414
33518d943e1851830b2e596a1c025b8f9be55d74  matches the SHA-1 hash of the JSON data

So what is the 30-character first part?
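
Added example, not part of the original post: in a PKCS#1 v1.5 RSA signature the hash is wrapped in an ASN.1 DER `DigestInfo` structure, so the 15 bytes (30 hex characters) in front of the SHA-1 value are DER headers plus the algorithm identifier. The PHP below parses the decrypted block quoted in the post; the function names and the `SHA1_OID` constant are made up for this illustration.

```php
<?php
// Values copied from the post above: decrypted signature block and body SHA-1.
$decryptedHex = '3021300906052b0e03021a0500041433518d943e1851830b2e596a1c025b8f9be55d74';
$bodySha1Hex  = '33518d943e1851830b2e596a1c025b8f9be55d74';
const SHA1_OID = '1.3.14.3.2.26'; // object identifier registered for SHA-1

// Read one DER tag-length-value at $pos (short-form lengths are enough here).
function readTlv(string $der, int &$pos): array
{
    if ($pos + 2 > strlen($der)) throw new RuntimeException('truncated header');
    $tag = ord($der[$pos]);
    $len = ord($der[$pos + 1]);
    if ($len > 0x7f || $pos + 2 + $len > strlen($der)) {
        throw new RuntimeException('bad length');
    }
    $value = substr($der, $pos + 2, $len);
    $pos += 2 + $len;
    return [$tag, $value];
}

// Turn OID content bytes into dotted notation (the first byte packs two arcs).
function decodeOid(string $bytes): string
{
    if ($bytes === '') throw new RuntimeException('empty OID');
    $arcs = [intdiv(ord($bytes[0]), 40), ord($bytes[0]) % 40];
    for ($i = 1, $n = 0; $i < strlen($bytes); $i++) {
        $n = ($n << 7) | (ord($bytes[$i]) & 0x7f);
        if ((ord($bytes[$i]) & 0x80) === 0) { $arcs[] = $n; $n = 0; }
    }
    return implode('.', $arcs);
}

// DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }
function parseDigestInfo(string $der): array
{
    $pos = 0;
    [$tag, $body] = readTlv($der, $pos);
    if ($tag !== 0x30 || $pos !== strlen($der)) throw new RuntimeException('not a lone SEQUENCE');
    $p = 0;
    [$algTag, $alg] = readTlv($body, $p);       // SEQUENCE { OID, NULL params }
    [$digTag, $digest] = readTlv($body, $p);    // OCTET STRING holding the hash
    if ($algTag !== 0x30 || $digTag !== 0x04 || $p !== strlen($body)) throw new RuntimeException('bad layout');
    $q = 0;
    [$oidTag, $oid] = readTlv($alg, $q);
    if ($oidTag !== 0x06) throw new RuntimeException('missing OID');
    return [decodeOid($oid), $digest];
}

[$oid, $digest] = parseDigestInfo(hex2bin($decryptedHex));
$ok = $oid === SHA1_OID && hash_equals(hex2bin($bodySha1Hex), $digest); // constant-time compare
printf("OID %s, digest %s, match: %s\n", $oid, bin2hex($digest), $ok ? 'yes' : 'no');
```

For the actual skill endpoint, `openssl_verify()` with `OPENSSL_ALGO_SHA1` checks the padding, the `DigestInfo` header and the hash in one call, which is safer than calling `openssl_public_decrypt()` and comparing the trailing bytes by hand.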