User talk:Erot
For H.O'C
re: <Pusher Channels> HMACs
From the top:
- The Channels protocol is secured by app-key HMACing
- The Channels server library requires Node.JS :-(
- Hence, driving Channels from a browser requires raw HMACing
- There is no JS sample for this (but there are some in Ruby, e.g. at the end of <https://pusher.com/docs/channels/library_auth_reference/rest-api/>, and also on the previous page there).
re: crypto.subtle (JS/TS)
See e.g. <how-to-get-hmac-with-crypto-web-api (on stackoverflow)>.
re: DH to HMAC
- (shared secret) AS DH_KEY
- HMAC(APP_ID)(DH_KEY) AS TMP_KEY (secret)
- TMP_KEY XOR APP_KEY AS ALT_KEY (public)

TMP_KEY is unique to app (i.e. APP_ID is unique), so knowing ALT_KEY provides no knowledge of APP_KEY without (some) knowledge of DH_KEY.
NB: I have comparable code that masks ECDH private keys.
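
The DH_KEY → TMP_KEY → ALT_KEY steps above, sketched with `crypto.subtle` as an added example (not the note author's code). Assumptions: HMAC-SHA-256, with DH_KEY as the HMAC key and APP_ID as the message, and an APP_KEY of at most 32 bytes; all function names and sample values are constructed for illustration.

```javascript
// Added example: masking APP_KEY with a key derived from a DH shared secret.
// Assumptions (not from the note): HMAC-SHA-256, DH_KEY is the HMAC key,
// APP_ID is the message, and APP_KEY is at most 32 bytes long.
const enc = new TextEncoder();

// Browsers and recent Node expose crypto.subtle globally; older Node needs the import.
async function getSubtle() {
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}

// TMP_KEY = HMAC(APP_ID)(DH_KEY); stays secret.
async function deriveTmpKey(dhKey, appId) {
  const subtle = await getSubtle();
  const key = await subtle.importKey(
    'raw', dhKey, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
  return new Uint8Array(await subtle.sign('HMAC', key, enc.encode(appId)));
}

// XOR data against the leading bytes of pad; refuse to run past the pad.
function xorWithPad(data, pad) {
  if (data.length > pad.length) throw new RangeError('value longer than TMP_KEY');
  return data.map((b, i) => b ^ pad[i]);
}

// ALT_KEY = TMP_KEY XOR APP_KEY; this is the value that may be published.
async function maskAppKey(dhKey, appId, appKey) {
  return xorWithPad(enc.encode(appKey), await deriveTmpKey(dhKey, appId));
}

// APP_KEY = TMP_KEY XOR ALT_KEY; only a holder of DH_KEY can compute this.
async function unmaskAppKey(dhKey, appId, altKey) {
  const bytes = xorWithPad(altKey, await deriveTmpKey(dhKey, appId));
  return new TextDecoder().decode(bytes);
}

// Constructed sample values, not real credentials.
async function demo() {
  const dhKey = new Uint8Array(32).fill(0x5a); // stands in for the DH shared secret
  const alt = await maskAppKey(dhKey, '123456', 'constructed-app-key');
  return unmaskAppKey(dhKey, '123456', alt);
}

demo().then((recovered) => console.log('recovered:', recovered));
```

Because the mask is a plain XOR pad, one TMP_KEY should cover exactly one APP_KEY: masking two different values under the same DH_KEY and APP_ID would reveal their XOR to anyone holding both ALT_KEYs.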