Interfridge
Donald documented his design for interfridge on a Megadodo. This was used with some modifications.
Interfridge accounts
Interfridge associations are made peer-to-peer for each pair of fridges which wish to allow interfridge transactions between them. Each fridge in the pair must have a special local user account for the other fridge. The name of this account must match the interfridge name which the other fridge is configured with.
Database changes
Three extra columns were added to the users table to support interfridge:
- isinterfridge is a boolean which is true iff the account is an account representing a remote fridge rather than a normal user.
- interfridge_password holds the password used to log in to the remote fridge. This is only set if isinterfridge is true; otherwise it should be NULL.
- interfridge_endpoint holds the endpoint URL for the interfridge server of the remote fridge. This is only set if isinterfridge is true; otherwise it should be NULL.
There is also an extra table, nonces, used to hold generated but as yet unused nonces as discussed below.
Interfridge protocol
In the following documentation the ‘.’ operator in pseudocode represents string concatenation. md5(x) gives the MD5 of the given bytestring, encoded as lowercase hexadecimal.
Interfridge consists of a server and a client. The server is part of fridgeweb (written in PHP), and the client is part of the Java fridge client. The client talks to the server by making HTTP requests. Each server is known by an endpoint URL, such as http://memphisfridge.interface.org.nz/interfridge.php. Calls are made by GET requests to this URL with particular parameters. Results are returned as an XML document with the root element <interfridge>. On success the values listed below will be returned; on failure an <error> element containing a string describing the error will be returned instead. Currently there are two methods used:
generate_nonce
Request
<endpoint URL>?method=generate_nonce&cnonce=<cnonce>&timestamp=<unix_time>&fridge_name=<fridge_name>&fridge_hmac=<fridge_hmac>
Return value
<nonce>snonce</nonce>
<hmac>fridge_response_hmac</hmac>
To prevent replay attacks a nonce is used with each purchase request. This method asks the server to generate such a nonce and return it. The nonce is an arbitrary random string of printable characters. The server stores the nonce when it is generated and then checks it and deletes it when it is used to prevent reuse of old nonces. Nonces older than a certain age (currently 10 minutes) are also deleted to prevent the database from filling up.
cnonce is a client nonce generated by the client to prevent replays of the generate_nonce request filling up the server’s database.
unix_time is the current time in seconds since the Unix epoch. The server will reject the request if this is too old, to prevent replays.
fridge_name is the username of an interfridge user on the server which represents the client fridge.
fridge_hmac is an HMAC-MD5 to authenticate the client to the server and prevent unrecognised clients from filling up the server’s database. It is generated as hmac_md5(cnonce . unix_time . fridge_name, md5(fridge_password)).
fridge_response_hmac is an HMAC-MD5 to verify the response, generated as hmac_md5(snonce . cnonce, md5(fridge_password)).
purchase
Request
<endpoint URL>?method=purchase&nonce=<snonce>&fridge_name=<fridge_name>&user_name=<user_name>&amount=<amount>&fridge_hmac=<fridge_hmac>&user_hmac=<user_hmac>
Return value
<balance>balance in cents after purchase</balance>
<hmac>fridge_response_hmac</hmac>
The amount parameter is an integer; the rest are strings.
The snonce must match a server nonce previously generated and not yet used.
fridge_name is the username of an interfridge user on the server which represents the client fridge.
user_name is the username of the user on the server who wishes to make a purchase or log in.
amount is the value of the transaction in cents. A positive value is a debit (e.g. a purchase), while a negative value is a credit (e.g. a top up). A purchase request with an amount of 0 is used to authenticate the user without actually making a transaction, for logging in to fridge and obtaining their current balance.
fridge_hmac is an HMAC-MD5 signing the request by the interfridge user. It is generated as hmac_md5(snonce . fridge_name . user_name . amount, md5(fridge_password)). This prevents man-in-the-middle attacks where the message is altered between the client and the server, such as changing the amount. It also authenticates the client fridge to the server.
user_hmac is an HMAC-MD5 signing the request by the purchasing user. It is generated as hmac_md5(snonce . fridge_name . user_name . amount, md5(user_password)).
The server returns the new balance for the user. It also returns the fridge_response_hmac, which is generated as hmac_md5(snonce . fridge_name . user_name . balance, md5(fridge_password)). This prevents a man-in-the-middle faking a successful response.
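The purchase signing and the server-side checks described above, as an added Python example (not fridgeweb or fridge client code). It assumes hmac_md5 takes (message, key), that HMACs are hex-encoded, and that the server keeps md5(password) per account; the Server class, account names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_MAX_AGE = 600  # seconds; the page gives 10 minutes

def md5_hex(text):
    """md5(x) as the page defines it: lowercase hexadecimal."""
    return hashlib.md5(text.encode()).hexdigest()

def hmac_md5(message, key):
    """Assumed argument order (message, key) and hex output."""
    return hmac.new(key.encode(), message.encode(), hashlib.md5).hexdigest()

def sign_purchase(snonce, fridge_name, user_name, amount, fridge_pw, user_pw):
    """Client side: purchase parameters carrying both HMACs."""
    message = snonce + fridge_name + user_name + str(amount)
    return {"nonce": snonce, "fridge_name": fridge_name,
            "user_name": user_name, "amount": str(amount),
            "fridge_hmac": hmac_md5(message, md5_hex(fridge_pw)),
            "user_hmac": hmac_md5(message, md5_hex(user_pw))}

class Server:
    """In-memory stand-in for the users and nonces tables (constructed)."""
    def __init__(self, keys):
        self.keys = keys    # username -> md5(password); storage form is assumed
        self.nonces = {}    # snonce -> creation time

    def generate_nonce(self, now=None):
        snonce = secrets.token_hex(16)
        self.nonces[snonce] = time.time() if now is None else now
        return snonce

    def verify_purchase(self, params, now=None):
        now = time.time() if now is None else now
        # Consume the nonce on first use, pass or fail (this example's choice).
        created = self.nonces.pop(params["nonce"], None)
        if created is None or now - created > NONCE_MAX_AGE:
            return False
        message = (params["nonce"] + params["fridge_name"]
                   + params["user_name"] + params["amount"])
        for name, field in ((params["fridge_name"], "fridge_hmac"),
                            (params["user_name"], "user_hmac")):
            key = self.keys.get(name)
            expected = hmac_md5(message, key or "")
            if key is None or not hmac.compare_digest(expected.encode(),
                                                      params[field].encode()):
                return False
        return True
```

The HMAC comparison uses hmac.compare_digest so that verification time does not depend on how many leading characters of a submitted HMAC are correct.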

