A Proof of Key (PoK) process has been implemented to strengthen the security of the protocol and is used to validate the messages received by the HAS from the PKSA, but also to validate the data that is exchanged between the different nodes participating in the HiveAuth network.
Indeed, all the data exchanged between the APP and the PKSA are encrypted. Therefore, a HAS node has no way of knowing its content. However, to ensure that the data received has indeed been generated by the account associated with a request, the HAS will require the PKSA to also sign either arbitrary data or something that it knows.
A PoK is built by encrypting:
the actual UNIX time when sending a register_req message
the request uuid when replying to any request
The encryption is done using both the account's private key and the Server Encryption Key. The PKSA can use any account key that is available to it (posting, active or memo) to perform the encryption.
The PoK will accompany each message sent by the PKSA to the HAS. The HAS will then:
decode the PoK using its own private key
ensure the message has been encrypted by the account by matching the public key retrieved from the encrypted PoK with the account public key retrieved from the blockchain.
In the case of account registration, check that the provided UNIX time is within a 10 seconds boundary from its actual time. This check is performed to avoid malicious actors to reuse PoK they could have got their hands on.
In the case of a request-related message, check that the decrypted uuid matches the uuid of the request.