Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

Browser Exam Key - Request Hash specs

SEB 2.0
Eric
2014-02-19
2014-03-28
  • Eric
    Eric
    2014-02-19

    I am trying to integrate the Safe Exam Browser header/request hash check into my test system and have a couple of questions.

    1. What hashing algorithm are you using to generate the HTTP header value; and
    2. What strings are you concatenating and hashing?

    I checked the docs and didn't find what I was looking for so I tried looking at the SEB source code (MAC), but 2.0 is not available and this is a 2.0 feature so...

    I looked at Tim Hunt's SEB Moodle plug-in and was led to believe that the X-SafeExamBrowser-RequestHash is a SHA256 hash of the Start URL+Browser Exam Key (concatenated). However, my hashes aren't matching.

    Could someone confirm?

    Thanks for any help and for such a great product.

     
  • Eric
    Eric
    2014-02-20

    UPDATE: I've been testing with the MAC 2.0pre2 stable preview version and my hashes don't match.

    I just got ahold of a Windows machine, installed the Windows 2.0RC Release candidate version 2 that was updated today and my hashes match the X-SafeExamBrowser-RequestHash value without changing any of my code.

    It would seem that the MAC version is computing hashes differently/incorrectly. Any thoughts?

    Thanks again.

     
    Last edit: Eric 2014-02-20
  • Looks like in the Mac 2.0pre2 version computing the hashes doesn't work after saving and then loading the settings in a .seb file (it works only before saving settings). Anyways 2.0pre2 is outdated, not using the latest version of the .seb data format. Please wait for the 2.0RC release for Mac which got delayed because we had to concentrate on finalizing the .NET Windows version. I may release an interim 2.0pre3 tomorrow to solve this problem quickly as in my development Mac version everything is working.

     
  • Eric
    Eric
    2014-02-20

    An interim patch would be great but I understand if it has to wait. Thanks Daniel.

     
  • As testing and bug fixing of the Windows SEB 2.0 release candidates is taking more time than expected and our development resources are currently limited due to some staff changes, I released a SEB 2.0pre3 version with the most urgent updates today, making it compatible with the Windows 2.0RC versions. We will release the SEB 2.0 release candidate for Mac OS X with a similar feature set as the Windows RC in a few weeks.

    In SEB 2.0pre3 for Mac OS X the request header check is working correctly now. Please note that if you want to use the same .seb file with Windows and Mac clients, you should not alter the file anymore when you're copying the Browser Exam Key hashes to your exam settings in your quiz module. Re-saving it (especially in the Windows version) will change the Browser Exam Key of that file also in the SEB version on the other platform. The keys for the Mac and the Windows version will in any case be different, so you have to load the final .seb file into both versions and copy both keys to your quiz settings.

     
    Last edit: Daniel Schneider 2014-03-22
  • Jarle Presttun
    Jarle Presttun
    2014-03-26

    Is this the permanent solution, that the keys will be different for mac and windows? Asking as I'm currently implementing support for seb files in our assessment system.
    I find it a bit unpractical that person who sets up an exam will have to have access to a windows and mac computer. This might be a big issue for us. Or is there something I don't get here?

     
  • Yes, there is a very good reason that the keys will be different on each platform. In the final SEB 2.x version (not yet implemented in 2.0 RC), also the code signature of the SEB binaries will be included in the Browser Exam Key. Like this you can assure that people use the right and official version of SEB, not an outdated version which maybe had security holes which were later fixed or just didn't support some new security features. It would also make it a bit harder to compile your own manipulated SEB version...

    But I get your point. Latest with SEB Server it won't be necessary to have access to the physical Windows and Mac computers, as SEB Server would take over the task of generating the Browser Exam Keys and communicating it to the assessment system and the clients.

    Maybe for now we can implement a switch for less security (code signatures not included in Browser Exam Keys, same key for each platform) or more security (separate key for each platform). Or separate the keys for authentication of settings and application/code signature, which would make it easier to communicate the code signature key for each platform/SEB version.

     
    Last edit: Daniel Schneider 2014-03-26
  • Jarle Presttun
    Jarle Presttun
    2014-03-26

    Thanks for your answer. I understand why its implemented like it is now, but it still is a complicated workflow.

    I think separating might be a good idea anyway, it would make it much easier for us and the institutions using our system with SEB. It would also give us possibility to give more precise error messages like "Wrong seb file" or "You need to update Safe Exam Browser".
    That would solve our problem here, but of course I see it from our side and what suits us best :-)

    Has there been any work on the SEB Server yet?

     
    Last edit: Jarle Presttun 2014-03-27
  • Jarle Presttun
    Jarle Presttun
    2014-03-27

    As we need to get the support up and running quite fast, we found a workaround for this that we have decided to implement, so please don't have this high on your list if you didn't plan to change it anyway.

     
    Last edit: Jarle Presttun 2014-03-27
  • After spending some thoughts on this I don't think that we should do any changes in the Browser Exam Key/request header check for now. We just finished plugins for Moodle and ILIAS and somehow established a new "standard", would be a bit awkward to change it already. Having multiple keys for settings and for checking the code integrity would complicate SEB, the exam system plugins and whole process of setting up an exam and there would be one more key to fill into the exam settings.

    Besides that, I would strongly recommend to test an exam with its settings at least shortly on both platforms before conducting it. In case third party applications would be used, this is definitely a must! And if you test it, you can also get the exam keys from both a Windows and a Mac computer. I expect an organization expecting students to show up with computers running both OS should have testing devices for both platforms available...

    What I will definitely have a look into is the version question. SEB itself should in future display a warning or error when it loads a exam setting .seb file which demands a specific SEB version.

    We will also have to deal with the question what happens when students install SEB 2.0 directly from the Mac App Store. The question is what happens if a new version is published just shortly before an exam and gets updated on students' Macs. The solution will most likely be that the Mac App Store version will use the code signature which is specific for a publisher and not for a software version. The same would be possible with the Mac version in general, as the Mac version anyways needs to be signed with the Developer ID which Apple assigned us. On Windows dealing with code signing is a bit more complicated.

    Publishing SEB 2.0 in the Mac App Store will take some time, as this is only possible with a final version and we have to deal with some restrictions which apply there. So for now people will have to download the Mac version of SEB 2.0 from our website.

     
  • Tim Hunt
    Tim Hunt
    2014-03-28

    I was thinking about this a bit, but I can't remember enough of the technical details to be sure of what I am saying.

    1. Can you use the same .seb file to launch either the Windows or Mac version of SEB? (Obviously it would be nice if you only had to make one configuration file for both browsers.)

    2. How are the various hashes put together? We have a hash of the executable, and a hash of the .seb file, and information from the URL that are combined the hash sent in the HTTP header. Does that mean we could change the Moodle plugin so that we store the allowed hashes in two parts:

    A. The admin puts in a list of browser executable hashes, that are the versions of the SEB application that are allowed to be used.

    B. The teacher in the quiz settings puts in the hash of the .seb file.

    We think combine those on the server-side when checking the HTTP header, just like they get combined on the client side.

    That way, when a new version of the SEB code is released, only the admin has to add one more hash to a list.

    The teacher only has to add one hash for the .seb file to the quiz, and the same hash will cover windows and Mac.

    If this is workable, then I am very happy to update the Moodle add-on to work that way.

     
    • Tim Hunt
      Tim Hunt
      2014-03-28

      Oh, I just had a nasty thought. If it is too easy to get the signature of the executable, rather than the executable mixed with the configuration hash, it probably becomes too easy for a hacker to fake things. Pity.

       
      • Yes, I had the same thought. I guess this is an argument against separating the hashes...

         
    • Yes, you can use the same .seb file to launch either the Windows or Mac version of SEB. In the SEB 2.0pre3 version for Mac I recently released the .seb format is the same as in the Windows 2.0 RC version.

      Most key/values are the same for both platforms, but there are those keys which only apply for one of both platforms (because they simply don't make sense on the other one). I will update the Mac version's preferences window to also allow to enter all Windows specific settings for the final Mac 2.0 version (the Windows config tool already includes all Mac specific settings). But besides generating the browser/exam key it will make sense to use both a Windows PC and a Mac to add specific information to the same .seb file, for example when using third party applications which have platform specific parameters.

      To clarify: If you create a .seb file with the SEB Windows config tool (including Windows specific parameters) and load it into the SEB MacOSX 2.0pre3 version, then the Windows specific key/values are preserved even if you make some changes and re-save it in the Mac version. But it's important to remember that with every change the Browser Exam Key of the re-saved .seb file would change in both versions (as all keys, also the ones from the other version are used to calculate the key).

      So always copy the Browser Exam Key only from final .seb files, after making all necessary changes in both SEB versions on the same file.

       
      Last edit: Daniel Schneider 2014-03-28