
I am using an asymmetric encryption algorithm in my web application. The loophole is if some unauthorized person comes to know my public key, then he could make a malicious WebService call. How can I prevent this?

Sciguy13

1 Answer

The public key in an asymmetric algorithm is expected to be exactly that - public and therefore expected to be known by everyone. If you are trying to implement authentication by only distributing the public key to "authorized" users then your mechanism is fundamentally flawed.

A more usual way to do this would be to have your clients each generate their own asymmetric key-pair and provide you with the public key, whilst keeping the private key secure. The clients can then authenticate themselves by signing a message with their private key, which you would validate with their public key.

This being said I would strongly suggest using something like TLS with client certificate authentication to implement secrecy, integrity and authentication at the transport level rather than attempting to roll your own cryptosystem at the application level. It's likely to be far more secure than anything you'd implement yourself as well as being far easier for your clients to implement.

Iridium