
I have an application running as user 'U' that accesses multiple web services (hosted on different web servers) S1, S2, etc. I want a secure way to authenticate the user 'U' on all the services S1, S2, etc. I have control over both the application and the services. Below is the design that I have thought of for authentication in this scenario.

I plan to have a pair of asymmetric keys. The private key will be secured and accessible only to the application/user, while the public key will be shared with all services S1, S2. While accessing the services, the application will send a message encrypted using the private key, and if the service is able to decrypt the message successfully using the public key on the server side, it authenticates/identifies the user as U.

Please suggest whether this looks like a good approach. Any feedback is welcome.

Thanks in advance

Varun
  • PKI works the opposite way. You can encrypt using a public key and decrypt using the private key. So Chaitanya made a good suggestion, you may look into TLS with mutual/client authentication ensuring confidentiality, integrity and authentication. – gusto2 Feb 21 '18 at 20:10
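What the question's design becomes once the private key is used for what it can actually do, signing, is a challenge-response exchange: the service sends a fresh nonce, the application signs it, and the service verifies with the public key it holds. The Go program below is an added example, not code from the question or from any answer here. It uses the names S1, S2 and U from the question; Ed25519 is an assumption (the question names no algorithm), the Client/Service types and the Challenge/Respond/Verify functions are mine, and it goes slightly beyond the question by adding two things the bare scheme lacks: a service-issued single-use nonce (otherwise a captured message authenticates forever) and binding of the signed message to the service name (otherwise a response produced for S1 is also valid at S2). Mutual TLS, which the answer recommends, packages the same idea into a standard handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client is the application running as user U. It holds the private key and
// uses it only to sign; nothing is "encrypted with the private key".
type Client struct {
	priv ed25519.PrivateKey
}

// Service is one of S1, S2, ... It holds U's public key plus the challenges
// it has issued and not yet seen answered.
type Service struct {
	Name    string
	pub     ed25519.PublicKey
	pending map[string]bool
}

// NewIdentity generates U's key pair in memory (constructed for the demo; a
// deployment loads the private half from protected storage).
func NewIdentity() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// NewService creates a service that trusts only the given public key.
func NewService(name string, pub ed25519.PublicKey) *Service {
	return &Service{Name: name, pub: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce. Because the service picks it, a
// signature captured from an earlier session is useless to a replayer.
func (s *Service) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// message binds the nonce to the service name, so a response produced for S1
// does not verify at S2 even though both hold the same public key.
func message(service string, nonce []byte) []byte {
	return []byte("auth:" + service + ":" + hex.EncodeToString(nonce))
}

// Respond signs the service-bound challenge with U's private key. Only the
// signature travels to the service; the key never leaves the client.
func (c *Client) Respond(service string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, message(service, nonce))
}

// Verify accepts a response only if the nonce is one this service issued and
// has not consumed yet, and the signature checks under U's public key.
func (s *Service) Verify(nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, key) // single use, whether or not the signature is good
	if !ed25519.Verify(s.pub, message(s.Name, nonce), sig) {
		return errors.New("signature does not verify under U's public key")
	}
	return nil
}

func main() {
	client, pub, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	s1, s2 := NewService("S1", pub), NewService("S2", pub)
	nonce, _ := s1.Challenge()
	sig := client.Respond("S1", nonce)
	fmt.Println("S1, fresh challenge:", s1.Verify(nonce, sig))
	fmt.Println("S1, replayed:       ", s1.Verify(nonce, sig))
	fmt.Println("S2, reused at S2:   ", s2.Verify(nonce, sig))
}
```

The first call succeeds, the second fails because the nonce was consumed, and the third fails because S2 never issued that nonce and the signed message names S1. Consuming the nonce before checking the signature means a garbage response costs the legitimate client one extra round trip, which is the cheaper failure compared with leaving a valid nonce open for retries.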

1 Answer


There is a standard way of doing this, known as Mutual Authentication / Client Authentication / 2-way SSL. https://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication

Chaitanya
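To show what the answer's recommendation looks like in working code, here is a self-contained mutual TLS setup in Go. It is an added example, not the answer's code and not the code from the linked article. It constructs an in-memory CA, issues a server certificate for S1 and a client certificate for user U, then starts S1 with Go's `crypto/tls` set to `RequireAndVerifyClientCert` and calls it once with and once without U's certificate. The names SetupPKI, StartService and Call are mine, Ed25519 certificates are an assumption (the page names no algorithm), and `net/http/httptest` stands in for a real web server.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates an Ed25519 key and a certificate for name, self-signed as a CA
// when parent is nil and otherwise signed by parent/parentKey (all constructed in memory).
func issue(name string, parent *x509.Certificate, parentKey crypto.PrivateKey) (*x509.Certificate, tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // where httptest listens
	}
	if parent == nil { // the CA signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// SetupPKI builds the CA, a server identity for S1 and a client identity for
// user U, and returns the trust store (just the CA) that both sides verify against.
func SetupPKI() (pool *x509.CertPool, server, client tls.Certificate, err error) {
	ca, caID, err := issue("demo-ca", nil, nil)
	if err == nil {
		_, server, err = issue("S1", ca, caID.PrivateKey)
	}
	if err == nil {
		_, client, err = issue("U", ca, caID.PrivateKey)
	}
	if err == nil {
		pool = x509.NewCertPool()
		pool.AddCert(ca)
	}
	return
}

// StartService serves name over HTTPS and requires a client certificate that
// chains to the trust store; the identity is read from the verified peer
// certificate, never from a header or body the client controls.
func StartService(pool *x509.CertPool, id tls.Certificate, name string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s authenticated %s", name, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{id},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
	srv.StartTLS()
	return srv
}

// Call does one GET against url, presenting id when it is non-nil.
func Call(pool *x509.CertPool, id *tls.Certificate, url string) (string, error) {
	cfg := &tls.Config{RootCAs: pool}
	if id != nil {
		cfg.Certificates = []tls.Certificate{*id}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	pool, server, client, err := SetupPKI()
	if err != nil {
		panic(err)
	}
	srv := StartService(pool, server, "S1")
	fmt.Println(Call(pool, &client, srv.URL))
	fmt.Println(Call(pool, nil, srv.URL))
}
```

The call that presents U's certificate returns `S1 authenticated U`; the anonymous call fails at the TLS layer with a certificate-required error before the handler ever runs. Adding S2 is one more `issue` call under the same CA, and because every service verifies against the CA rather than against a copy of U's key, revoking or rotating U's certificate does not require touching each service.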