jantox

Reputation: 2185

Private and Public Key

When I create a user I will create a private and public key. The public key is the token id for the user. The private key will be used for encrypting and decrypting data.

When the user logs in, my Android app will call a REST Web Service and, after validation, it will return the private and public key. Then, using the private key, the app can create a signature.

Is this a correct way? I am just using HTTP, not HTTPS.

Upvotes: 0

Views: 281

Answers (2)

user207421

Reputation: 310903

Is this a correct way?

No.

I am just using HTTP not https.

Why? I can't see why you don't just use HTTPS like everybody else. It's a solved problem.

To correct your misstatements:

  1. The private key is used to decrypt data only, and create digital signatures.
  2. The public key is used to encrypt data and verify digital signatures.
  3. The public key is of no use as a user token, because it is, err, public.

You need to learn a lot more about PKI than you presently appear to know.

Upvotes: 3

Robert

Reputation: 42595

The short answer: No

First, you are transmitting a private key over unprotected HTTP.

Second, it is totally unclear what you want to achieve using a public/private key. From your description I read that you want to use it for authentication and signature. But why is the private key stored on the server?

Usually it is the other way around: the client has a public and a private key. It sends the public key to anybody who wants it, but the private key NEVER LEAVES THE DEVICE!

Upvotes: 2
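The model both answers describe, as an added example that is not part of either answer or of the asker's app: the client generates its own key pair and keeps the private key, the server is given only the public key at registration, and login is a challenge-response in which the device signs a fresh server nonce and the server verifies it with the enrolled public key (private key signs, public key verifies, as user207421 lists). It is written in Go with the standard library's Ed25519 rather than in the app's Java/Kotlin so it runs stand-alone; the `Device` and `Server` types, the user name "alice" and the 32-byte nonce size are assumptions for illustration. It covers key custody and signature direction only; confidentiality of the transport is a separate matter and is what HTTPS provides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device is the client side (the Android app in the question). It generates
// the key pair locally; the private key is held in memory and is never
// returned by any method, so it cannot be sent to the server by accident.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// PublicKey is the only key material the device ever hands out.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// SignChallenge proves possession of the private key without revealing it.
func (d *Device) SignChallenge(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// Server is the REST back end. It stores one public key per user and at most
// one outstanding challenge per user; it never sees a private key.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register is the "create user" step: the client enrolls its public key.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.users[user] = pub
	return nil
}

// Challenge issues a fresh random nonce for one login attempt (32 bytes is an
// assumed size; anything unguessable works).
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// VerifyLogin accepts the login only if the signature covers the outstanding
// nonce under the enrolled public key. The nonce is consumed either way, so a
// signature captured on the wire cannot be replayed for a second login.
func (s *Server) VerifyLogin(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	delete(s.pending, user)
	if !ok {
		return false
	}
	return ed25519.Verify(s.users[user], nonce, sig)
}

func main() {
	srv := NewServer()
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	// Enrollment: only the public key crosses the network.
	if err := srv.Register("alice", dev.PublicKey()); err != nil {
		panic(err)
	}
	// Login: server challenges, device signs, server verifies.
	nonce, _ := srv.Challenge("alice")
	sig := dev.SignChallenge(nonce)
	fmt.Println("genuine device login:", srv.VerifyLogin("alice", sig))   // true
	fmt.Println("replay of same signature:", srv.VerifyLogin("alice", sig)) // false
	// Holding the public key alone gives no way to produce a valid signature.
	other, _ := NewDevice()
	nonce2, _ := srv.Challenge("alice")
	fmt.Println("different key pair:", srv.VerifyLogin("alice", other.SignChallenge(nonce2))) // false
}
```

Because the server holds only public keys, a compromise of its database or of the HTTP traffic exposes nothing that lets anyone sign as the user, which is the property lost when the private key is generated on the server and downloaded at login.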
