Reputation: 355
How to encrypt http response using RSA encryption
I am developing a web service for which I am using RSA encryption to encrypt request-response. I have shared the public key with the client and I am able to decrypt the incoming request using my private key. Now my question is how can I encrypt the response which is to be returned to the client. I have two options for this:
(1) Use my private key to encrypt the response and client will decrypt it using already shared public key.
(2) Ask clients to provide their public key and encrypt the response with that public key.
Kindly suggest which strategy to use for encrypting response?
Upvotes: 0
Views: 1950
Answers (1)
Reputation: 93998
You cannot encrypt with the private key, as the public key is supposed to be public. Encryption with the private key is inherently unsafe and programming API's generally disallow the use of it.
So (2) is really the only option: have the clients public key and let them decrypt with the private key. However that's not all of the story:
- the public keys need to be trusted, and you may need to setup a full PKI to trust the keys;
- larger messages cannot be easily encrypted with RSA, so you may need hybrid encryption (encryption of a random AES key and encrypting the messages with that);
- padding oracle attacks are very real, and do apply to RSA, so just performing RSA is pretty dangerous.
This is why it is generally advisable to rely on TLS (only). TLS is not always secure, but it is almost always more secure than a self-made scheme.
Upvotes: 2
Related Questions
- How to encrypt decrypt with RSA keys in java
- Java - Encoding message to String
- RSA Encryption / Decryption using Java
- RSA Encryption and Decryption Java
- Java, rsa encryption
- How to implement RSA encrypt and decrypt in Java
- RSA Encrypting and Decrypting JAVA
- Simple RSA encrypt and decrypt message in JAVA
- Encrypt and Decrypt a String with RSA
- RSA encryption in Java