Meet Shah

Reputation: 19

Need of Encryption/Decryption of REST API request/response?

In what situations is it needed to encrypt the REST API HttpRequest at the client-side before sending it to the server and to encrypt the HttpResponse at the server before sending it to the client-side?

I read that HTTPS encrypts the data when data is in transit, so do we really need an extra layer of encryption on our own?

One difference I could notice is that with additional encryption I will not be able to see the data in its original form in the Network tab of the browser. What is the significance of this from a security perspective?

Please consider the question for both mobile and web platforms.

Upvotes: 1

Views: 2426

Answers (1)

SergeiR

Reputation: 1

My solution (needs to be commented)

General purpose: to avoid stealing (scraping) data client-side (e.g. with the Network tab of the browser etc.), not only in transit (this is well done by SSL)

To encrypt small requests

  • generate RSA key pair and keep public key on client and private key on server
  • encrypt your req body on client by public key
  • decrypt it on server by private key

To encrypt small responses

  • before request - generate RSA key pair on client
  • add public key to req to send it to server
  • after getting req on server - encrypt res by public key on server
  • decrypt response by private key on client
  • delete key pair on client

Hybrid cryptosystem (to get around the RSA size limitation)

To encrypt big requests

  • generate RSA key pair and keep public key on client and private key on server
  • before request - generate AES symmetric key on client
  • encrypt symmetric key by public key on client
  • encrypt req body by symmetric key on client
  • add encrypted symmetric key to req to send to server
  • decrypt encrypted symmetric key by private key on server
  • decrypt req body by decrypted symmetric key

To encrypt big responses

  • before request - generate RSA key pair on client
  • add public key to req body to send to server
  • after getting req on server - generate AES symmetric key
  • decrypt response body by symmetric key on server
  • decrypt symmetric key by public key on server and add it to res (+iv/counter)
  • decrypt encrypted symmetric key by private key on client
  • decrypt response body by decrypted symmetric key on client
  • delete key pair on client

To avoid reverse engineering

Due to the open nature of JS in the browser it is possible to get the JS code, repeat the approach and then decrypt the data, so some additional locks are required:

  • use request host check on server
  • use CORS
  • use request ip check on server (for dev and build requests from node)

Useful links:

Web crypto API

Hybrid cryptosystem

Upvotes: -1
