Sharing only the public key Is secure?

 

I need to secure a REST request knowing who is doing it. I know the HMAC method but I wouldn't like not store the client private key on my server. This is my approach:

  • The SERVER creates a private and public key for the client
  • The SERVER sends the private key and a client id to the client
  • The CLIENT stores its private key
  • The SERVER stores only the public client key
  • The CLIENT makes a RESTful request by encrypting its client id with its private key (ecryptedData) and sends the pair clientID:encryptedData to the SERVER
  • The SERVER looks for the public key of the given client id and decrypt the encryptedData
  • The SERVER checks if the decrypted data contains the same client id. If the client id is the same then the SERVER trusts on the sender otherwise it rejects the request.

    • Maybe this method already exists but I don't know it.

    Is it secure this method?

    EDIT

    I reformulate the question:

    if I care only about who is the sender and not about what he is sending in a monodirectional communication (CLIENT -> SERVER), can I use RSA in this way?

    ONE TIME

  • SERVER creates the RSA pair key for the client
  • SERVER stores the client public key (I doesn't matter if the key is stolen..it's public!)
  • SERVER sends the client private key to the client

    • DURING THE CLIENT -> SERVER COMMUNICATION

  • CLIENT encrypts a known word + timestamp (to prevent replay attack) by its private key ex. SIGNATURE = encrypt(RSA, 'FOO:1234234')
  • CLIENT sends the message with the API KEY and singature ex. 54545345:SIGNATURE
  • SERVER looks up the public key of the given API KEY
  • SERVER decrypts the message with the public key found
  • SERVER checks the correctness of the known word FOO and the timestamp
  • SERVER rejects the message if the previous step fails

    • Is it secure this method?

    Thanks a lot!
    aGO!

    "SERVER sends the client private key to the client": this does not seem very secure. If malicious clients intercept this communication, they can get client's private-key and can send messages as if they were sent by the actual client. You should let the client generate the two keys, without sharing the private one.

    链接地址: http://www.djcxy.com/p/21774.html

    上一篇: 如何将RSA私钥存储在客户端的浏览器中以获得更好的用户体验?

    下一篇: 只共享公钥是安全的吗?