Securing information on a public service from man

How to secure information on a public service that provides private information?

The service provides some information based on the username and password the client sends to it. For example:

Request

<get-my-info>
 <username>username</username>
 <password>password</password>
</get-my-info>

Response

<your-info>
 <private-info-a>private-info-a</private-info-a>
 <private-info-b>private-info-b</private-info-b>
</your-info>

The service should be fairly easy to use and should allow new clients to emerge, so forcing the client to register a key associated with it is not an option.

Would it be enough to put a private key on the server and send out public keys for clients to encrypt the sensitive information? Then only the server could decrypt the messages from clients, and all clients would use the same public key, making it easier to create new clients.

The service interfaces with a legacy database that provides all the information the service needs: username/password and private-information lookup. Keeping the username/password approach and avoiding database changes (for example, to store a user's signing key) is preferred.


If you use standard HTTPS you are safe from man-in-the-middle attacks, provided that you have some kind of authentication and authorization step starting each conversation. You could also send a security token with each request.


You are close.

You are probably confusing two concepts here: authenticating a user, and protecting (encrypting) the data. Without going into much detail about how secured protocols work (HTTPS, SSL), the server where your service is hosted needs a certificate. Like you said, the server will have a private key that no one else knows and a public key that anyone can know. Now your clients will encrypt the data using the server's public key (the browser will take care of this), which ensures that only the service can decrypt the data (using the private key); thus the data is secured.

To ensure origin integrity, the service needs to authenticate the clients using a username and password.

In short, you will need to purchase and register a certificate for your server, and the clients will have to authenticate themselves.
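A client written against the answer above, as an added example that is not part of the original post: it serializes the question's <get-my-info> document, verifies the server's certificate with Python's default TLS settings (server certificate only, no per-client key), and parses the <your-info> reply. The service URL and the sample response are constructed assumptions.

```python
import ssl
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

# Hypothetical endpoint; the original question names no host.
SERVICE_URL = "https://service.example.invalid/get-my-info"

# Constructed sample of the <your-info> reply from the question.
SAMPLE_RESPONSE = (b"<your-info><private-info-a>a</private-info-a>"
                   b"<private-info-b>b</private-info-b></your-info>")


def build_request(username: str, password: str) -> bytes:
    """Serialize the <get-my-info> document from the question.
    ElementTree escapes the values, so a password containing '<' or '&'
    cannot break the document structure."""
    root = ET.Element("get-my-info")
    ET.SubElement(root, "username").text = username
    ET.SubElement(root, "password").text = password
    return ET.tostring(root, encoding="unicode").encode("utf-8")


def tls_context() -> ssl.SSLContext:
    """Client-side TLS as the answer describes: only the server holds a
    certificate and private key; the client needs nothing beyond a trust
    store.  create_default_context() verifies the certificate chain and
    the hostname, which is what defeats a man-in-the-middle."""
    ctx = ssl.create_default_context()
    # Already the defaults; stated explicitly because turning either off
    # silently reduces HTTPS to encryption towards whoever answers.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_response(body: bytes) -> dict:
    """Turn <your-info> into a dict; reject any other root element."""
    root = ET.fromstring(body)
    if root.tag != "your-info":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "") for child in root}


def get_my_info(username: str, password: str, url: str = SERVICE_URL) -> dict:
    """POST the credentials inside the TLS channel and parse the reply."""
    req = Request(url, data=build_request(username, password), method="POST",
                  headers={"Content-Type": "application/xml"})
    with urlopen(req, context=tls_context(), timeout=10) as resp:
        return parse_response(resp.read())
```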

Link: http://www.djcxy.com/p/3704.html
