this post was submitted on 22 Aug 2023
2 points (100.0% liked)

Cryptography @ Infosec.pub

438 readers
1 users here now

Questions, answers, discussions, and literature on the theory and practice of cryptography

Rules (longer version here)

##Related resources;

founded 2 years ago
MODERATORS
[email protected]
[email protected]
2
Can RSA be used for web API authentication? (lemy.lol)
submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/[email protected]
3 comments fedilink hide all child comments
 

I need to

  • encrypt JSON payload (not just sign)
  • not share private key
  • verify the payload is generated with the shared public key and RSA fitting all of these.

As I've only made auth with JWT so far, I'm not sure. If I use RSA, I guess I have to put the encrypted text in the body.

Do you think it can be used? Any other suggestions?

top 3 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 2 years ago

Sounds like you’re proposing WebAuthn which already exists. Keep in mind that there are attacks against RSA with PKCS1 padding. I’d use a more secure cryptographic primitive than RSA (I.e. elliptic curves) - there’s a reason cryptographic experts don’t look towards RSA these days.

[–] [email protected] 1 points 1 month ago (1 children)

Is there a particular reason you want to use your own implementation instead of JWT? If you just want an alternative to JWT, there is also PASETO.

[–] [email protected] 2 points 1 month ago

I wanted to let my users encrypt their payload with my public key so only I can decrypt that payload. Just like how PGP works. Eventually I've used hybrid encryption with AES for encrypting the payload and RSA for encrypting AES secret key.

Just to let you know this post is almost 2 years old :)