0

I am developing a web service for which I am using RSA encryption to encrypt request-response. I have shared the public key with the client and I am able to decrypt the incoming request using my private key. Now my question is how can I encrypt the response which is to be returned to the client. I have two options for this:

(1) Use my private key to encrypt the response and client will decrypt it using already shared public key.

(2) Ask clients to provide their public key and encrypt the response with that public key.

Kindly suggest which strategy to use for encrypting the response.

3
  • 2
    There is an easy button that does all this and more for you. It's called TLS/SSL. All you need to do is run your service over https. Commented Feb 3, 2020 at 13:12
  • Is this some kind of assignment? Because as @JamesReinstateMonicaPolk rightly said, SSL/TLS is used for the same purpose. Why should one re-invent the wheel! Commented Feb 3, 2020 at 13:14
  • But isn't SSL/TLS different in the aspect that it uses symmetric encryption? Commented Feb 3, 2020 at 15:40

1 Answer

2

You cannot encrypt with the private key, as the public key is supposed to be public. Encryption with the private key is inherently unsafe and programming APIs generally disallow the use of it.

So (2) is really the only option: have the client's public key and let them decrypt with the private key. However that's not all of the story:

  1. the public keys need to be trusted, and you may need to set up a full PKI to trust the keys;
  2. larger messages cannot be easily encrypted with RSA, so you may need hybrid encryption (encryption of a random AES key and encrypting the messages with that);
  3. padding oracle attacks are very real, and do apply to RSA, so just performing RSA is pretty dangerous.

This is why it is generally advisable to rely on TLS (only). TLS is not always secure, but it is almost always more secure than a self-made scheme.


1 Comment

Thank you for taking your time to answer the question. This has helped me to understand the problem better and to reach a conclusion. Hopefully, that will also be helpful to many out there.
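The hybrid scheme from points 2 and 3 of the answer, as an added example that is not part of the original answer: the response is encrypted with a fresh AES-256-GCM key, and only that key is RSA-encrypted to the client's public key using OAEP rather than PKCS#1 v1.5 padding. Node.js and the names `encryptResponse`, `decryptResponse` and `demo` are assumptions (the question names no language), the key pair and response body are constructed, and point 1 (trusting the client's key) is not covered.

```javascript
const crypto = require('crypto');

// OAEP with SHA-256 instead of PKCS#1 v1.5, the padding behind classic RSA padding-oracle attacks.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server side (hypothetical helper): encrypt a response for the holder of clientPublicKey.
function encryptResponse(clientPublicKey, plaintext) {
  const aesKey = crypto.randomBytes(32); // fresh AES-256 key for every message
  const iv = crypto.randomBytes(12);     // 96-bit GCM nonce, never reused with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: clientPublicKey, ...OAEP }, aesKey),
    iv,
    tag: cipher.getAuthTag(), // integrity tag, checked by the client before it uses the data
    ciphertext,
  };
}

// Client side (hypothetical helper): unwrap the AES key, then decrypt and authenticate.
function decryptResponse(clientPrivateKey, msg) {
  const aesKey = crypto.privateDecrypt({ key: clientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  // final() throws if the ciphertext or the tag was modified in transit
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed demo: round trip, tamper detection, and the RSA size limit from point 2.
function demo() {
  const client = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const body = JSON.stringify({ status: 'ok', note: 'x'.repeat(1000) }); // constructed response
  const msg = encryptResponse(client.publicKey, body);
  const roundTrip = decryptResponse(client.privateKey, msg) === body;

  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 1; // flip one bit of the ciphertext
  let tamperRejected = false;
  try { decryptResponse(client.privateKey, tampered); } catch (e) { tamperRejected = true; }

  let directRsaFails = false; // RSA-2048 with OAEP-SHA256 accepts at most 190 bytes
  try { crypto.publicEncrypt({ key: client.publicKey, ...OAEP }, Buffer.from(body)); }
  catch (e) { directRsaFails = true; }

  return { roundTrip, tamperRejected, directRsaFails, wrappedKeyBytes: msg.wrappedKey.length };
}

console.log(demo());
```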
