I want to use asymmetric encryption of headers in RESTful requests to verify the identity of the system sending the request: i.e. System A encrypts its name, timestamp, and the service name using its public key in a request to System B. System B then uses the public key of System A to decrypt, proving the authenticity of the request.
1) Does php-mcrypt support this?
2) Has anyone benchmarked this type of operation?
Asymmetric encryption is used in key exchange, email security, Web security, and other encryption systems that require key exchange over the public network. It uses two keys (public and private); the private key cannot be derived from the public key, so the public key can be freely distributed without confidentiality being compromised.
Symmetric encryption uses the same key to perform both encryption and decryption functions. Symmetric encryption uses a shared private key while asymmetric encryption uses a public/private key pair. Another difference between asymmetric and symmetric encryption is the length of the keys.
Asymmetric encryption is a data encryption method that uses two keys: a public key and a private key. The public key is used to encrypt the data and can be distributed widely and openly. The private key is used to decrypt the data encrypted with the public key.
Asymmetric encryption, also known as public key encryption, uses a public key-private key pairing: data encrypted with the public key can only be decrypted with the private key. TLS (or SSL), the protocol that makes HTTPS possible, relies partially on asymmetric encryption.
No, mcrypt is just symmetric block ciphers.
However, the PHP OpenSSL extension supports asymmetric operations. The ones you want are openssl_sign and openssl_verify.
(You have a slight terminology issue - in asymmetric systems, encryption is done with public keys and decryption with private keys; signing is done with private keys and verification with public keys. Do not confuse signing with encryption or decryption - although the underlying operations are often similar, it is not the same thing, and the confusion can lead to insecure implementations).
Of course, you could just do your REST over SSL, using client certificates for authentication.
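The sign-then-verify flow the answer points to, as an added example that is not part of the original answer: System A signs its name, a timestamp and the service name with its private key, and System B checks the signature with A's public key. The header names, the 300-second freshness window and the key pair generated inline are assumptions made for illustration.

```php
<?php
// Added example: constructed key pair and hypothetical header names.

// Canonical string covering the three fields named in the question.
function canonical(string $system, int $timestamp, string $service): string
{
    // Assumption: field values never contain a newline.
    return implode("\n", [$system, (string) $timestamp, $service]);
}

// System A: sign with its PRIVATE key.
function signHeaders($privateKey, string $system, string $service, int $now): array
{
    $ok = openssl_sign(canonical($system, $now, $service), $sig, $privateKey, OPENSSL_ALGO_SHA256);
    if (!$ok) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return [
        'X-System'    => $system,
        'X-Timestamp' => (string) $now,
        'X-Service'   => $service,
        'X-Signature' => base64_encode($sig),
    ];
}

// System B: verify with System A's PUBLIC key and reject stale timestamps.
function verifyHeaders(string $publicKeyPem, array $h, int $now, int $maxSkew = 300): bool
{
    $sig = base64_decode($h['X-Signature'] ?? '', true);
    $ts  = $h['X-Timestamp'] ?? '';
    if ($sig === false || !ctype_digit($ts) || abs($now - (int) $ts) > $maxSkew) {
        return false; // malformed signature/timestamp, or outside the freshness window
    }
    $data = canonical($h['X-System'] ?? '', (int) $ts, $h['X-Service'] ?? '');
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false on error: accept only 1.
    return openssl_verify($data, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo key pair; in practice A keeps the private key and B holds only the public one.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];

$headers = signHeaders($key, 'system-a', 'orders', time());
var_dump(verifyHeaders($pub, $headers, time())); // request as signed by System A
$headers['X-Service'] = 'billing';               // field changed after signing
var_dump(verifyHeaders($pub, $headers, time())); // signature no longer matches
```

The strict `=== 1` comparison matters because openssl_verify reports errors with -1, which is truthy in PHP.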