To find ASP.NET Web API, it seems like the solution is very scattered, so I have my own public / private key encryption plan Please take a look at my workflow and help me answer a question which I Finally I got stuck. (Again, this is typical for the .NET 4.0 Web API framework.)
- Register the user at my web mvc 4.0 website
-
Once registered, My website does 4 things
a) Generate an RSA Server public key
b for this user). Generate an RSA server private key for this user
c). Generate an RSA Customer public key
d for this user. Generate an RSA Customer private key for this user
I save all 4 keys to this user account in the database and provide the user with a public key , "API", as well as a client private, called "Secret", is called. This is for future handshake purposes. The user never knows about the server private key nor the client public key
Once the user confirms that they have keys , Then I delete the "client private key" from my database for security purposes.
User's Public Key (or APII) + ":" + "(Encrypted) Message Password (Username, Password) My WebAP authentication using RSA Server Public The key (APIKey) starts requesting the service
The server receives APIKey + ":" + + encrypted message, find private key, decrypt message, user Get names, passwords, and make sure to Use a subscription provider if they are correct
If not correct, create a disapproved response. Otherwise, it receives the client's public on the record for the user, a unique Create a time-sensitive session token (expires in 5 minutes), created it database + time, and use the client's public to encrypt the token and send it back to the customer.
per customer The process is received, use its "client private key" or "secret key" to decrypt the response, get the token.
User encrypts the following service The server makes other requests using the public key
a) session token b) timestamp (That's why I can make sure replay is not attacked) C) Data
and the server has its API + + ":" Send encrypted messages
but step 9 and above
Is it still to use public / private keys to communicate on step 9 Is it necessary to? I am asking that because the browser communicates with the server via SSL, in the end, when once the hands are joined, then they use a valid cipher suite symmetric algorithm to send back and forth messages. Is it fast? But if we do this, will it be safe from this point on the wards?
In that case, where I can exchange this agreement between my web API and client to use a symmetric algorithm to encrypt my workflow / decrypt information forward and behind?
Thank you!
EDIT: If you see a flaw in this workflow, please let me know! Very appreciate
Please do not roll your own plan . Cropto is very difficult to get the right, even the experts too. A very subtle error can completely remove all the security provided by the plan. For example, just look at the attacks on SSL / TLS in the last few years.
You refer to "Web API" but it is not clear what protocol you are using. If you are using SOAP, use "Web Security" (WS), which is well-defined for SOAP. If you are communicating over HTTP (EX REST), use HTTPS. If you are communicating on a connected channel, use TLS or SSH.
Edit: per,
ASP.NET Web API is a framework that is HTTP such services that reach a wide range of customers including browsers and mobile devices. ASP.NET Web API is an ideal platform for creating a restible application on
This means that you might want to use HTTPS.
No comments:
Post a Comment