Geek Answers Handbook

Confused with API signatures for public and private keys

I created an API that needs authorization with a signed request.

I am using the php functions openssl_sign and openssl_verify.
I understand the concept of public and private keys (DSA algorithm). But basically, I have no idea how to implement it.

I am working from this example from http://uk.php.net/manual/en/function.openssl-sign.php

<?php $data = "Beeeeer is really good.. hic..."; // You can get a simple private/public key pair using: // openssl genrsa 512 >private_key.txt // openssl rsa -pubout <private_key.txt >public_key.txt // IMPORTANT: The key pair below is provided for testing only. // For security reasons you must get a new key pair // for production use, obviously. $private_key = <<<EOD -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBANDiE2+Xi/WnO+s120NiiJhNyIButVu6zxqlVzz0wy2j4kQVUC4Z RZD80IY+4wIiX2YxKBZKGnd2TtPkcJ/ljkUCAwEAAQJAL151ZeMKHEU2c1qdRKS9 sTxCcc2pVwoAGVzRccNX16tfmCf8FjxuM3WmLdsPxYoHrwb1LFNxiNk1MXrxjH3R 6QIhAPB7edmcjH4bhMaJBztcbNE1VRCEi/bisAwiPPMq9/2nAiEA3lyc5+f6DEIJ h1y6BWkdVULDSM+jpi1XiV/DevxuijMCIQCAEPGqHsF+4v7Jj+3HAgh9PU6otj2n Y79nJtCYmvhoHwIgNDePaS4inApN7omp7WdXyhPZhBmulnGDYvEoGJN66d0CIHra I2SvDkQ5CmrzkW5qPaE2oO7BSqAhRZxiYpZFb5CI -----END RSA PRIVATE KEY----- EOD; $public_key = <<<EOD -----BEGIN PUBLIC KEY----- MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDiE2+Xi/WnO+s120NiiJhNyIButVu6 zxqlVzz0wy2j4kQVUC4ZRZD80IY+4wIiX2YxKBZKGnd2TtPkcJ/ljkUCAwEAAQ== -----END PUBLIC KEY----- EOD; $binary_signature = ""; // At least with PHP 5.2.2 / OpenSSL 0.9.8b (Fedora 7) // there seems to be no need to call openssl_get_privatekey or similar. // Just pass the key as defined above openssl_sign($data, $binary_signature, $private_key, OPENSSL_ALGO_SHA1); // Check signature $ok = openssl_verify($data, $binary_signature, $public_key, OPENSSL_ALGO_SHA1); echo "check #1: "; if ($ok == 1) { echo "signature ok (as it should be)\n"; } elseif ($ok == 0) { echo "bad (there something wrong)\n"; } else { echo "ugly, error checking signature\n"; } $ok = openssl_verify('tampered'.$data, $binary_signature, $public_key, OPENSSL_ALGO_SHA1); echo "check #2: "; if ($ok == 1) { echo "ERROR: Data has been tampered, but signature is still valid! Argh!\n"; } elseif ($ok == 0) { echo "bad signature (as it should be, since data has beent tampered)\n"; } else { echo "ugly, error checking signature\n"; } ?>

But I'm struggling to figure out how this can be implemented in a URI request.

Private and public keys seem quite large for use in http get requests, and also how can a client generate a signature that can be verified by the server?

+4
source share
2 answers

Basically there are three things in encryption:

  • Generating a public key and a pair of private keys
  • Encrypt data using private key 1 and public key
  • Decrypt data using public key and private key 2

Step 1 is performed only once, you can generate a public key (or [RSA] keys) and private keys for two clients (either server and client)

Before sending data, you need to sign the data using your private key (only for you) and the public key (known to both), this will create cybertext (or it’s called a digest), and you can send it to another person (another client or server). On the other hand, they decrypt cybertext with a public key, and then with their private key to extract the actual data.

These are actually the basics of private key encryption-decryption.

Various versions of this encryption and decryption are available, so it is useful to use Wikipedia.

+2
source

It seems that it is not recommended to pass the key along with the HTTP request request that you want to sign.

It is better to have a public key already stored on the server side (for example, in the client database) and look for it from some identifier sent with the request (for example, username).

Your request url will look like this:

 rtp://api.example.com/username=User1&method=XML&product=shoes&size=5&sex=male&signature=x1cvGgtRfJs4FgG

The client will use the private key (and any DSA implementation) to sign the important part of the request URL.

(The private key should never be transmitted at all.)

+1
source

More articles:


All Articles