this post was submitted on 22 Aug 2023
3 points (100.0% liked)

Cryptography

309 readers
16 users here now

Questions, answers, discussions, and literature on the theory and practice of cryptography

founded 1 year ago
MODERATORS
SqueamishOssifrage@infosec.pub
3
Can RSA be used for web API authentication? (lemy.lol)
submitted 1 year ago* (last edited 1 year ago) by iso@lemy.lol to c/crypto@infosec.pub
6 comments fedilink hide all child comments
 

I need to

  • encrypt JSON payload (not just sign)
  • not share private key
  • verify the payload is generated with the shared public key and RSA fitting all of these.

As I've only made auth with JWT so far, I'm not sure. If I use RSA, I guess I have to put the encrypted text in the body.

Do you think it can be used? Any other suggestions?

you are viewing a single comment's thread
view the rest of the comments
[–] colossus@infosec.pub 2 points 1 year ago

Sounds like you’re proposing WebAuthn which already exists. Keep in mind that there are attacks against RSA with PKCS1 padding. I’d use a more secure cryptographic primitive than RSA (I.e. elliptic curves) - there’s a reason cryptographic experts don’t look towards RSA these days.