I have developed a 'REST-like' XML API that I wish to expose for consumption by third-party web applications. I'm now looking to implement a security model for the exchange of data between a third-party application and the 'REST-like' XML API. I would appreciate suggestions for a suitable asymmetric encryption model.
- What's wrong with HTTPS / SSL? Or is the "REST-like" not HTTP at all? – Jonas Elfström, Jan 29, 2009 at 12:43
- Why the non-descriptive title? – yfeldblum, Jan 29, 2009 at 12:47
- @jonelf - nothing wrong with https/ssl - I wanted stackoverflow's opinion before I get down to work. thanks :) – Izmoto, Jan 29, 2009 at 13:04
- @Justice - sorry, forgive my English skills. – Izmoto, Jan 29, 2009 at 13:04
3 Answers
If you want encryption why not just use SSL to encrypt the connection rather than encrypting the response data? If 128-bit SSL isn't sufficient, then you'll either need to integrate some existing PKI infrastructure using an external, trusted authority or develop a key distribution/sharing infrastructure yourself and issue your public key and a suitable private key/identifier to your API consumers. Choose one of the cryptography providers in System.Security.Cryptography that supports public/private key exchange.
HTTPS works with asymmetric key encryption. It is a well-known protocol that is easy to implement. It protects against third-party intrusion into your communication.
All you need to implement "below" it is authentication - to make sure your user is known to you.
A common thing to do is to provide users with a key that needs to be sent with every request.
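The scheme the answer above describes (HTTPS for the transport, a per-consumer key sent with every request), as an added Python example that is not from the question or either answer. The header names, the in-memory key store and the `X-Forwarded-Proto` check (a TLS-terminating proxy setting that header) are assumptions; keys are stored only as hashes and compared in constant time so a leaked store or timing side channel does not give up a usable key.

```python
import hashlib
import hmac
import secrets


def hash_key(secret):
    """Store only a SHA-256 digest of the key, never the key itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_key(store, client_id):
    """Generate a random key for one API consumer, keep its hash,
    and return the plaintext exactly once for delivery to that consumer."""
    secret = secrets.token_urlsafe(32)
    store[client_id] = hash_key(secret)
    return secret


def authenticate(store, headers):
    """Validate one request's headers against the key store.
    Returns (ok, reason) so the caller can log the failure class."""
    # Refuse to accept a key over plain HTTP: the proxy is assumed to set
    # X-Forwarded-Proto, otherwise the key would travel in clear text.
    if headers.get("X-Forwarded-Proto", "").lower() != "https":
        return False, "tls-required"
    client_id = headers.get("X-Client-Id")
    secret = headers.get("X-Api-Key")
    if not client_id or not secret:
        return False, "missing-credentials"
    expected = store.get(client_id)
    if expected is None:
        # Do a comparison anyway so unknown ids cost the same as known ones.
        hmac.compare_digest(hash_key(secret), hash_key("placeholder"))
        return False, "unknown-client"
    # Constant-time comparison of the presented key's hash with the stored hash.
    if not hmac.compare_digest(hash_key(secret), expected):
        return False, "bad-key"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: issue a key to one consumer and check a request with it.
    keys = {}
    api_key = issue_key(keys, "acme-app")
    request_headers = {"X-Forwarded-Proto": "https",
                       "X-Client-Id": "acme-app", "X-Api-Key": api_key}
    print(authenticate(keys, request_headers))
```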