How to perform encryption/decryption in a RESTful system?
I'm not a crypto/security expert and have designed an architecture for encryption/decryption. I'm not sure if its full proof and want to know what people use as industry standard?
I'm trying to perform encryption/decryption in RESTful api where client sends encrypted payload and server decrypts it and does some processing. The server then sends encrypted response which the client decrypts and does some processing.
The architecture I've decided is:
- One of the server periodically(once in 24hrs) generates a RSA keypair and uploads encrypted private key to redis so that other servers can get it and use decrypted private key from a master key.
- create an api to share current active public key.
client:
- get current active public key from server as raw text
- generate new symmetric key
- encrypt request with symmetric key
- encrypt symmetric key with public key
- encrypt iV with public key
- send request
server:
- decrypt iV with private key
- decrypt symmetric key with private key
- decrypt payload with symmetric key
- encrypt response with symmetric
- send response
client:
- decrypt response with symmetric key
I'm using java.security and javax.crypto for all the key generation, cipher encryption/decryption.
The transformations I'll be doing is
- RSA transformation
RSA/ECB/OAEPWithSHA-256AndMGF1Padding - AES transformation
AES/GCM/PKCS5Padding
Is this architecture okay to use? The reason for creating an api to get public key is so that we can do key rotation periodically. Also, I'll create an admin only api to force change the RSA key pair incase private key leak.
My major concern is the api that shares naked public key. Is this a valid approach and what are its problems? What are my options otherwise? Any help would be greatly appreciated because this is a very new topic for me and I am finding it very interesting!
Update
- I'm using TLS/SSL for communication and want to add additional level of encryption
