I want to use asymmetric encryption of headers in RESTful requests to verify the identity of the system sending the request: i.e. System A encrypts its name, timestamp, and the service name using its public key in a request to System B. System B then uses the public key of System A to decrypt, proving the authenticity of the request.

1) Does php-mcrypt support this?

2) Has anyone benchmarked this type of operation?

+1  A: 

No, mcrypt is just symmetric block ciphers.

However the PHP OpenSSL extension supports asymmetric operations. The ones you want are openssl_sign and openssl_verify.

(You have a slight terminology issue - in asymmetric systems, encryption is done with public keys and decryption with private keys; signing is done with private keys and verification with public keys. Do not confuse signing with encryption or decryption - although the underlying operations are often similar, it is not the same thing, and the confusion can lead to insecure implementations).

Of course, you could just do your REST over SSL, using client certificates for authentication.

caf
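
The sign-and-verify flow the answer describes, as an added example that is not part of the original answer: System A signs its name, a timestamp and the service name with its private key, and System B verifies with System A's public key and rejects stale timestamps. The function names, the newline-separated layout of the signed string, the 300-second freshness window and the key pair generated in-process are assumptions made for illustration.

```php
<?php
// Added example. Function names, field layout and the freshness window are assumptions.

// Canonical string both sides sign/verify; field order and separator must match exactly.
function canonical(string $system, int $timestamp, string $service): string {
    return implode("\n", [$system, (string)$timestamp, $service]);
}

// System A: sign with its PRIVATE key; the base64 result travels in a request header.
function sign_request($privateKey, string $system, int $timestamp, string $service): string {
    $ok = openssl_sign(canonical($system, $timestamp, $service), $sig, $privateKey, OPENSSL_ALGO_SHA256);
    if (!$ok) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return base64_encode($sig);
}

// System B: verify with System A's PUBLIC key and bound the timestamp to limit replay.
function verify_request(string $publicKeyPem, string $system, int $timestamp,
                        string $service, string $sigB64, int $now, int $maxSkew = 300): bool {
    if (abs($now - $timestamp) > $maxSkew) {
        return false; // outside the freshness window
    }
    $sig = base64_decode($sigB64, true);
    if ($sig === false) {
        return false; // header is not valid base64
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error): accept only 1.
    return openssl_verify(canonical($system, $timestamp, $service), $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Demo with a constructed RSA key pair; in practice System B holds only the public PEM.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($key)['key'];
$now = time();
$sig = sign_request($key, 'system-a', $now, 'orders');

var_dump(verify_request($publicPem, 'system-a', $now, 'orders', $sig, $now));       // untampered request
var_dump(verify_request($publicPem, 'system-a', $now, 'billing', $sig, $now));      // service name altered
var_dump(verify_request($publicPem, 'system-a', $now, 'orders', $sig, $now + 900)); // replayed 15 minutes later
```

The signature only covers the three fields in the canonical string, so anything else in the request (body, other headers) is unauthenticated unless it is added to what gets signed.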