views:

30

answers:

3

I have to implement something similar to PayPal IPN / Return URL. In my scenario , PayPal Gateway => My Server && Online Store => My Customer

I have to push a very small piece of information through the Return URL in an encrypted format. I would like to generate something like Public Key and Private Key for each customer, and give the Private Key to them. The info will be encrypted using the Public Key at my server and sent via URL.

The developer managing the customer's site would have to use his Private key to decode the information and do some stuff based on that.

Which is the best encryption available on popular languages by default so that the life of the developers at my customer's end is made simpler.

A: 

You should do RSA Encryption. Thats basically the standard and all languages have some sort of package for it.

PyCrypto in python

PHP has it builtin

Java Example

JiminyCricket
A: 

For C, C++ and other languages supporting C-calls, you should look at the OpenSSL library. But first consult the manual to see if no encryption is already included in your languages native system libraries.

UnixShadow
A: 

You've got it backwards. Each customer generates a keypair and sends their public key to you.

You also generate a keypair and send your public key to them.

Then you encrypt with their public key and sign with your private key (or in the reverse order), and they verify with your public key and decrypt with their private key. They know you generated it, and they are the only ones who can decrypt it.

Of course, all this RSA and padding makes everything huge. Ugh. It's far more common to set up a shared secret, and then just encrypt and MAC. If you're going to do this, you should be using AES.

In fact, the usual way to use RSA is to encrypt a symmetric key and sign a hash, so you should be using AES regardless.

Ultimately, secure protocol design is hard. Have you thought about replay attacks?

tc.