3
Can RSA be used for web API authentication?
(lemy.lol)
I need to
- encrypt JSON payload (not just sign)
- not share private key
- verify the payload is generated with the shared public key and RSA fitting all of these.
As I've only made auth with JWT so far, I'm not sure. If I use RSA, I guess I have to put the encrypted text in the body.
Do you think it can be used? Any other suggestions?
Sounds like you’re proposing WebAuthn which already exists. Keep in mind that there are attacks against RSA with PKCS1 padding. I’d use a more secure cryptographic primitive than RSA (I.e. elliptic curves) - there’s a reason cryptographic experts don’t look towards RSA these days.