Hello
My product needs to send data from server A to server B. Where server A will host the main product, and server B will store info about the users etc.
Few points to note:
How to achieve the above?
Thanks for any help.
You can use OpenSSL PHP extension
It allows to encrypt and decrypt data using public and private keys stored on both servers
ok but How do I make sure the request is coming from Server A and not Server Z?
Server Z must know your RSA public key to send correct message.
Also you can add additional signature with another key, for example:
Server A:
Server B:
Thank you so much for the detailed explanation. I ahve few queries, kindly reply.
a). Where does the generation of private/public key happen? because I believe the private/public key are generated by only 1 source? Or am I missing something here?
b) How would server B know the secret key? Or you mean both server A and server B will store a common secret key?
These keys generated just once and stored on each server. (Public key on Server A and Private key on Server B). To generate them you can use ssh-keygen tool on Linux or even online generator.
It should be hardcoded on both servers. Like $secret_key = 'sdfsdfwessf'; at the beginning of the file.
These keys generated just once and stored on each server. (Public key on Server A and Private key on Server B). To generate them you can use ssh-keygen tool on Linux or even online generator.
Wouldnt it be safe to generate the public/private key on every request? That way if a public key is leaked somehow, it cannot be reused.
It should be hardcoded on both servers. Like $secret_key = ‘sdfsdfwessf’; at the beginning of the file.
is hardcoding the right approach? Shouldnt dynamic secret keys be more safer?
You can’t generate them separately. They must be generated as pair.
I don’t think so. If someone will get your source code where secret key is stored that means he also can see an algorithm of dynamic generation. So no matter how this key is produced (statically or dynamically). You just should make it safe. Another problem with dynamic generation is how to sync result key between two servers.
You can’t generate them separately. They must be generated as pair.
Yes i know, and thats what my question is. I was asking if a new pair can be generated on every request, will that be safe?
Again, if someone will hack your server then he’ll see how you generate that pairs.
And no matter what he’ll actually do - just copy existing key or use your algorithm to generate new one.
This is a question of server security.
Hmm, understood. So basically you are saying that just one pair of Public/Private key is safe enough for the lifetime of the application?
Wouldn’t it be kind of like passwords? i.e. a good idea to change them once in a while
I think so. But i’m not an expert so you could ask someone more professional in cryptography than me 
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.