私钥和公钥
[英]Private and Public Key
问题描述
When I create a user I will create a private and public key. 
创建用户时,我将创建一个私钥和公钥。 The public key is the token id for the user. 公钥是用户的令牌ID。 The private key will be used for encrypt and decrypt of data. 私钥将用于加密和解密数据。
When the user login, my Android app will call a REST Web Service and after validation will return the private and public key. 当用户登录时,我的Android应用将调用REST Web服务,并在验证后返回私钥和公钥。 Then using private key the app can create a signature. 然后,使用私钥,应用可以创建签名。
Is this a correct way? 这是正确的方法吗? I am just using HTTP not https. 我只是使用HTTP而不是https。
2 个解决方案
解决方案1
3 2013-07-11 08:19:35
Is this a correct way?
No. 没有。
I am just using HTTP not https.
Why? 为什么? I can't see why you don't just use HTTPS like everybody else. 我不明白为什么您不像其他所有人一样使用HTTPS。 It's a solved problem. 这是一个已解决的问题。
To correct your mis-statements: 要更正您的错误陈述:
- The private key is used to decrypt data only, and create digital signatures. 私钥仅用于解密数据并创建数字签名。
- The public key is used to encrypt data and verify digital signatures. 公钥用于加密数据和验证数字签名。
- The public key is of no use as a user token, because it is, err, public. 公用密钥没有用做用户令牌,因为它是公共的。
You need to learn a lot more about PKI than you presently appear to know. 您需要学习的知识远不止目前。
解决方案2
2 2013-07-11 08:03:57
The short answer: No 简短的回答:否
First you are transmitting an private key over unprotected HTTP. 首先,您正在通过不受保护的HTTP传输私钥。
Second it is totally unclear what you want to achieve using a public/private key. 其次,还不清楚您要使用公钥/私钥来实现什么。 From your description I read that you want to use it for authentication and signature. 从您的描述中,我读到您想将其用于身份验证和签名。 But why is the private key stored on the server? 但是为什么私钥存储在服务器上?
usually it is the other way around: The client has public and private key. 通常情况是相反的:客户端具有公钥和私钥。 It sends the public key to anybody who wants but th private key NEVER LEAVES THE DEVICE ! 它会将公钥发送给任何想要的人,但私钥永远不会离开设备 !
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.