I developed a simple application that does not use (at least at the beginning) any third-party authorization. I want to create a RESTful api for use by iOS / Android / by any clients, so I read a bunch of information about the implementation of the RESTful API. However, conventional ways to implement them include sending a kind of secure "token" that is used to sign requests; this leaves the API vulnerable to a man-in-the-middle attack, and it is recommended to use it for HTTPS.
However, reading all this, I wondered why private / public keys (for example, RSA) are not used for this. Thus, the client will generate private and public keys from the password, send the public key during registration and store the private key on the client, and even if someone takes possession of all messages between the server and the client, t be able to impersonate the client.
But I know almost nothing about cryptography and security, so there must be reasons why this method is not used, which I could not think of, right?
source
share