Securing data from one server to another

Hello

My product needs to send data from server A to server B. Where server A will host the main product, and server B will store info about the users etc.

Few points to note:

  1. The data content may change in each request.
  2. Server B needs to make sure that the date is coming from server A and not any other source.
  3. The data should be encrypted from server A and decrypted in server B

How to achieve the above?

Thanks for any help.

You can use OpenSSL PHP extension
It allows to encrypt and decrypt data using public and private keys stored on both servers

ok but How do I make sure the request is coming from Server A and not Server Z?

Server Z must know your RSA public key to send correct message.
Also you can add additional signature with another key, for example:

Server A:

  1. Create message
  2. Make signature with md5(message + secret_key) and add it to original message
  3. Encrypt result with RSA public key
  4. Send to Server B

Server B:

  1. Receive message
  2. Decrypt with RSA private key
  3. Extract signature from message
  4. If md5(message + secret_key) != signature from original message then message is invalid
  5. Else message is valid

Thank you so much for the detailed explanation. I ahve few queries, kindly reply.

a). Where does the generation of private/public key happen? because I believe the private/public key are generated by only 1 source? Or am I missing something here?

b) How would server B know the secret key? Or you mean both server A and server B will store a common secret key?

These keys generated just once and stored on each server. (Public key on Server A and Private key on Server B). To generate them you can use ssh-keygen tool on Linux or even online generator.

It should be hardcoded on both servers. Like $secret_key = 'sdfsdfwessf'; at the beginning of the file.

These keys generated just once and stored on each server. (Public key on Server A and Private key on Server B). To generate them you can use ssh-keygen tool on Linux or even online generator.

Wouldnt it be safe to generate the public/private key on every request? That way if a public key is leaked somehow, it cannot be reused.

It should be hardcoded on both servers. Like $secret_key = ‘sdfsdfwessf’; at the beginning of the file.

is hardcoding the right approach? Shouldnt dynamic secret keys be more safer?

You can’t generate them separately. They must be generated as pair.

I don’t think so. If someone will get your source code where secret key is stored that means he also can see an algorithm of dynamic generation. So no matter how this key is produced (statically or dynamically). You just should make it safe. Another problem with dynamic generation is how to sync result key between two servers.

You can’t generate them separately. They must be generated as pair.

Yes i know, and thats what my question is. I was asking if a new pair can be generated on every request, will that be safe?

Again, if someone will hack your server then he’ll see how you generate that pairs.
And no matter what he’ll actually do - just copy existing key or use your algorithm to generate new one.
This is a question of server security.

Hmm, understood. So basically you are saying that just one pair of Public/Private key is safe enough for the lifetime of the application?

Wouldn’t it be kind of like passwords? i.e. a good idea to change them once in a while

I think so. But i’m not an expert so you could ask someone more professional in cryptography than me :smiley:

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.