所以我现在正在开发一个移动应用程序,它将向使用 Django 构建的 REST API 发出请求。
为了保护 API,我计划使用私钥/公钥对身份验证系统。
我想到的工作流程是这样的:
现在我的问题在于步骤 3,其中必须以某种方式在移动应用程序和服务器之间共享私钥。如何安全地发送私钥?
I would start by asking why the server part of your app needs to know the private key. If it only wants to authenticate a user, it only needs the public key and the user id, and the user id cannot iself be the public key (you need a way to find out which public key to use).
For instance, the process of sharing the key, your step three, could look something like this:
Maybe the integration into Facebook is the part that makes this impossible. I do not quite understand how Facebook comes into this whole process.
One thing that can make the transfer of a key slightly more secure is to use multiple channels to transfer it.
For instance, your application could send the private key that was generated using your REST API but encrypting it with a symmetric encryption scheme. The symmetric encryption key can be sent via some other medium, such as email, or through SMS since this is a mobile app, or maybe even an automated phone call placed to a number provided by the registering user. The key can be a random passphrase that generates the actual symmetric encryption key, to make sure it is something that can be typed in by the user. Then, to unlock the app, the user needs to type in this passphrase into a screen and the secret key is unlocked.
Again, this only improves the security of the transfer by a small margin, especially considering the fact that if you can intercept the transmission of the private key, you can probably intercept the email containing the passphrase. In my opinion, not sending the private key to the server would not only be optimal but required.