RSAEncrypter not accepting private key
Issue #73
invalid
Hi,
Is there a reason why RSAEncrypter does not accept an RSAPrivateKey parameter?
I am facing a situation where the OAuth token should be an encrypted, self-contained bearer token. I want to encrypt with a single private key as an emitting authority, but the token needs to be decrypted by anyone who owns the public key.
I'm wondering why the API doesn't allow this, even though the Java cryptography API does. Is there a security concern with this approach?
Comments (2)
- changed status to invalid
Hi Jozsef,
Citing from http://en.wikipedia.org/wiki/RSA_%28algorithm%29#Key_generation
RSA involves a public key and a private key. The public key can be known by everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key.
To encrypt the OAuth token the issuing authority must use the public RSA key of the token recipient. The recipient can then decrypt it with their private RSA key. The problem of this approach is that you must encrypt for each recipient individually, or let the recipients share the same private RSA key.
In our OAuth 2.0 server we only sign the issued tokens, which doesn't hide their content, but it does allow them to be verified by anyone holding the public RSA key of the server.
An alternative solution is to have a shared key between server and recipients, and for that the DirectEncrypter / Decrypter can be used.
I hope that helps.
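The three options the reply describes (sign with the server's private key, encrypt to each recipient's public key, or encrypt under a shared key with DirectEncrypter), as an added worked example in Java against the nimbus-jose-jwt API. This is not code from the issue or from the project's own documentation; it assumes a recent library version (the RSA_OAEP_256 and A128GCM/A256GCM identifiers postdate this thread) and generates throwaway keys in-process. The signed JWT is nested inside the JWE so that the recipient can both read the claims and check that the issuing server produced them, which is what the original request was really after.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Added example (not the project's own code): issuing a token the three ways the reply describes.
public class TokenIssuerDemo {

    static KeyPair rsaKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // 1. Server signs with ITS OWN private key; anyone holding the server's public key can verify.
    //    The content is not hidden, only its origin is attested.
    static String signToken(RSAPrivateKey serverPriv, JWTClaimsSet claims) throws JOSEException {
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(serverPriv));
        return jwt.serialize();
    }

    static boolean verifyToken(RSAPublicKey serverPub, String token) throws Exception {
        return SignedJWT.parse(token).verify(new RSASSAVerifier(serverPub));
    }

    // 2. Server encrypts with the RECIPIENT's public key; only the recipient's private key decrypts.
    //    RSAEncrypter takes an RSAPublicKey; handing it a private key is a compile error by design.
    static String encryptForRecipient(RSAPublicKey recipientPub, String signedJwt) throws JOSEException {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A128GCM)
                .contentType("JWT") // nested JWT: signed token inside, encryption outside
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(signedJwt));
        jwe.encrypt(new RSAEncrypter(recipientPub));
        return jwe.serialize();
    }

    static String decryptAsRecipient(RSAPrivateKey recipientPriv, String jweCompact) throws Exception {
        JWEObject jwe = JWEObject.parse(jweCompact);
        jwe.decrypt(new RSADecrypter(recipientPriv));
        return jwe.getPayload().toString();
    }

    // 3. One symmetric key shared between server and all recipients ("dir" + A256GCM, 32-byte key).
    static String encryptDirect(byte[] sharedKey, String signedJwt) throws JOSEException {
        JWEObject jwe = new JWEObject(new JWEHeader(JWEAlgorithm.DIR, EncryptionMethod.A256GCM),
                                      new Payload(signedJwt));
        jwe.encrypt(new DirectEncrypter(sharedKey));
        return jwe.serialize();
    }

    static String decryptDirect(byte[] sharedKey, String jweCompact) throws Exception {
        JWEObject jwe = JWEObject.parse(jweCompact);
        jwe.decrypt(new DirectDecrypter(sharedKey));
        return jwe.getPayload().toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPair server = rsaKeyPair();     // issuing authority
        KeyPair recipient = rsaKeyPair();  // one resource server that will consume the token
        byte[] sharedKey = new byte[32];   // constructed shared secret for option 3
        new SecureRandom().nextBytes(sharedKey);

        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://auth.example.test")   // hypothetical issuer
                .subject("user-42")
                .expirationTime(new Date(System.currentTimeMillis() + 600_000L))
                .claim("scope", "read")
                .build();

        String signed = signToken((RSAPrivateKey) server.getPrivate(), claims);
        System.out.println("JWS verifies with server public key: "
                + verifyToken((RSAPublicKey) server.getPublic(), signed));

        String jweRsa = encryptForRecipient((RSAPublicKey) recipient.getPublic(), signed);
        String innerRsa = decryptAsRecipient((RSAPrivateKey) recipient.getPrivate(), jweRsa);
        System.out.println("Nested JWT (RSA-OAEP) round-trips and still verifies: "
                + verifyToken((RSAPublicKey) server.getPublic(), innerRsa));

        String jweDir = encryptDirect(sharedKey, signed);
        String innerDir = decryptDirect(sharedKey, jweDir);
        System.out.println("Nested JWT (dir) round-trips and still verifies: "
                + verifyToken((RSAPublicKey) server.getPublic(), innerDir));
    }
}
```

Two points worth keeping in mind when choosing between these. "Encrypting with the private key" is not confidentiality at all: the public key is, by definition, public, so anyone could undo it; what that operation really is, is a signature, which is why the library only exposes it as RSASSASigner. And in the shared-key (dir) variant every recipient holding the key can also forge tokens, so the inner signature is what actually binds the token to the issuing server; decrypting the JWE and then verifying the nested JWS, as main() does, is the check a recipient should perform rather than trusting a successful decryption alone.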