How to encrypt data being sent using API

Question

I am developing a project using APIs. Now I am trying to encrypt the data so no one can edit it. I thought of using a public key to encrypt data and a private key to encrypt both public key and the (encrypted Data). But I couldn't send this encrypted data using the API uri since it contains '/' character.
What is the best way to to encrypt my JSON data so no one can edit it?
Here is an example of the Json:

{
        "Name": "HP Laptop",
        "Category": "Laptop",
        "Price": 300,
        "Currency": "OMR",
        "details": "core i 5 ",
        "productID": 1,
        "Quantity": 10
    }

Can you please show us post method? If you add your encrypted string request body then, there will not be any url issue.. Okay please show us your method. — Power Star, Jul 31 '17 at 09:28
If the issue is just a / in the data then did you encode it using System.Uri.EscapeDataString() ? — jason.kaisersmith, Jul 31 '17 at 09:28
You can encode data with base64 [How do I encode and decode a base64 string?](https://stackoverflow.com/questions/11743160/how-do-i-encode-and-decode-a-base64-string) (in C#) and in javascript you use atob or btoa functions. — jcubic, Jul 31 '17 at 09:29
in fact i tried to encrypt and decrypt using the code here > https://stackoverflow.com/questions/26305650/system-security-cryptography-cryptographicexception-when-wrong-password-given @PowerStar — Mohammed AlAamri, Jul 31 '17 at 09:39
Who are you trying to prevent from editing it? Hackers? Admins of the server? The user whose browser is creating the data? — Quentin, Jul 31 '17 at 09:48
@jcubic — That isn't encryption! It's there to transfer binary data over ASCII protocols. It provides zero security. — Quentin, Jul 31 '17 at 09:48
@Quentin I know but OP said that he already have encryption. — jcubic, Jul 31 '17 at 09:57
@jcubic Default Base64 is not enough. It's important to use either a url-safe Base64 alphabet or additionally use urlencoding on the Base64-encoded string, because the default Base64 alphabet contains `/` and `+`. — Artjom B., Jul 31 '17 at 17:46
@MohammedAlAamri Encryption doesn't prevent somebody from editing existing ciphertext in some way. Many ciphers and public key cryptosystems are malleable. You need to use an authenticated encryption scheme (either signature or MAC). You really should use something like libsodium, because it contains everything you need in a single package. — Artjom B., Jul 31 '17 at 17:47

Tr1gZer0 · Answer 1 · 2017-07-31T10:08:44.850

For any security protocol it's always best to stick to standards. Never try to invent your own protocol.. You may end up doing more harm than good. If this data is over HTTP, then feel free to use SSL (HTTPS) to guard against MiTM attacks, e.g. eavesdropping and tampering. However, I think you are looking for something different.

While SSL should ensure that the data is not tampered with on travel, you may be performing this operation yourself, e.g., someone hands you some data and you are unsure that it has not been tampered with. To do this operation free to leverage a digital signature of that data, where the private key of the digital signature is held by you.

Something like this:

Generate key pair (private, public).
Sign the json with the private key Sign(json, private) -> signedDocument.
Now, later when you want to verify that no one has tampered with it: Verify(public, signedDocument, json) = True if the document has not been tampered with (with extremely high probability) and False if the document has been tampered with (again with probability being extremely high).

Here is great first read on digital signatures for the reasonably technically inclined: https://en.wikipedia.org/wiki/Digital_signature

I believe this might be a good place to get started for JS: http://www-cs-students.stanford.edu/~tjw/jsbn/ (I expect Stanford to do a decent job at implementing RSA, but feel free to look around for something more standard.. if this was Java, then it might be easier... Maybe write a CryptoWebServer to support this operation?)

For further reference, I believe this library is now maintained here: https://github.com/kjur/jsrsasign/wiki/Tutorial-for-Signature-class

I've taken an example of signing+verifying directly from the Library's tutorial. Please note this only solves the problem of signing and verifying, you still need to generate public/private key pairs.

Signing message 'aaa' (you would use a .json payload here):

// initialize
var sig = new KJUR.crypto.Signature({"alg": "SHA1withRSA"});
// initialize for signature generation
sig.init(rsaPrivateKey);   // rsaPrivateKey of RSAKey object
// update data
sig.updateString('aaa')
// calculate signature
var sigValueHex = sig.sign()

Here is a example for signature validation:

// initialize
var sig = new KJUR.crypto.Signature({"alg": "SHA1withRSA"});
// initialize for signature validation
sig.init("-----BEGIN CERTIFICATE-----(snip)"); // signer's certificate
// update data
sig.updateString('aaa')
// verify signature
var isValid = sig.verify(sigValueHex)

thanks my friend, I am new with cryptography so I am facing a lot of difficulties. However, I believe that you are hitting the point so can you help me plz to finding a source to learn how to do that solution you suggest? — Mohammed AlAamri, Jul 31 '17 at 09:44
@MohammedAlAamri Please feel free to check out that GitHub link sent. They have excellent classes for creating and verifying the signature. You will need to dig a bit deeper on how to generate your private and public key pairs. I would generally do this with `ssh-keygen`. Keep your private key hidden from public eyes! You do not need to encrypt the public key.. share it with anyone! — Tr1gZer0, Jul 31 '17 at 09:48

How to encrypt data being sent using API

1 Answers1