Digital digest in Rails

Rails
1

Hi guys,

I need a secure data transfer mechanism between my server (APIs and
normal HTMLs) and clients (normal users or other servers).

Is digital digest using Hash + public and private keys mechanism a
correct way?

Is there any tutorial or pointer in setting up digital digested return
for my server responses?

Any help is appreciated!
Arthur

2

Arthur C. wrote:

Hi guys,

I need a secure data transfer mechanism between my server (APIs and
normal HTMLs) and clients (normal users or other servers).

Is digital digest using Hash + public and private keys mechanism a
correct way?

Is there any tutorial or pointer in setting up digital digested return
for my server responses?

Why can’t you use SSL/TLS? It would be a lot less effort than rolling
your own.

3

Hi Robert,

Thanks for the info first.

Actually, I have the question after reading “Php and Web development
4th edition” (Addison-Wesley) p354:

Digital Signatures Digital signatures are related to public key cryptography but reverse the role of public and private keys.A sender can encrypt and digitally sign a message with her secret key. When the message is received, the recipient can decrypt it with the sender’s public key. Because the sender is the only person with access to the secret key, the recipient can be fairly certain from whom the message came and that it has not been altered. Digital signatures can be really useful.The recipient can be sure that the message has not been tampered with, and the signatures make it difficult for the sender to repudiate, or deny sending, the message. It is important to note that although the message has been encrypted, it can be read by anybody who has the public key.Although the same techniques and keys are used, the purpose of encryption here is to prevent tampering and repudiation, not to prevent reading. Because public key encryption is fairly slow for large messages, another type of algo- rithm, called a hash function, is usually used to improve efficiency.The hash function calculates a message digest or hash value for any message it is given. It is not important what value the algorithm produces. It is important that the output is deterministic—that is, that the output is the same each time a particular input is used, that the output is small, and that the algorithm is fast. The most common hash functions are MD5 and SHA. A hash function generates a message digest that matches a particular message. If you have a message and a message digest, you can verify that the message has not been tam- pered with, as long as you are sure that the digest has not been tampered with.To this end, ** the usual way of creating a digital signature is to create a message digest for the whole message using a fast hash function and then encrypt only the brief digest using a slow public key encryption algorithm.The signature can now be sent with the message via any normal unsecure method.**

When a signed message is received, it can be checked.The signature is
decrypted using the sender’s public key.A hash value is then generated
for the message using the same method that the sender used. If the
decrypted hash value matches the hash value you generated, the message
is from the sender and has not been altered.

I don’t understand how to work with the “**… **” parts in Rails

Then the book goes on next section: “Digital Certificates” which
should be the SSL. Therefore, as the books separate the idea. So I
don’t know whether I should implement both.

Indeed, as I remembered, mostly, the session keys sensitive items
should be using https, e.g. login, signup.

Please correct me if I am wrong.

Thanks a bunch.
Arthur

4

More info from the book for the question:

It said that SSL is a layer between Transport Layer (TCP/udp) and
Application Layer.

And it seems that the digital signatures is in the Application Layer.

Agreed?

Arthur