I have a REST API which clients connect over SSL (self signed cert 2048bit)
I was thinking of implementing the following security
- The client requests a RSA public key from the server
- Encrypts the username / password
- Adds these to the header of EVERY REST call allowing the server to be stateless
The application involves users adding credit cards (the numbers themselves are encrypted) and purchasing products so security is critical
We also have very limited time from a iphone client point of view so I was hoping if the above would be suitable?
Usually, when it comes to security, one doesn’t want to reinvent the wheel. It’s way better to use state-of-the-art technologies, so you’ll benefits from others’ (likely more skilled than you) work.
If you have a RESTful API on SSL, I don’t think you have written your own custom TCP protocol. Likely you’ll use HTTP, so since it’s on SSL, you are on HTTPS.
When using HTTPS, your browser makes sure that the request is signed and encrypted so that only the other end (the service) can authenticate the client and decrypt the message. So there is no need to encrypt data and using custom headers. A simple cookie-based session is enough so you don’t send users’ passwords in every request.