Tuesday, 24 February 2015

Client-specific keys and certificates

I have clients that communicate with my server. Clients send their unique id (GUID) to the server with each request over a secure HTTPS channel. Also, to increase security, I use my own private-public key pair to encrypt requests and responses.


If someone finds this public key (it ships with the client software) and reverse-engineers the software, I think they can send handmade requests with a custom id. I want to prevent this kind of attack. I have a couple of questions:

  • Is generating a private-public key pair for each client a good practice? Since every client sends its requests with its own public key, it will be easy to detect this kind of anomaly.

  • Is it possible to give clients certificates that identify only them? I see this client certificate thing everywhere, but there is no clear explanation. Can you guys explain to me how client certificates work? I think this is what I need, but I have no idea about it.


Thank you for your answers, and I'm sorry if I'm not clear enough.
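As an added illustration (not part of the original post), the Go program below shows how client certificates answer both questions at once: a private CA issues one certificate per client, the server requires a certificate chaining to that CA during the TLS handshake (mutual TLS), and the handler then trusts the identity in the verified certificate rather than the id carried in the request. Everything here is constructed for the demo: the CA name, the client names `client-A` and `client-B`, the `X-Client-Id` header standing in for the GUID the poster sends, and the in-process server on loopback. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a key pair for cn and a certificate over it signed by parent's key; with a
// nil parent the certificate is self-signed and marked as a CA. Panics are fine in demo setup.
func issue(cn string, usage x509.ExtKeyUsage, ips []net.IP, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // a real CA must guarantee uniqueness
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	signer := parent
	if parent == nil { // root CA: the only key that may sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		signer = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Leaf, &key.PublicKey, signer.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer runs an HTTPS server that requires a client certificate chaining to ca and
// binds each request to the identity in that certificate, not to a header the client chooses.
func startServer(ca, serverCert *tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claimed := r.Header.Get("X-Client-Id")                 // what the request says
		proven := r.TLS.PeerCertificates[0].Subject.CommonName // what the client proved it holds the key for
		if claimed != proven {
			http.Error(w, "client id does not match certificate", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", proven)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{*serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// request sends one GET claiming claimedID in a header, presenting cert when non-nil. It returns
// the HTTP status line, or the transport error text when the TLS layer refused the client.
func request(url string, ca, cert *tls.Certificate, claimedID string) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cfg := &tls.Config{RootCAs: pool} // trust only the private CA for the server's certificate
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	req, _ := http.NewRequest(http.MethodGet, url, nil) // url comes from httptest, always well-formed
	req.Header.Set("X-Client-Id", claimedID)
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Do(req)
	if err != nil {
		return err.Error()
	}
	resp.Body.Close()
	return resp.Status
}

// RunDemo builds a private CA, issues one server and two client certificates, and returns what an
// honest client, a client forging another id under its own valid certificate, and a client with
// no certificate each get back.
func RunDemo() (honest, spoofed, noCert string) {
	ca := issue("Demo Client CA", x509.ExtKeyUsageAny, nil, nil)
	server := issue("api.example.test", x509.ExtKeyUsageServerAuth, []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, ca)
	clientA := issue("client-A", x509.ExtKeyUsageClientAuth, nil, ca)
	clientB := issue("client-B", x509.ExtKeyUsageClientAuth, nil, ca)
	srv := startServer(ca, server)
	defer srv.Close()
	honest = request(srv.URL, ca, clientA, "client-A")
	spoofed = request(srv.URL, ca, clientB, "client-A") // real key, forged id: rejected by the handler
	noCert = request(srv.URL, ca, nil, "client-A")      // no key at all: rejected in the handshake
	return
}

func main() { fmt.Println(RunDemo()) }
```

The comparison in the handler is the point of the whole setup: the id the client sends is just data anyone can type, while the common name comes from a certificate the client proved it holds the private key for during the handshake. Each client's private key is generated for that client alone and never ships inside a shared binary, so extracting the server's public key from the software gives an attacker nothing to impersonate another client with, and a single compromised client can be revoked at the CA without touching the others.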