I have 2 servers that communicate each other in HTTP and they are both behind an API gateway. Between the servers and their API gateways the communication is in HTTPS with mutual authentication using certificates, and the same between the 2 API gateways. Considering that the data is very sensitive this is not enough, because I want to avoid that someone can read it when it is in clear-text on the API gateways. So I was thinking about an E2EE protocol to encrypt the body of HTTP messages between the 2 servers. Another important point is that I would like to use an ephemeral key, different for every session.
I know PGP but I don't like the fact that the ephemeral encryption key is sent through the network. I'm reading about the Signal Protocol because I think that my situation is more or less what happens in WhatsApp or Signal itself, but maybe this is even too much for my specific case.
I was also thinking about to implement RSA because I would have the following advantages:
- E2E authentication, because RSA sends the parameters signed with the recipient public key, and in my case the other sender/receiver is known, so we can exchange the public keys "in person".
- Ephemeral key generation without sending it in the network, then the HTTP body can be encrypted with AES using this ephemeral key.
With this solution I should implement the RSA session initialization via HTTP (e.g. exchanging parameters in HTTP variables) so I'm a little afraid because it doesn't seem a good idea to reinvent the wheel, I would prefer to rely on known and tested libraries. Is there something already implemented or some "standard" solution?
In general, what do you think? Any suggestion?
