What is the best way to verify the authenticity of the downloaded file in server-to-server scenario?
Possible option: Generate checksum and then compare it. But how can servers then securely exchange the hashes for matching, if the network is assumed to be compromised?
Are there any other ways to verify authenticity? I’ve read about signatures, but don’t really undestand how they work. Is it something to consider?
I am trying to make sure that no one has tampered with files. Any advise or tips greatly appreciated!
Edit: I do use HTTPS for the traffic between servers, but would like to rely on alternative methods too.
I do use HTTPS for the traffic between servers, but would like to rely on alternative methods too.
HTTPS does protect the communication but not the authenticity of the message. So you are doing the right thing looking ways to authenticate the message.
I suggest you sign the file with the sender's private key and validate the signature at the destination with the public key. Deploy the public key on the server manually before going live so that it cannot be spoofed in transfer.
So in practice one simple working solution would be to use ECDSA or RSA (PSS) signing algorithm to sign a secure hash of the file (e.g. SHA-256).
Another approach could be to use HMAC if you can protect the key on both ends.