# How to sign messages with Ruby's OpenSSL RSA algorithm

In this post I’ll talk about signing and verifying messages. Imagine that I’m building a chat application. Messages will be sent via a pub/sub system like Pusher or Pubnub. Here is a simple JSON message object:

```
{
"user_id": "123",
"message": "Hello world!"
}
```

The problem with this implementation is that any user can be impersonated by changing the `user_id`

. To solve this problem, each user can sign their messages with a key that only they poses. One way to build this is to use RSA, an asymmetric cryptographic algorithm. Asymmetric algorithms generate two keys: one public and one private. The private key is used for signing messages and the public key is used for verifying messages. Here is how to write it in Ruby:

First, each user needs a public and private key:

```
rsa_key = OpenSSL::PKey::RSA.new(2048)
private_key_pem = rsa_key.to_pem #=> "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqd9paLELcSsdMA....\n-----END PUBLIC KEY-----\n,
public_key_pem = rsa_key.public_key.to_pem #=> "-----BEGIN RSA PRIVATE KEY-----\nMIIEogaY4wKPUV31NCZ\nYrJs+g47/zzHV5GYx5/Wv4zRhDyTi95....\n-----END RSA PRIVATE KEY-----\n,
```

Once keys have been generated, a message can be signed using the private key.

```
private_key = OpenSSL::PKey::RSA.new(private_key_pem)
signature = private_key.sign(OpenSSL::Digest::SHA256.new, 'Hello world!') #=> "\x04\xEC\xCC?\xDE\x8F\x91>G\..."
```

After the signature has been generated it can be sent along with the message.

```
{
"user_id": "123",
"message": "Hello world!",
"signature": "\x04\xEC\xCC?\xDE\x8F\x91>G\..."
}
```

A user can verify any message signature using the senders public key.

```
public_key = OpenSSL::PKey::RSA.new(public_key_pem)
public_key.verify(OpenSSL::Digest::SHA256.new, signature, message) #=> true/false
```

If the decoded signature matches the message then `#verify`

will return true. If not, the user’s public key does not match the one used to sign the message.

Of course, there must be a mechanism for distributing public keys to all users. In the case of a chat application, there could be an API that returns a list of participants with their public keys.

### Subscribe to get articles like this in your inbox, every week.

You'll get my latest blog posts as well as article, book and podcast recommendations. All about tech.