I am using Ruby on Rails 3 and I would like to send 'email' and 'password' values (I know, I should not, but I need that) over the HTTP protocol. I need to send user credentials from a my client application to a my service application*.

I can use a public a private RSA key to accomplish that but, if so, I must don't send the public key to the recipient over HTTP, otherwise an hacker can steal the key and decrypt contents. On other hands, the HMAC encryption (if I understood that) is good only to verify the data integrity and the authenticity of a message.

I heard of AES... is it good for my purposes? If so, where I can find a tutorial on how to use that with Ruby\Ruby on Rails? I "simply" need to encrypt user credentials on the client side and decrypt that on the server side.

P.S. I: If I'm wrong about something I wrote, let me know.

P.S. II: If you suggest other methods, let me know!

UPDATE I

*The client is a web application (a site web, for example 'www.site1.com), the server is another web application (another site web, for example 'www.site2.com).

UPDATE II

Using RSA encryption...

Client-I-service steps:

1. Client generates public\private key paris

2. I (a real person) copy-paste manually the public key from the client to the service

3. Client sends to the service the message including encrypted user credential (client doesn't send\append the public key to the HTTP request)

4. Service, using the public key (that only the service knows), decrypts user credentials and proceed to the login of the user

Now, if I send the public key instead of doing the step 2, and so the client must send the public key in step 3 over the HTTP protocoll, an hacker can

1. intercept the message

2. take the public key

3. decrypt the user credentials and steal those

So, should I encrypt user credential (those are important and private information) using a RSA encryption if I send the public key to the service?

I can use a public a private RSA key to accomplish that but, if so, I must don't send the public key to the recipient over HTTP, otherwise an hacker can steal the key and decrypt contents.

1) Send the public key to the recipient over HTTP.
2) The client uses it to encrypt the data.
3) No hacker can decrypt the contents with the public key.
4) In your server, use the private key do decrypt the contents.

Example: Encrypting Sensitive Data with Ruby (on Rails)

"In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt."

EDIT

Background:

• The public key is used to and only to encrypt data.
• The private key is used to and only to decrypt data.

If a hacker intercepts the public key, the only thing she can do is encrypt data.
Even HTTPS works this way.

Obs: Only the server should know the private key.

Obs2: By all means, try to enable HTTPS. It will make your life far easier.

HTTPS with TLS/SSL.

http://en.wikipedia.org/wiki/Https

This is a solved problem.