I want to send data from server software to client software, encrypted in such a way that only the server (private software) could have encrypted that specific data, but any client can decrypt it.
At first I thought RSA would be a solution, but as I understand it I want to use it backwards: I could encrypt data with the public key on the server, and decrypt on the clients with the private key. That would work fine, except someone could derive the public key from the private key. Is that correct? If so, is there an alternative option?
Thanks in advance.
What you want to do is to digitally sign the data the server sends. All clients can verify this digitial signature to prove that only the server could have created it.
Here's how it works: Your server computes a hash of the data and encrypts the hash using some private key on the server (The Signing Key). Then the server sends the message (in plain text) and the hash to then client. When the client gets the two pieces of data, they decrypt the encrypted hash using the server's public key (The Verify Key). Now the client can compute the hash of the plain text message themselves, and compare that to the hash the server sent. If the two hashes match, then the client knows that the message must have come from the server and no one else.
Note: You are sending the message in plain text, so there is no confidentiality in this system. This signing mechanism only guarantees integrity and authenticity. If you need confidentiality as well, you can use traditional encryption to encrypt the message instead of sending it in plain text.
TLS does this sort of thing, so you might consider using it as a data channel.