The basic idea is to encrypt the message from party 1 and sent to party 2 and the party 2 decrypts the messsage and verify they received message from the right party (ie. no man in middle attack is done)

For this we are going to choose RSA Key pairs (asymmetric Key Cryptography) to be generated by both parties for their identity. Refer OpenSSL for how to get RSA key pairs.

As the name suggests Public key is the key indented to be shared for communication and the private key is to be kept secret with themselves.

Party two share their public key to Party one and Party one will share their public key to Party two (for this sample we are not going to consider how they communicate it securely, we can consider this for now as done offline)

var msg = new Buffer('sample text');
var enc = crypto.publicEncrypt(public_party2, msg);

var signer = crypto.createSign('SHA256');
signer.update(msg.toString());
var sig = signer.sign(private_party1, 'hex');

We don't care how we do it for now. Lets consider Party 2 receives it

var clr = crypto.privateDecrypt(private_party2, enc);

Party 2 will get the clear text on decrypt. But still we aren't safe since we are not aware whether the Party 1 is sending the message. Since some man in middle who has Party 2's public key can still encrypt and send message by acting as Party 1.

 var verifier = crypto.createVerify('SHA256');
 verifier.update(clr.toString());
 var result = verifier.verify(public_party1, sig.toString(), 'hex');

Here the result will be true if Party 1 is the sender, since Party 1 alone owns their private key and the signature will be valid only for Party 1's public key pair.

All the security concept expained above are considered secure until they don't share their private key. In any case the private key is stolen or predicted, the security can be compromised. So never ever share private keys and keep it more secured.

The sample code is for demonstration purpose only feel free to use it at your own risk.