Socket Server with Encryption help
- From: "Andre Azevedo" <xpto@xxxxxxxx>
- Date: Wed, 8 Mar 2006 13:51:00 -0300
Hi all,

I've started to develop server and client socket classes with encryption.
The main communication/transport classes are working fine and now I will
write some encryption process.

After reading a lot of papers about Symmetric, Asymmetric, Hash, Envelope
and Signature I still have some doubts and I will explain what I am calling
the "Authenticate Flow" in client/server socket communication:

1. Client connects to Server and Server accepts the connection.
2. Server sends its encryption public-key to Client.
3. Client creates a new symmetric session-key, encrypts it using the Server
encryption public-key and sends it to Server plus the Client sign public-key.
4. Server decrypts the Client symmetric session-key and simply replies to Client,
telling "Ok, I have the symmetric session-key and your sign public-key".

Now, every time Client needs to send some data, it does the following:

5. Client encrypts data with symmetric session-key, signs (hashes) the result
with sign private-key. Client then sends the hash result and the encrypted
data to Server.
6. Server signs (hashes) the encrypted data with the same Client hash algorithm
and saves it in Hash1. Afterwards, it decrypts the sign (hash) sent by Client
using Client sign public-key to obtain the Hash2. If Hash1 and Hash2 are the
same, then it is the correct Client. Otherwise, it closes the connection.
7. If ok, Server then decrypts data with symmetric session-key.

Well, the questions now:

A - The hash algorithm is known by the Client and Server since it's my
implementation of both and I don't need to send the hash algorithm
information. Is this acceptable?
B - Sending the Client sign public-key to Server is ok. But, after that, I'm
sending some data using Client sign private-key to Server. Is this secure?
Is it a normal way to do it?
C - Do I need to do steps 5, 6 and 7 every time Client needs to send some
data to Server and vice-versa? Or are these steps executed only once, only
to certify the Client, and after that both sides can send messages encrypted
only with the symmetric session-key?

Sorry for the long post. Any help will be appreciated.

TIA,
--
Andre Azevedo
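
Steps 5 to 7 of the flow described above, written out as an added example in Go; it is not part of the original post or of the poster's classes. The post names no algorithms, so AES-256-GCM for the session cipher, RSA PKCS#1 v1.5 over SHA-256 for the signature, the function names and the fixed demo key are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Step 5: encrypt under the session key, then sign the hash of the ciphertext.
func seal(aead cipher.AEAD, signKey *rsa.PrivateKey, msg []byte) (ct, sig []byte, err error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct = aead.Seal(nonce, nonce, msg, nil) // nonce || ciphertext || tag
	h := sha256.Sum256(ct)
	sig, err = rsa.SignPKCS1v15(rand.Reader, signKey, crypto.SHA256, h[:])
	return ct, sig, err
}

// Steps 6-7: verify the signature first; decrypt only if it checks out.
func open(aead cipher.AEAD, verifyKey *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	h := sha256.Sum256(ct)
	if err := rsa.VerifyPKCS1v15(verifyKey, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	if n := aead.NonceSize(); len(ct) >= n {
		return aead.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, fmt.Errorf("message shorter than nonce")
}

// demo runs one round trip and one tampered copy with throwaway keys (constructed input).
func demo() (plain string, tamperErr error) {
	signKey, _ := rsa.GenerateKey(rand.Reader, 2048) // client sign key pair
	block, _ := aes.NewCipher(make([]byte, 32))      // all-zero stand-in for the step 3-4 session key
	aead, _ := cipher.NewGCM(block)
	ct, sig, _ := seal(aead, signKey, []byte("hello server"))
	pt, _ := open(aead, &signKey.PublicKey, ct, sig)
	ct[len(ct)-1] ^= 1 // one bit flipped in transit
	_, tamperErr = open(aead, &signKey.PublicKey, ct, sig)
	return string(pt), tamperErr
}

func main() { fmt.Println(demo()) }
```

The sketch starts after step 4, so it does not cover how the Client knows that the public key received in step 2 really belongs to the Server.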