Re: Socket Server with Encryption help
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 8 Mar 2006 17:11:59 +0000 (UTC)
do you know that .NET 2.0 has support for secure channels and the NTLM, Kerberos and SSL authentication protocols?
from your post i can see that you don't have a lot of experience with crypto and secure channels?
have you read schneier/ferguson "Practical Cryptography" ?
I am sure that Valery will also provide you with more links and pointer than you can ever read :))
in general i would not recommend building your own authentication / secure communication system if you don't really have to.
It also depends how secure this protocol should be....
from what i can see you are trying to build something similar to SSL...
2/3/5. public key? so you are planning to use raw keys? how will this be protected against man in the middle attacks? You would have to use some king of trust concept, like in X509 Certificates or some other form of secure key exchange - but you can't guarantee that just with raw keys.
I am not really a crypto expert- but i can tell that won't work - again - if valery picks this up, you'll get extra special treatment :)
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi all,
I've started to develop a server and client socket classes with
encryption.
The main communication/transport classes is working fine and now I
will
write some encryption process.
After reading a lot of papers about Symmetric, Asymmetric, Hash,
Envelope
and Signature I still have somes doubts and I will explain what I
calling
the "Authenticate Flow" in client/server socket communication:
1. Client connects into Server and Server accepts the connection.
2. Server send his encryption public-key to Client.
3. Client creates a new symetric session-key, encrypt it using the
Server
encryption public-key and send it to Server plus the Client sign
public-key.
4. Server decrypt Client symetric session-key and simply replies to
Client,
telling "Ok, I have the symetric session-key and your sign
public-key".
Now, every time Client need send some data, it does the following:
5. Client encrypts data with symetric session-key, sign (hash) the
result
with sign private-key. Client then sends the hash result and the
encrypted
data to server.
6. Server sign (hash) the encrypted data with the same Client hash
algoritm
and save it in Hash1. After, it decrypt the sign (hash) sended by
client
using Client sign public-key to obtain the Hash2. If Hash1 and Hash2
are the
same, then is the correct Client. Otherwise, closes the connection.
7. If ok, Server then decrypt data with symetric session-key.
Well, que questions now:
A - The hash algoritm is know by the Client and Server since it's my
implementation of both and I don't need to send the hash algoritm
information. Is this acceptable?
B - Sendind the Client sign public-key to Server is ok. But, after
that, I'm
sending some data using Client sign private-key to Server. Is this
secure?
Is a normal way to do it?
C - Do I need to do the 5, 6 and 7 steps every time Client needs send
some
data to Server and vice-versa? Or these steps it's executed only once
only
certify the Client and, after that, both sides can send messages
encrypted
only with symetric session-key?
Sorry for the long post. Any help will be apreciated
TIA,
--
Andre Azevedo
.
- Follow-Ups:
- Re: Socket Server with Encryption help
- From: Andre Azevedo
- Re: Socket Server with Encryption help
- References:
- Socket Server with Encryption help
- From: Andre Azevedo
- Socket Server with Encryption help
- Prev by Date: RE: SecurityException
- Next by Date: Re: Socket Server with Encryption help
- Previous by thread: Re: Socket Server with Encryption help
- Next by thread: Re: Socket Server with Encryption help
- Index(es):
Relevant Pages
|
