Re: Socket Server with Encryption help

Dominick has samples of using SslStream and NegotiateStream on his blog.
I'd start there.

www.leastprivilege.com

SslStream is based on the use of certificates. However, that is a good
thing. You want a proven mechanism supported by lots of different
implementations for doing the key exchange and crypto stuff. SSPI (which is
what NegotiateStream and SslStream use under the hood) is quite capable of
doing this stuff really well. It works for IIS with tons of different
browser clients, right?

If you want more background, the book Dominick suggested is very good. I
thimk that might be useful for you as you seem to be interested in knowing
how this stuff works. That might also give you an understanding as to why
these types of problems are hard to solve and convince you that inventing
your own protocol is a terrible idea. :)

As Dominick also suggested, Valery may also stop by and tell you in great
detail what the flaws in your original proposed solution are, but you'll get
more depth from a book.

Best of luck,

Joe K.

"Andre Azevedo" <xpto@xxxxxxxx> wrote in message
news:%23$ny$otQGHA.4908@xxxxxxxxxxxxxxxxxxxxxxx
Hi Mr Kaplan

No, I don't.
But Can I generate RSA keys for each session and let the SslStream do
the job? SslStream can be my friend but it's dumb. I don't know how to
initiate a conversation it her.
Is Vs2005 help enough?

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23akHDHtQGHA.4344@xxxxxxxxxxxxxxxxxxxxxxx
You are trying to reinvent SSL. Why? SslStream is your friend.

Joe K.

"Andre Azevedo" <xpto@xxxxxxxx> wrote in message
news:%23U1j2DtQGHA.3192@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

I've started to develop a server and client socket classes with
encryption. The main communication/transport classes is working fine and
now I will write some encryption process.
After reading a lot of papers about Symmetric, Asymmetric, Hash,
Envelope and Signature I still have somes doubts and I will explain what
I calling the "Authenticate Flow" in client/server socket communication:

1. Client connects into Server and Server accepts the connection.
2. Server send his encryption public-key to Client.
3. Client creates a new symetric session-key, encrypt it using the
Server encryption public-key and send it to Server plus the Client sign
public-key.
4. Server decrypt Client symetric session-key and simply replies to
Client, telling "Ok, I have the symetric session-key and your sign
public-key".

Now, every time Client need send some data, it does the following:

5. Client encrypts data with symetric session-key, sign (hash) the
result with sign private-key. Client then sends the hash result and the
encrypted data to server.
6. Server sign (hash) the encrypted data with the same Client hash
algoritm and save it in Hash1. After, it decrypt the sign (hash) sended
by client using Client sign public-key to obtain the Hash2. If Hash1 and
Hash2 are the same, then is the correct Client. Otherwise, closes the
connection.
7. If ok, Server then decrypt data with symetric session-key.

Well, que questions now:

A - The hash algoritm is know by the Client and Server since it's my
implementation of both and I don't need to send the hash algoritm
information. Is this acceptable?
B - Sendind the Client sign public-key to Server is ok. But, after that,
I'm sending some data using Client sign private-key to Server. Is this
secure? Is a normal way to do it?
C - Do I need to do the 5, 6 and 7 steps every time Client needs send
some data to Server and vice-versa? Or these steps it's executed only
once only certify the Client and, after that, both sides can send
messages encrypted only with symetric session-key?

Sorry for the long post. Any help will be apreciated

TIA,

--
Andre Azevedo











.

Relevant Pages

  • Re: Socket Server with Encryption help
    ... Before the client ... Authentication protocols are fiercely difficult to get right. ... by Needham and Schroeder "Using encryption for authentication in large ... Client connects into Server and Server accepts the connection. ...
    (microsoft.public.dotnet.security)
  • Question on client/server application
    ... (one will act as a simple TCP server and the other will be a simple ... TCP client). ... What is the simplest way for me to implement a secure connection ... There are plenty of encryption libraries out ...
    (comp.lang.pascal.delphi.misc)
  • Re: What doesnt lend itself to OO?
    ... >> proxy and instructs the server to constuct the real object. ... rather than client code. ... If 'clock' is instantiated in the server, ... > for the server interface at the OOA level. ...
    (comp.object)
  • RE: Implementing RSACryptoServiceProvider *and* JavaScript
    ... JavaScript: hashing, synchronous encryption, and asynchronous ... This will enable me to ensure security between the client ... Send these back to the server. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • This is going straight to the pool room
    ... or not the client has privilege to do what they're trying to do, ... The server environment is this: ... 3GL User action Routines that Tier3 will execute on your behalf during the ... Routine Name: USER_INIT ...
    (comp.os.vms)