Re: A cryptography solution for a client/server winforms app

Ok, if you want to learn crypto, I wouldn't start by trying to create a
network protocol that uses RSA key pairs to negotiate a session key and then
encrypts and signs the resulting traffic. That's a lot. SslStream is
really easy to use compared to rolling your own, so I recommended that if
you were trying to actually get work done.

I'd start by learning how to do some symmetric encryption/decryption first
and learn how to compute a hash. Then look at RSA and asymmetric crypto.
There are lots of good articles out there and some very good books that
explain how this stuff works. Build it up in pieces. You might try asking
a few specific questions about different pieces you are trying to build up.

I don't know of a good end to end example in managed code that shows
something like a complete implementation of SSL.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"DXRick" <DXRick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0F6291CF-720E-4FCF-AA59-EF3C42BD6607@xxxxxxxxxxxxxxxx
Thanks, but I am a student. I looked up SSL in the MSDN help files, and
it
looks like it is way beyond me at this point. I am trying to LEARN about
cryptography, which is the objective of item 5.4 in Microsoft's Exam
70-536
outline. I am not going to learn much without actually doing it and was
just
wondering if there was something out there that shows how to put the
pieces
together.

Thanks anyway.



"Joe Kaplan" wrote:

You really really should consider using SslStream to do this instead of
rolling your own crypto algorithm. It does exactly what you want.
Because
you control both the client and server, you don't even need to use a
"real"
certificate. You could use a self-signed cert deployed with the server
and
code the client to ignore certificate trust errors.

SSL does exactly what you want and is a very well-tested protocol.

Another option is to use NegotiateStream if Windows authentication is a
possibility, as then you can encrypt and sign the network traffic using
SSPI.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"DXRick" <DXRick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E91A3C6F-33A0-42AE-8EB7-DB3033440164@xxxxxxxxxxxxxxxx
I neglected to mention that for a possible solution to the issue of
decrypting the class data and then serialing it I am thinking of adding
hashing or signing to the mix. I could hash the unencrypted class
data,
and
the client or server could then do the same after decrypting the data
to
determine if it would be safe to attempt to serialize it. So the steps
would
be this when the client wants to send the class to the server to have
it
saved on the server:

1) serialize the UserAccount class to a memory stream.
2) generate a hash value for the data in the memory stream.
3) encrypt the memory stream.
4) send the encrypted stream and hash to the server.

5) the server decrypts the stream.
6) the server generates and compares the hash value of the stream to
the
hash value from the client.
7) if the hash matches, encrypt the data using its own symmetric key
and
save the data to file.

I realized that since the client is sending the serialized data that
the
server can just encrypt it and save it to file. Then it can read it
from
file, decrypt it with its private symmetric key and encrypt it with the
session key and send it to the client. I don't see the hash concept
being
necessary for the server to client transmission. Is this correct? I
see
the
server as being the only one vulnerable to a hacker attempt.

thx.


"DXRick" wrote:

Hi, I am learning C#, .NET 2.0, and Winforms to learn the things that
are
covered by the MCTS exam 70-536. I am writing a client server Quicken
like
application where the user's account files are saved on the server. I
am
now
looking at encryption for the sending of the user data between the
server
and
client and for the files saved on the server.

The MSDN docs talk about the strategy of using public/private key
pairs
to
have the client and server come up with a symmetric key that can then
be
used
to encrypt/decrypt the data sent back and forth. So, this symmetric
key
would just be a session key. I guess it is OK for the client and
server
to
just keep this key in memory until the session is over?

I would also like to encrypt the data saved on the server, but cannot
understand how this should be done. It would seem that the server
needs
to
create another symmetric key for this. So, it would need to save this
key
somewhere safe. However, only asymmetric keys can be stored in the
CSP.
How
would a server maintain its key for encrypting/decrypting the file
data?

Also, the data passed between the client and server is in a class.
So,
for
encryption I am thinking that I would serialize the class to a stream,
encrypt the stream, and then send it to the server. The server would
receive
the stream, decrypt it, and then deserialize the data back into a the
class
object. Would this be safe to do? How secure is deserialization in
handling
possible garbage data? I would expect it to throw an exception if the
data
was garbage due to a decryption failure or a hacker attempt. After
that,
it
would serialize the data and encrypt it with its own symmetric key to
save it
to file, and use the reverse process to read it.

I am using Winforms now, but will learn ASP .NET eventually as well.
How
does one learn about best practices for things like this? All the
info I
have seen so far just explains A, B, or C without showing how all the
parts
can be used together for a solid strategy.

THanks!






.

Relevant Pages

  • Re: file transfer with sockets
    ... confirmation from client for each chunk before sending the next? ... to server, server interprets command, executes it, then simply returns ... files (hence the reading in chunks). ... sending the bytes over the stream. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: How do I stop a Winsock from buffering characters?
    ... The client is just doing this to send: ... Stream s = client.GetStream; ... I just wan to send one character ... from the client code and have the server see it right away. ...
    (microsoft.public.windowsce.embedded)
  • Re: Client Server
    ... Otherwise, read a file in via a stream, make any required updates, and write ... > myself and compares it to the data that the client has sent to ... My response, though it was very general in nature, assumed exactly what you ... at some point you want the server to read this file in. ...
    (comp.lang.java.help)
  • Re: A Media Distribution Problem
    ... > A supplier wishes to sell his goods by realtime downloading ... One way to solve this is to lock each login to a MAC address at the server ... You have a MPEG stream being sent to the main distribution server. ... At the client end, each piece of software has a unique RSA private key. ...
    (sci.crypt)
  • Re: File ENcryption Problem Detail
    ... > In addition, when u encrypt remotely (client to server), which users ... We can encrypt remotely (client to server, ... >>> it is able to encrypt file locally on the DC, ...
    (microsoft.public.win2000.security)