Re: Encryption scheme using RSA
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 9 Jan 2008 12:43:42 +0000 (UTC)
How do you want to protect the clients against spoofed servers? In other words - there are no server authentication bits in your scheme.
Why don't you simply wrap the whole (clear text) protocol in an SslStream?
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Hi,
in my company we are using a proprietary clear text protocol to do the
communication between client and server for a product of ours. The
protocol requires authentication, but login and password pass on the
network in clear text.
We want to modify the protocol in order to protect at least the
password. The scheme we invented is the following:
- CLIENT connects
- SERVER generates an RSA key pair and sends the private key to CLIENT
- SERVER generates a random number and sends it to CLIENT
- CLIENT obfuscates the password bits using the random number (in a
reversible way!), encrypts the result with the public key and sends the
encrypted stuff to SERVER
- SERVER decrypts with private key, un-obfuscates and obtains the
password of CLIENT.
- SERVER validates the password and allows/denies access
I know it is not a standard way to use asymmetric encryption, but I would
like to hear from you what the main flaws are in this idea.
Thanks in advance
jaqq