Which of the encryption aproaches should I use?

I need a system to exchange very secret data (source code that is a trade secret). I will use Crypto++ so practically I can use all encryption algorithms, although I really prefer to use an industry standard.

Currently I'm thinking on these methods:

Have the server generate 2048/4096-bit RSA keys, send the public key over to the client, have the client encrypt the data then send it over to the server.
Use a key exchange method like Diffie-Hellman (Diffie-Hellman-Merkle to be correct) to exchange an AES-256 key.
Initiate a TLS connection and tell the server the AES key directly.

Which approach do you believe I should use? I'm not concerned about performance as long as it's reasonable; security is what matters. If none of them, please suggest another method.

P.S.: I might use chaining on the symmetric algorithm, like AES-Twofish-Serpent.

EDIT: Any recommended software must be in a license that won't restrict proprietary usage. LGPL is as restrictive as it must get. That rules out GPL.

Don't develop your own key exchange and/or key provisioning protocol(s). This is what historically breaks most products and, unless you are a cryoptographer (not a programmer with crypto experience), you'll likely get it wrong.

Use off-the-shelf protocols like SSL/TLS. Eg. TLS initialized with RSA keypairs for mutual authentication and AES session keys sounds appropiate for what you describe

Updated

Bruce Schneier:

"A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography"

erickson in his post has already give you plenty of evidence why designing your own key provisioning and management protocol is flawed. I just want to drive the point home why Mallory is alive and doing quite well, thanks to overconfident developers:

You design the scheme you propose where the client encrypts with a public key and sends the document back to you. Things work great, but 1 year down the road the certificate is approaching expiration. You send an email out to your clients with the new certificate containing the public key you want your users to sign encrypts the documents with for you. Unknown to you is that over the past 4 months your ISP admin has received a bribe to route all your IP traffic through a remote machine. Your email is intercepted before distribution and your attached certificate is replaced with another one. All your clients are now sending their ultra secret documents encryted for someone else's private key. An application decrypts each one, stores it, then encrypts it with your public key and forwards the traffic to you. You won't even know is happening, untill by accident during a visit to a client's site you notice that the certificate he uses is not the one you distributed.

You mention in your post as an option to chain algorithms. Nobody is going to brute force you. Your weakness will be key management, and the attack will take some form of social engineering to fool someone is using the wrong key, or reveling the private key (again, bribes go a long way). Industry agreed protocols have steps to prevent man-in-the-middle attacks, they may rely on PKI infrastructure that recognizes designated key use and trusted authorities, they add certificate revocation list check steps to the validation etc etc. Just 'I encrypt with public key, you decrypt with private' does not make a secret safe.

+1 for the note about building from scratch.

liori 2009-10-12 22:52:26

Actually, even *if* you are a cryptographer, you'll likely get it wrong. That's why cryptographic algorithms and protocols are usually developed by groups, in the open and rigorously reviewed publicly for years, before they are deployed.

Jörg W Mittag 2009-10-13 15:30:03

I guess I'll bundle OpenSSL and just use TLS to connect in that case. However, if I encrypt my data using a public key I receive from the server why would I need to use TLS? The data encrypted with the public key can only be decrypted with the private key, which doesn't leave the server.

iconiK 2009-10-13 20:43:49

@Wikie: In theory you're right (omitting all public key provisioning issues like root of trust and handling revocation etc etc). In practice nobody encrypts data using an RSA key. You encrypt it using a session key and you encrypt the session key using an RSA key. If is a channel encryption (coupled, online, synchronous), a protocol like TLS does the key management for you (derivation and exchange of the session key). If is a document encryption (decoupled, offline, asynchronous), there are protocols like S/MIME or PGP that solve this.

Remus Rusanu 2009-10-13 21:05:40

Why should I encrypt the master key using the RSA key? That sounds pointless IMO.It's document encryption AFAIK.

iconiK 2009-10-14 11:15:00

Where are you going to store the symmetric key associated with the document? Are you going to use one single key for all your documents? How are you going to handle a key renewal, re-encrypt all documents existing?

Remus Rusanu 2009-10-14 19:40:19

@Remus: The symmetric key will be stored in a centralized storage server which only be connected to the central server. The only way to get the key would be to steal the HDD and try to break the AES XTS encryption.

iconiK 2009-12-03 13:15:38

The ISP can't possibly intercept it, since the key will be embedded directly in the application executable, and it will verify itself against the server for modification. Isn't it possible to have a certificate without an expiration date or a really long expiration date?

iconiK 2009-12-03 13:16:33

Crypto++ looks like an industry standard, at least to me. The algorithm most likely won't change, and even if it will, all the stored files will have meta-data accompanying them, so a changing algorithm isn't an issue.

iconiK 2009-10-13 20:45:32

Which is why I am asking here, to be sure I actually use it correctly.

iconiK 2009-12-03 13:17:35

ansaurus

tags:

views:

answers:

Which of the encryption aproaches should I use?

related questions