Hi,

I was thinking if it is possible and/or viable, for obfuscation and security, to do as follows:

  • Client starts a session with the Server (which means a valid login and password were sent and accepted)
  • Server encrypts a random password with its private key, which will then be used for data encryption using Rijndael's method, and sends both back to the client (the password, which is the encrypted random password, and the Rijndael-encrypted data, which is what we want for the client to work)
  • Client will receive both and verify the password to see whether it was encrypted with our pair of keys or not; if so, it will be used to decrypt the data.

From what I see, Rijndael has some restrictions on the password size, so would this even be possible (considering the output of the encrypted random password)?

Is there another approach that would be close to what I was thinking or trying to describe here?

Is this even worth it?

The reason I wanted something like this is mostly to make it harder for anyone trying to reproduce what our server communicates with the client; aside from that, we use Smart Assembly. I would like you guys to focus on the questions above and forget about packing my code etc. Think of this as a client/server communication security measure if possible.

Best regards.

+1  A: 

I can address the first part. If the server encrypts a key with their private key, ANYONE with their public key will be able to decrypt it. This leaves a gaping hole open for a man-in-the-middle attack. In other words, if I intercept the same token you do, I now know the same key that you know. This means that I can see all the traffic that is going back and forth.

The crux of security has always been this initial key-exchange problem. You may want to employ an industry-standard approach, like Diffie-Hellman, for the actual key exchange. Hope that helps.

Robert Seder
@Rob hi, I might have said something wrong or got you wrong. What I meant by server private key is that, using my Perl code, I have generated a pair of private and public keys which I have set by default to be used on my client and server (with that given private key I am generating an encrypted random password). Also, is it even possible to intercept SSL data? That is where all this data is sent, through HTTPS requests. Please do correct me if I said something odd; I might have got you wrong.
Prix
@Prix - in that case, what you are describing is basically what SSL already does. In other words, when you establish an SSL connection, the public/private keys on both sides are only used to negotiate a symmetric key to use. All other traffic is sent encrypted with a symmetric algorithm. So first, I don't think you'd need to worry about any of this, if you are already using SSL anyhow. And no, I don't know of any practical method of breaking SSL. If there was, then we couldn't go to banks/credit card companies online anymore! I think SSL alone will handle what you want - right?
Robert Seder
Another idea too - if all you want is obfuscation, you could base64 encode the data, you could use binary serialization, you could use a compression algorithm, etc. I guess it all depends on how much security you really need.
Robert Seder
@Rob that's true, but what I am trying to figure out is just some way to prevent people from replicating a fake server that will send the same response, which is why I was in the first place questioning if it is possible to encrypt a password using a private key and then use the result as the password to encrypt the data I want to send using Rijndael's method...
Prix
@Prix it comes down to how secure this needs to be. Any .NET code can be decompiled and changed. Unless you encrypt with pre-defined/hard-coded certs only available on your server, I don't know of any other way to accomplish what you're trying to do. You can make things more obscure, but it's not really possible to make them truly secure, I don't believe.
Robert Seder
@Rob first of all, thanks for sticking with this discussion, I really appreciate it. I understand the point that if someone with knowledge wants to, they will be able to break in. But like I said earlier, I do use SA for packing my code to keep at least a majority of people out of it. My focus right now is really on how to obscure the data being sent in some way that it will need some match from the client and all the rest from the server, but I'd not like to store any crucial information on the client; I'd like to randomize it for each session with a new one or w/e...
Prix
@Prix glad to help, if I can. I think if you focus on performance, obfuscation will be taken care of. If you use compression and send over byte arrays, for example, then that in itself would be a hot mess for someone to try to figure out. Other than that, what you put above will work. In theory, if that key exchange is done within SSL, that should help limit what a would-be attacker could glean from your service. Hope that helps and good luck! -Rob
Robert Seder
Thanks for the side ideas ... you've been helpful.
Prix
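
The answer's first point, as an added example that is not part of the original thread: a session key "encrypted" with the private key is recovered by anyone holding the public key, while the same operation used as a signature lets the client reject a response not produced by the server's key. It assumes a toy textbook-RSA key constructed from two small Mersenne primes with no padding; all names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy key (assumption): two Mersenne primes, textbook RSA, no padding.
# Far too small and too structured for real use; illustration only.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key, embedded in every client
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, held by the server only

def server_wrap_session_key(session_key: int) -> int:
    """The question's step 2: 'encrypt' the random password with the private key."""
    return pow(session_key, D, N)

def unwrap_with_public_key(blob: int) -> int:
    """Needs only (N, E), so every client and every eavesdropper can do this."""
    return pow(blob, E, N)

def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def server_sign(message: bytes) -> int:
    """Private-key operation used for what it does provide: proof of origin."""
    return pow(digest(message), D, N)

def client_verify(message: bytes, signature: int) -> bool:
    """Client-side check that the response came from the holder of D."""
    return pow(signature, E, N) == digest(message)

def demo() -> dict:
    session_key = secrets.randbits(128)          # fits a 128-bit Rijndael key
    blob = server_wrap_session_key(session_key)
    response = b"constructed server response"
    sig = server_sign(response)
    return {
        # No confidentiality: the public key alone recovers the session key.
        "key_recovered_by_public_key": unwrap_with_public_key(blob) == session_key,
        # Authenticity: the genuine response verifies ...
        "genuine_accepted": client_verify(response, sig),
        # ... a different response reusing the old signature does not ...
        "replayed_sig_accepted": client_verify(b"fake server response", sig),
        # ... and neither does an altered signature.
        "altered_sig_accepted": client_verify(response, (sig + 1) % N),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
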