tags:

views:

50

answers:

4
+3  Q: 

Backwards HTTPS; User communicates with previously generated private key

I am looking for something like https, but backwards. The user generates their own private key (in advance) and then (only later) provides the web application with the associated public key. This part of the exchange should (if necessary) occur out-of-band. Communication is then encrypted/decrypted with these keys.

I've thought of some strange JavaScript approaches to implement this (From the client perspective: form submissions are encrypted on their way out while (on ajax response) web content is decrypted. I recognize this is horrible, but you can't deny that it would be a fun hack. However, I wondered if there was already something out there... something commonly implemented in browsers and web/application servers.

Primarily this is to address compromised security when (unknowingly) communicating through a rogue access point that may be intercepting https connections and issuing its own certificates. Recently (in my own network) I recreated this and (with due horror) soon saw my gmail password in plain text! I have a web application going that only I and a few others use, but where security (from a learning stand point) needs to be top notch.

I should add, the solution does not need to be practical

Also, if there is something intrinsically wrong with my thought process, I would greatly appreciate it if someone set me on the right track or directed me to the proper literature. Science is not about finding better answers; science is about forming better questions.

Thank you for your time, O∴D

+2  A: 

If a rogue access point can sniff packets, it can also change packets (an ‘active’ man-in-the-middle attack). So any security measure a client-side script could possibly provide would be easily circumvented by nobbling the script itself on the way to the client.

HTTPS—and the unauthorised-certificate warning you get when a MitM is trying to fool you—is as good as it gets.

bobince  2010-08-05 18:25:29
Because the communication is being encrypted with the prenegotiated keys, any meddling with the bits (unless they had access to the key) would cause things to break. Content would suddenly be all whacky. A change that would be meaningful is unlikely.
Octoberdan  2010-08-05 18:42:44
+1  A: 

SSL and there for HTTPS allows for client certificates. on the server side you can use these environment variables to verify a certificate. If you only have 1 server and a bunch of clients then a full PKI isn't necessary. Instead you can have a list of valid client certificates in the database. Here is more info on the topic.

Implementing anything like this in JavaScript is a bad idea.

Rook  2010-08-05 18:26:45
Those are fantastically useful and informative links, thank you! This also answers my question.
Octoberdan  2010-08-05 22:44:03
+2  A: 

This is already done. They're called TLS client certificates. SSL doesn't have to be one-way; it can be two-party mutual authentication.

What you do is have the client generate a private key. The client then sends a CSR (Certificate Signing Request) to the server, who signs the public key therein and returns it to the client. The private key is never sent over the network. If the AP intercepts and modifies the key, the client will know.

However, this does not stop a rogue AP from requesting a certificate on behalf of a client. You need an out-of-band channel to verify identity. There is no way to stop a man in the middle from impersonating a client without some way to get around that MITM.

Borealid  2010-08-05 18:30:07
The system I am trying to describe precludes the requesting of a certificate on behalf of a client. Keys have previously been exchanged.
Octoberdan  2010-08-05 18:44:58
I would like to know why someone marked this -1.
Octoberdan  2010-08-05 18:45:34
@Octoberdan: The issue is with the sending of the public key; if the *whole certificate* hasn't been exchanged (or verified by a trusted third party) in advance, you have no way to know that the public key isn't coming from the MITM. I also have no idea why I was downvoted for this - did I say something wrong?
Borealid  2010-08-05 18:52:09
Is SSH with keys vulnerable to MITM attacks?In my hypothetical system, the public key is transfered over some (assumed) secure medium _once_ on registration or some other time. We could even go so far as to say it's handed off in person. The point is that it happens once.
Octoberdan  2010-08-05 19:00:21
@Octoberdan: OK then. From your question I didn't realize that the client key was transmitted out of band. To quote from my answer, "you need an out-of-band channel to verify identity".
Borealid  2010-08-05 19:01:13
Sorry, I misunderstood that chunk of your answer. I appreciate the clarification! I will update my question.
Octoberdan  2010-08-05 22:30:43
Done. Your response is EXACTLY what I was looking for. I feel a little foolish now, but that's alright.
Octoberdan  2010-08-05 22:37:44
+1  A: 

I don't see, why you are using assymetric encryption here. For one, it is slow, and secondly, it is vulnerable to man in the middle anyhow.
Usually, you use an asymmetric encryption to have a relatively secure session negotiation, including an exchange of keys for a symmetric encryption, valid for the session.

Since you use a secure channel for the negociation, I don't really understand why you even send around public keys, which themselves are only valid for one session.
Asymmetric encryption makes sense, if you have shared secret, that allows verifying a public key. Having this shared secret is signifficantly easier, if you don't change the key for every session, and if the key is generated in a central place (i.e. the server and not for all clients).

Also, as the rook already pointed out, JavaScript is a bad idea. You have to write everything from scratch, starting with basic arithmetic operations, since Number won't get you very far, if you want to work with keys in an order of magnitude, that provides reasonable security.

greetz
back2dos

back2dos  2010-08-06 11:48:46
Thank you for the response! Could you please shed light on one chunk: "if the key is generated in a central place (i.e. the server and not for all clients)" ?
Octoberdan  2010-08-06 19:02:41

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security