I am developing a client server app that uses ssl (openssl) to establish a secure communication channel between the client and the server. I believe I have two options now for secure data transfer between the client and the server. One option is to continue with the data transfer on the established secure ssl channel between the client and the server even though the encryption/decryption process will be slow because of the use of asymmetric keys. The other option is to transfer a symmetric key on the ssl channel and close the ssl channel once the symmetric key is delivered to the client. Communication thereafter will happen on a regular TCP channel using the symmetric key which I believe will be much faster than using asymmetric keys. Are there any downsides to this approach? One thing that is obvious with the symmetric key approach is the process of key management which I am thinking of handling by not storing the keys on the client at all. Symmetric key will be delivered to the client on start up over an SSL channel. Key will NOT be stored in the client at all. Any thoughts?
+5
A:
You are mixing things up. Ssl uses an asymetric key (defined in the certificate) to pass a autogenerated symetric key between the client and the server. This symetric key is then used throughout the secure session (the channel).
So basically, you already have a fast symetric encryption when using ssl. The only asymetric encryption takes place at the very beginning of the communication.
Don't try to manage your symetric keys on your own. It will not work.
Yann Schwartz
2009-06-02 13:55:42
A:
Keep using the SSL connection because SSL uses a symmetric cypher after the initial phase.
Daniel Brückner
2009-06-02 13:56:55