I am working to make a secure chat application for Windows Phone 8.
I am planning to use ASMX SOAP Services and I have decided to use Public Key Encryption technique to encrypt data but i am very new to network security.
My approach is :
Now what I want to know is that for the responses that the server will send to the client, how will those be encrypted and decrypted?
If the private key on the server is used to encrypt the responses, then it can be decrypted by anyone as the "public" key is public.
Do this means that I have to generate two public-private key pairs, one generation on server and one generation on client.
One pair will encrypt and decrypt data that is sent to the server and other pair(generated at client) will be doing the same thing when data is sent from the server in response.
Yes, you can generate a key pair on the client, and send the client's public key to the server. But if you use public key encryption to encrypt messages you are (a) limited to small messages -- a 1024 bit RSA key encrypts less than 128 bytes, and (b) going to pay in performance because public key encryption is much more costly than symmetric key encryption, such as AES encryption.
Now that you have a way to secretly send something from the client to the server, by encrypting with the server's public key, you can generate a random symmetric key on the client, and send that to the server, secretly. Now both sides have a symmetric key, which can encrypt much, much larger messages, and is much more efficient, especially on a phone.
Look into AES, for example, and authenticated encryption modes where the messages are not only secret, but tamper-proof.
You have the problem that somebody can easily impersonate the client, once they've seen the server public key, but that's a risk of implementing your own crypto. :^) Outside of a college project, where you are asked not to use SSL, you should not implement your own crypto.