Secure communication using encrypted messages
I have a question about how to encrypt messages between users. Note i will only talk about cryptography theory and not platform dependent code like C++ with Windows Cryptography. I am talking about system programming and not web programming encryption with TLS, SSL, etc...
Also, ignore Certificates and Signing of messages, so just think of the Public keys as already being verified as not fraudulent and messages as being from the correct user.
I believe the best way to reach fast and secure encryption communication between users is to have both users with a session key because symmetric encryption is faster than asymmetric, and using asymmetric encryption (RSA) for the secure transfer of the session key.
I know there are other key agreement algorithms like Diffie-Hellmans, but lets stick with RSA which is what i've chosen.
Please tell me if you see where this might be a insecure (man-in-the-middle attack) or drastically inefficient way of performing encrypted communications.
Theory steps:
i.) Parties = {Server, Client}
ii.) Server: Generate session key (RC4)
iii.) Client: Generate private/public key pair (RSA)
iv.) Client: Send public key to Server
v.) Server: Encrypt session key with Client's Public Key, then send encrypted session key to Client
vi.) Client: Decrypt session key using Client's Private Key
vii.) Both parties now hold the session key for fast encrypted communications
Server(Server's Session key) <--> Session Key's encrypted packet (Communication medium) <--> Client(Server's Session key, Client's Public/Private key pair)
Thanks!
Assumptions:
- Public Key Tampering is not possible.
- I think you mean this, by "ignore Certificates and Signing of messages"
- Cryptosystem is not broken.
- Symmetric cipher is not broken (RC4 is broken, for example)
- Asymmetric cipher is not broken
- One-way Hash function is not broken
- Random number generator is not broken
Under these conditions, that's perfectly safe. In fact what you described in your question is how PGP works.
If you are willing to learn more about attacks against PGP, go here. And if you are willing to learn basics of cryptology, this is an excellent beginner tutorial.
- Sizeof vs array size
- How to make copilot not leak secret credentials with Neovim plugin?
- Does the client knowing all the endpoint names pose a security risk?
- Securing a client-side API
- How to disable security in Quarkus
- SNC name of ABAP System
- Is MD5 a good way to generate account verification code
- Is there any relationship between Secure Boot and Kernel Lockdown?
- CryptographicException: Access denied - How to give access on User store?
- How to use an API from my mobile app without someone stealing the token
- Symfony security component - Unable to find key \"username\" in the token payload
- Is it a good praxis to secure an webservice endpoint with a simple token string?
- Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
- Are there CSRF attacks that don't use cookies?
- How does Double Submit Cookie Pattern Prevent against CSRF attacks?
- vulnerable Tomcat 10.1.31 embedded in Artifactory 7.98.13
- Why CSRF token should be in meta tag and in cookie?
- How can I prevent SQL injection in PHP?
- How/why is login page redirect required?
- Do Electron apps enforce CORS restrictions in the renderer process?
- How can i use a reverse shell over global Internet?
- Should I Manually Patch the Pandas DataFrame.query() Vulnerability or Wait for an Official Update?
- C# - Securely storing a password locally
- how to secure keys for API calls from android device to amazon services
- Should I add application.properties to .gitignore if the Git repository is private and both the server and DB are on an internal network?
- Understanding the port numbers of a network connection strings in systemd output of an ubuntu device
- Disable firefox same origin policy
- SecurityError: Blocked a frame with origin from accessing a cross-origin frame
- Securely decoding a Base64 character array in Java
- Is There a Security Risk Using ADB Over TCP/IP for Wireless App Development in Expo?