
HTTP based authentication/encryption protocol in a custom system
We have a custom built program that needs authenticated/encrypted communication between a client and a server [both in Python].

We are doing an overhaul from custom written Diffie-Hellman+AES to RSA+AES in a non-orthodox way. So I would be very interested in comments about my idea.

Prerequisites: Client has a 128-bit RegistrationKey which needs to remain a secret during the authentication - this key is also the only shared secret between the server and client.

1. Client contacts the server over an insecure channel and asks for the server's RSA PubKey.
2. Client then queries the server: [pseudocode follows]

```
RegistrationKey = "1dbe665ac7a944beb67f106f779e890b"
clientname = "foobar"
randomkey = random(bits=128)
rsa_cp = RSA(key=pubkey, data=randomkey+clientname)
aes_cp = AES(key=RegistrationKey, data=RegistrationKey+rsa_cp)
send(aes_cp)
```

3. Server then responds: [pseudocode follows]

```
# Server decrypts the data and sees if it has a valid RegistrationKey, if it does...
clientuuid = random(bits=128)
sharedkey = random(bits=128)
rsa_cp = RSA(key=privkey, data=clientuuid+sharedkey)
aes_cp = AES(key=randomkey[got from client], data=rsa_cp)
send(aes_cp)
```

Now both sides know the "clientuuid" and "sharedkey", which the client can use later to authenticate itself. The method above should be secure even when the attacker learns the regkey later, since he would have to crack the RSA key, AND man-in-the-middle attacks (on RSA) should stop the auth. from completing correctly. The only possible attack method I see would be the case where the attacker knows the regkey AND can alter the traffic during the authentication. Am I correct?

---

I really want to hear your ideas on what to add/remove from this method, and if you know a much better way to do this kind of exchange.

PS! We are currently using Diffie-Hellman (my own lib, so it probably has flaws), and we have tried TLSv1.2 with PreSharedKeys (didn't work for some reason), and we are CONSTRICTED to HTTP protocols since we need to do this in Django. And because we are doing this in HTTP we try to keep the request/answer count as low as possible (no sessions would be the best) - 1 would be the best :)

If you have any questions about the specifics, please ask.

So, you crypto/security geeks, please give me a helping hand :)
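The two-message exchange described in the question, as an added example that is not part of the original post or the asker's system: it runs steps 1 to 3 end to end with the `cryptography` library and shows that a wrong RegistrationKey or altered traffic is rejected on the server side. The question leaves the primitives open, so the example assumes RSA-OAEP for the client's "RSA with pubkey" step, an RSA-PSS signature for the server's "RSA with privkey" step, AES-GCM for both "AES" layers, and the 32-hex-character key used as 16 raw bytes; function names such as `client_request` and `run_exchange` are the example's own.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
# Assumed instantiations of the question's unspecified "RSA" and "AES" calls.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)

def aes_seal(key: bytes, data: bytes) -> bytes:
    """AES-GCM with a fresh nonce prepended; the tag makes any tampering detectable."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, data, None)

def aes_open(key: bytes, blob: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)  # InvalidTag on wrong key or altered data

def client_request(pubkey, regkey: bytes, clientname: bytes):
    """Step 2: randomkey+clientname under the server's RSA key, then everything under regkey."""
    randomkey = os.urandom(16)
    rsa_cp = pubkey.encrypt(randomkey + clientname, OAEP)
    return randomkey, aes_seal(regkey, regkey + rsa_cp)

def server_response(privkey, regkey: bytes, request: bytes):
    """Step 3: check regkey, recover randomkey, answer with clientuuid+sharedkey under randomkey."""
    plain = aes_open(regkey, request)
    if plain[:16] != regkey:
        raise ValueError("registration key mismatch")
    inner = privkey.decrypt(plain[16:], OAEP)
    randomkey, clientname = inner[:16], inner[16:]  # clientname would be looked up here
    clientuuid, sharedkey = os.urandom(16), os.urandom(16)
    # The question's RSA(key=privkey, ...) is read as a signature: it proves the reply came from
    # the key holder, while confidentiality comes from the AES-GCM layer under randomkey.
    sig = privkey.sign(clientuuid + sharedkey, PSS, hashes.SHA256())
    return (clientuuid, sharedkey), aes_seal(randomkey, clientuuid + sharedkey + sig)

def client_finish(pubkey, randomkey: bytes, response: bytes):
    plain = aes_open(randomkey, response)
    clientuuid, sharedkey, sig = plain[:16], plain[16:32], plain[32:]
    pubkey.verify(sig, clientuuid + sharedkey, PSS, hashes.SHA256())  # InvalidSignature if forged
    return clientuuid, sharedkey

def run_exchange(client_regkey: bytes, server_regkey: bytes) -> bool:
    """One full run; True when both sides agree on (clientuuid, sharedkey), False when rejected."""
    privkey = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pubkey = privkey.public_key()  # step 1: handed out over the insecure channel
    randomkey, req = client_request(pubkey, client_regkey, b"foobar")
    try:
        server_view, resp = server_response(privkey, server_regkey, req)
    except (InvalidTag, ValueError):
        return False
    return client_finish(pubkey, randomkey, resp) == server_view
```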