Tech Off Thread

10 posts

Doing a simple key exchange

  • Tom Servo

    Excuse me if this is a dumb question, but when I want to perform a simple key exchange, without authentication or anything, will this look like this?

    - Alice sends her public key to Bob
    - Bob generates a session key and sends it to Alice encrypted with her public key

    Is it really that simple? This is my first at that sort of stuff.

  • W3bbo

    Tom Servo wrote:
    - Alice sends her public key to Bob
    - Bob generates a session key and sends it to Alice encrypted with her public key


    Sounds about right.

  • Tom Servo

    In general with applications that communicate in realtime, is there only one session key for both sides? Or does each side exchange a key of their own, to have a different key each way?

  • blowdart

    Tom Servo wrote:
    In general with applications that communicate in realtime, is there only one session key for both sides? Or does each side exchange a key of their own, to have a different key each way?


    It depends.

    Take a look at how HTTPS handshake works

  • Tom Servo

    blowdart wrote:
    Take a look at how HTTPS handshake works

    Thanks for the link.

    Right now, it looks like this:

    - Alice sends Bob the public key.
    - Bob sends his public key in response.
    (RSA-OAEP encrypted packets from here.)
    - Alice sends the supported prioritized list of symmetric ciphers.
    - Bob sends a response picking the highest prioritized supported cipher.
    - Alice sends a session key.
    - Bob sends a session key.

    From here on, everything will be sent encrypted.

    I don't think that I will try putting any sort of authentication in, it's confusing enough already. I'll be caching public keys though and tell the user when someone's key changed, as sort of pseudo-security.
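
The two-step exchange from the start of the thread and the key-change check described in the post above, as an added example that is not part of the original posts. It assumes .NET 6 or later; `KeyExchangeDemo`, `Pins`, `PinResult` and `CheckPin` are hypothetical names, and the first key seen for a peer is trusted without any authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

static class KeyExchangeDemo
{
    // Hypothetical in-memory cache: peer name -> SHA-256 fingerprint of the first key seen.
    static readonly Dictionary<string, string> Pins = new();

    enum PinResult { FirstUse, Match, Changed }

    // Remember a peer's key on first contact; report when a later key differs.
    static PinResult CheckPin(string peer, byte[] publicKey)
    {
        string fingerprint = Convert.ToHexString(SHA256.HashData(publicKey));
        if (!Pins.TryGetValue(peer, out var known))
        {
            Pins[peer] = fingerprint;
            return PinResult.FirstUse;
        }
        return known == fingerprint ? PinResult.Match : PinResult.Changed;
    }

    static void Main()
    {
        // Alice: generate a key pair and send the public half (SubjectPublicKeyInfo bytes).
        using RSA alice = RSA.Create(3072);
        byte[] alicePublic = alice.ExportSubjectPublicKeyInfo();

        // Bob: cache the key, then wrap a fresh random session key with RSA-OAEP.
        Console.WriteLine($"alice, first contact: {CheckPin("alice", alicePublic)}");
        using RSA bobCopy = RSA.Create();
        bobCopy.ImportSubjectPublicKeyInfo(alicePublic, out _);
        byte[] sessionKey = RandomNumberGenerator.GetBytes(32);
        byte[] wrapped = bobCopy.Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA256);

        // Alice: unwrap the session key with her private key.
        byte[] unwrapped = alice.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        bool same = CryptographicOperations.FixedTimeEquals(sessionKey, unwrapped);
        Console.WriteLine($"session keys match: {same}");

        // Later connection: a different key arrives under Alice's name (constructed case).
        using RSA other = RSA.Create(3072);
        byte[] otherPublic = other.ExportSubjectPublicKeyInfo();
        Console.WriteLine($"alice, later contact: {CheckPin("alice", otherPublic)}");
    }
}
```

A `Changed` result is the point at which the user is told the key changed; the cache cannot tell whether the first key really belonged to Alice.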

  • blowdart

    Tom Servo wrote:
    .

    I don't think that I will try putting any sort of authentication in, it's confusing enough already. I'll be caching public keys though and tell the user when someone's key changed, as sort of pseudo-security.


    Looks about right. You have no authentication method, so you don't know if Alice is really Alice or Steve the 275lbs trucker. If public keys were truly public you'd need revocation checks as well.

  • Tom Servo

    Revocation checks? How do I make sure the date hasn't been messed around with? While replying now, I figured I could add public key signing to the client, so that one side can sign the other's public key at any point and send it back.

  • blowdart

    Tom Servo wrote:
    Revocation checks? How do I make sure the date hasn't been messed around with? While replying now, I figured I could add public key signing to the client, so that one side can sign the other's public key at any point and send it back.


    Well using HTTPS as the example,

    Each certification from a public authority can publish a revocation lookup location (or something like that), where a client can call this well known lookup location and check that a certificate has not been cancelled.

    Of course now you need a central authority.

  • Tom Servo

    blowdart wrote:
    Of course now you need a central authority.

    Hrm. Maybe for a really later point. When I have things working adequately, I might just consider using personal digital certificates. There's surely a way to access and use those in .NET.

  • blowdart

    Tom Servo wrote:
    blowdart wrote: Of course now you need a central authority.

    Hrm. Maybe for a really later point. When I have things working adequately, I might just consider using personal digital certificates. There's surely a way to access and use those in .NET.


    Oh yes there is, and it's all built in. There's a whole host of goodies in System.Security.Cryptography.X509Certificates
