1

I have moderate knowledge of programming, and currently I am writing a client-server messaging application for Windows. My project is written from scratch using sockets, and all it does is data transmission from one client to the server, and then from the server to the rest of the clients in a room (I have implemented chat rooms). At the moment, my data is transmitted as a raw series of bytes (using `.encode('utf-8')`, if you are familiar with Python). But obviously, I need to create a proper encryption algorithm for it. I am planning on creating my own, so that I am sure of the lack of vulnerabilities (I know it can be the opposite, but I trust myself). However, I am not sure how I am supposed to store the encryption key. If I bluntly store the key in the client, is it considered secure? Because generating a random key and sending it to the recipient sounds horribly insecure, since even a toddler with MITM will be able to see it. So what do I do? How do I generate and send/store keys so that I can be sure that it is at least somewhat secure?

  • 1
    Learn how to use SSL/TLS. It's built in and should solve most of your issues. And [don't roll your own crypto](https://security.stackexchange.com/q/18197/5405), it's guaranteed to have flaws. – S.L. Barth Jul 10 '17 at 14:22
  • 1
    "I am planning on creating my own, so that I am sure of the lack of vulnerabilities (I know it can be the opposite, but I trust myself)." - Sorry, but unless you happen to have co-authored Applied Cryptography I think you will massively underestimate this task. Why reinvent the wheel when the industry has excellent solutions already? – ISMSDEV Jul 10 '17 at 14:56
  • 1
    you should not store passwords on the client device. – dandavis Jul 10 '17 at 19:36

1 Answer

0

First of all, don't ever roll your own crypto for commercial software. It is very, very, very easy to make a mistake.

But if you're just doing this for a personal pet project, or perhaps as a school project, you can do something like this:

  1. Client generates random symmetric encryption key
  2. Client encrypts message using symmetric key
  3. Client encrypts the symmetric key using your server's public key
  4. Client sends both encrypted message and encrypted key to server
  5. Server can decrypt the symmetric key using its private key, then use the symmetric key to decrypt the message.

This scheme is vulnerable in a number of ways, but it solves the specific problem you are asking about in your question.

John Wu
  • Thank you. I can see the vulnerabilities, but I will try to work based on this approach. In fact this is what I was initially planning, but I wanted an experienced third party to confirm that this would be a good approach. – Alex Leence Jul 10 '17 at 19:56
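
The five steps from the answer, as an added example that is not part of the original post or comments. It assumes the third-party `cryptography` package, RSA-OAEP for wrapping the key and AES-256-GCM for the message (the answer names no algorithms); the function names, packet fields and room label are hypothetical.

```python
# Added example: hybrid encryption using vetted primitives, not a custom cipher.
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: OAEP with SHA-256 is the key-wrapping padding.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def client_seal(server_public_key, plaintext: bytes, room: bytes) -> dict:
    """Steps 1-4: fresh key per message, encrypt, wrap the key, build the packet."""
    key = AESGCM.generate_key(bit_length=256)                  # step 1
    nonce = os.urandom(12)                                     # never reused with this key
    # Step 2: the room name is bound as associated data (authenticated, not encrypted).
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, room)
    wrapped_key = server_public_key.encrypt(key, OAEP)         # step 3
    return {"wrapped_key": wrapped_key, "nonce": nonce,        # step 4
            "room": room, "ciphertext": ciphertext}


def server_open(server_private_key, packet: dict) -> bytes:
    """Step 5: unwrap the symmetric key, then decrypt and authenticate the message."""
    key = server_private_key.decrypt(packet["wrapped_key"], OAEP)
    return AESGCM(key).decrypt(packet["nonce"], packet["ciphertext"], packet["room"])


def demo() -> tuple:
    # Constructed sample: the key pair is generated in-process for the demo only.
    # In a deployment the private key stays on the server; clients hold the public key.
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    packet = client_seal(private_key.public_key(), "hello room".encode("utf-8"), b"room-42")
    recovered = server_open(private_key, packet)
    # Flip one ciphertext bit: GCM must reject the packet instead of returning garbage.
    tampered = dict(packet)
    tampered["ciphertext"] = bytes([packet["ciphertext"][0] ^ 1]) + packet["ciphertext"][1:]
    try:
        server_open(private_key, tampered)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    return recovered, tamper_detected


if __name__ == "__main__":
    print(demo())
```

This sketch does not authenticate the sending client or stop a captured packet from being replayed, and the client still needs a trustworthy copy of the server's public key; TLS, as suggested in the comments, handles those for a socket connection.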