Reputation: 15881
I need to send data between Silverlight applications. I've got a requirement that says that data should be transmitted using a secure protocol such as SSL/TLS. Data is sent using TCP sockets due to performance reasons. Unfortunately Silverlight doesn't support SslStream. If I want to transmit data over SSL/TLS I need to buy a third-party library, e.g. SecureBlackbox. I don't want to be dependent on third-party libraries when it comes to handling the transport layer.
However, Silverlight has the CryptoStream class. I'm thinking of exchanging the key for symmetric encryption using WCF over SSL (Silverlight supports that) and then encrypting the data with AES using CryptoStream.
Is this solution safe? Can it be compared to using SSL/TLS in terms of security? Is there some obvious security hole that I'm missing?
Upvotes: 1
Views: 700
Reputation: 67296
I guess the main problems with the AES approach are key management and key verification. I'm sure you know that SSL uses a 'handshake', which uses a CA chain (Certificate Authority) to verify the validity of the SSL certificate. This all happens before an AES key is generated for the SSL session. So, by not using SSL, you miss this important step.
This means that you take on the responsibility for verifying that the keys are secure and exchanged in a secure manner.
Upvotes: 1
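The key verification step the answer refers to, sketched as an added example that is not part of the question or the answer: before any AES data flows on the raw TCP socket, each side proves it holds the key delivered over WCF/SSL by sending an HMAC over two fresh nonces. All class and method names are hypothetical, the in-process `Main` stands in for the two sockets, and this confirms key possession only; checking the peer's identity still rests on the certificate validation done by the SSL leg.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example with hypothetical names: key confirmation for the scheme in the question.
static class KeyConfirmation
{
    public static byte[] NewNonce()
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        return nonce;
    }

    // Tag = HMAC-SHA256(key, role || clientNonce || serverNonce).
    // The role label stops one side's tag from being reflected back as the other's.
    public static byte[] Tag(byte[] key, string role, byte[] clientNonce, byte[] serverNonce)
    {
        byte[] msg = Encoding.UTF8.GetBytes(role).Concat(clientNonce).Concat(serverNonce).ToArray();
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(msg);
    }

    // Compare every byte so timing does not reveal where the first mismatch is.
    public static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Recompute the tag the peer should have sent and compare it with what arrived.
    public static bool PeerHoldsKey(byte[] myKey, string peerRole, byte[] nc, byte[] ns, byte[] peerTag)
    {
        return SameBytes(Tag(myKey, peerRole, nc, ns), peerTag);
    }

    static void Main()
    {
        byte[] key = NewNonce().Concat(NewNonce()).ToArray();      // stand-in for the key sent over WCF/SSL
        byte[] wrongKey = NewNonce().Concat(NewNonce()).ToArray(); // a peer that never received that key
        byte[] nc = NewNonce(), ns = NewNonce();                   // one fresh nonce from each side

        // Client checks the server's tag in three cases:
        Console.WriteLine(PeerHoldsKey(key, "server", nc, ns, Tag(key, "server", nc, ns)));      // same key
        Console.WriteLine(PeerHoldsKey(key, "server", nc, ns, Tag(wrongKey, "server", nc, ns))); // different key
        Console.WriteLine(PeerHoldsKey(key, "server", nc, ns, Tag(key, "client", nc, ns)));      // reflected client tag
    }
}
```

The server runs the same check on the client's tag with the role label `"client"`, and the connection is dropped if either check fails.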