Htmiel
Reputation: 13
Client-Server secure connection handshake
I would like to know if there are any security concerns regarding the way I want to create a secure client-server connection.
NOTE: I know the most obvious answer to these type of questions is to just use SSL/TLS, but I would appreciate an answer to my specific case.
My connection protocol is as follows (following communication is un-encrypted plain text):
- client connects to server socket
- server sends a 2048-bit public RSA key to client
- client generates a 256-bit AES key, encrypts it with the received public RSA key, and sends it to server (server decrypts it and obtains the secret AES key)
- client generates a 256-bit HMAC key, encrypts it a client-embedded public RSA key, and sends it to server (server decrypts it and obtains the secret HMAC key)
- server sends to client the HMAC of the AES key, proving it possesses the private RSA key corresponding to the client-embedded public RSA key, and proving the authenticity of the server
All further communication is encrypted with AES and verified with HMAC.
Upvotes: 1
Views: 263
Answers (1)
Luke Joshua Park
Reputation: 9795
A man in the middle could easily send their own public key to the client and receive the original public key from the server.
It could then eavesdrop the conversation in both directions.
Upvotes: 1
Related Questions
- network connection using public key cryptography
- How to send data in secure way between client and server using only Symmetric cryptography
- Secure communication between client and service
- Encryption and authentication for client-server application where clients are known
- Authenticating a client to a server
- Client server AES encryption
- Ciphertext on server
- Using HTTPS for the client-server communication
- Secure connection between client and server
- Implementing a Handshake for a Socket Connection