asymmetric encryption


Paul Fi

I have this encryption scheme that I want to implement:

I have an authentication server, which takes clients' credentials to
complete authentication, but first I have to encrypt the credentials. I
want to use asymmetric encryption, where the server creates the key pair
(public and private keys), but to avoid round trips in the authentication
protocol, instead of having the server send the public key to clients,
I want the public key to be hard-coded into the client code and also
assign the same public key to the server. The problem is: how
do I get the private key created on the server side in a way that gets
the public and private keys mathematically linked?
 

Rob Teixeira [MVP]

Well, you might want to explain how this authentication algorithm/protocol
works first. With your setup, I'm not sure this follows standard procedure
for authentication via asymmetric encryption. Also note that asymmetric
encryption is typically only good at encrypting small bits of info at a
time - 8 to 32 bytes ideally. I usually recommend using it only to
sign/verify data hashes or create an envelope so a symmetric key can be
securely transmitted. Data encryption is best done with stream and block
ciphers (usually symmetric algorithms).

-Rob Teixeira [MVP]
 

Nick Malik

Hello Paul,

If you want the public key to be in the code, rather than in a keystore, you
will have to generate the keypair on the server first, before you compile
the client, then take the public key from that generated pair and place it
in the client code.

Note: this is an extraordinarily bad idea. No key pair is completely
immune. The moment someone discovers your private key, all of your
installed base of code is compromised.

I'd be concerned about your scheme. How will the client know that the key
has been compromised? How can the client be certain that your address has
not been compromised? How can you inform them of this? That is what the
certificate authority is for, and why they have Certificate Revocation
Lists.

The Public Key Infrastructure has been beaten around for a long time to work
out these issues in fine detail. If you go about circumventing bits of it,
you open yourself up for attack in a manner that will destroy your
credibility the moment an attack is successful.

Think about it.
--- Nick
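
The two replies above combined into one sketch, as an added example that is not part of the original thread: the server generates the pair first (which is what links the two keys), the public half is exported as PEM for the client build, and RSA only wraps a random AES key in the envelope style Rob describes. The function names, the 3072-bit key size, and the choice of RSA-OAEP with AES-256-GCM are assumptions of this example, written for Node.js using only its built-in `crypto` module.

```javascript
const crypto = require('crypto');

// Server, once, before the client is compiled. Generating the pair together
// is what makes the keys mathematically linked; they are never made separately.
function generateServerKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 3072,
    publicKeyEncoding: { type: 'spki', format: 'pem' },   // this PEM goes into the client
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' }, // this PEM never leaves the server
  });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: RSA wraps only a fresh 32-byte AES key; AES-256-GCM encrypts the credentials.
function sealCredentials(publicKeyPem, credentials) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(credentials), 'utf8'),
    cipher.final(),
  ]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, aesKey),
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),
  };
}

// Server: unwrap the AES key with the private key, then decrypt and authenticate.
// Throws if the envelope was modified or was sealed for a different key pair.
function openCredentials(privateKeyPem, envelope) {
  const aesKey = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  const plaintext = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  return JSON.parse(plaintext.toString('utf8'));
}

// Constructed sample credentials, sealed by the "client" and opened by the "server".
const server = generateServerKeyPair();
const envelope = sealCredentials(server.publicKey, { user: 'alice', password: 'example-only' });
console.log(openCredentials(server.privateKey, envelope));
```

A key pinned this way has no revocation path, which is the concern Nick raises: replacing it means shipping a new client build.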
 
