 |
12-16-2002, 04:37 PM
|
 |
Senior Contributor
* Expert *
|
|
Join Date: Nov 2002
Location: Ohio, USA
Posts: 1,828
|
|
How to create a "secure" protocol
|
I'm creating an app that will deal with sensitive information over winsock. How can i create a "secure" protocol. My current protocol is failry simple. A handshake, (used to give IP's, version number, etc.) then onto main communication.
Should i encrypt all the data before sending, then decrypt it? All that is being sent is text. Is there anything else that could help create a powerful protocol that ensures security? Rotating the key for the password depending on day? Once the connection is established, create a temp key for only the client and server connection, then trash it once they close?
Thanks for any help!
|
__________________
RandomIRC - Your neighborhood's friendly IRC channel (irc.randomirc.com - #code)
"Perl - The only language that looks the same before and after RSA encryption."
|
12-16-2002, 05:58 PM
|
 |
ISearchGoogle
Retired Moderator
* Expert *
|
|
Join Date: May 2001
Location: england
Posts: 6,321
|
|
|
"Secure" is a very vague word, and yet very complex. The level
of security you want is probably a good guide to what you should
do - if you want protection from the governments of the world,
I'd go for a 16 round implementation of IDEA, or maybe DES (bear
in mind that the NSA probably has DES crackers purpose built...).
If, on the other hand, you're just looking to protect agains the
casual eavesdropper, then any other algorithm - Blowfish,
Twofish, RC4, etc..etc.. would be suitable. Heck, you could even
create your own.
Of course, the problem with peer to peer secure protocols is that
there has to be some form of plaintext encryption to start
with in order to setup the encryption. There are lots of key
exchange protocols out there, search for "Diffie-Hellman" to get
start (sp?). Here's what I do:
Client connects to the server
Server sends an initialisation vector (random seed)
Client hashes the password using the IV
Client sends the hash to the server
Server does the same action - if they match, user is ok.
All further communications are encrypted with the original
password.
|
__________________
Chuck Norris ordered a Big Mac at Burger King, and got one.
|
12-16-2002, 07:09 PM
|
|
Senior Contributor
* Expert *
|
|
Join Date: Nov 2002
Location: Ohio, USA
Posts: 1,828
|
|
Quote:
Server sends an initialisation vector (random seed)
Client hashes the password using the IV
Client sends the hash to the server
Server does the same action - if they match, user is ok.
|
You lost me here. I searched for the Diffie-Hellman, and got completely confused trying to figure it out. Could you explain it in slightly simpler terms?
Whats the intialisation vector?
I believe i know what hashing is...you run a password through a one way math function of some sort to create a garbled hashed password, which is irrecoverable. To check the password, you run the one in question back through and see if they match. |
__________________
RandomIRC - Your neighborhood's friendly IRC channel (irc.randomirc.com - #code)
"Perl - The only language that looks the same before and after RSA encryption."
|
|
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
|
|
|
| Thread Tools |
|
|
| Display Modes |
 Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
|
