I am trying to build TCP Chat application in C#. So far I managed to build working Chat application and to crypt messages that should be sent through the app with AES algorithm.
Now I would like to encrypt the password used for AES with RSA algorithm.
Related
is rational to use a digital signature when I communicate data over TLS?
I currently for a financial application use tls for communication and I want to use digital signature for integirity of request message.
Yes, as TLS encrypts sensitive data but doesn't guaarantee the authenticity or integrity of an app, website or message sender. A digital signature ensures that the message has not been altered and was sent by the expected sender.
There are various methods and technologies available for adding digital signatures to your messages, such as PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions).
I am reading all about E2EE and TLS but its mostly about the differences between them and not about if and how they should or should not be used together. So I was wondering if these two should be used together when developing a chat application using SocketIO or websockets. I have used TLS before when creating client-server communication with SocketIO so I know how this works but how does this integrate with end-to-end-encryption? Are you supposed to replace TLS with E2EE or should you send e2ee encrypted chatmessages over a TLS connection?
Does openssl have a "raw" (non-EVP) interface to do AES GCM encryption and decryption? I'm looking for something comparable to AES_cbc_encrypt() or DES_ede3_cbc_encrypt(), but for AES GCM. I found the openssl EVP interfaces for AES GCM but I can't find any information on any non-EVP interface.
I understand the EVP interface has many advantages for general purpose use, but I'm doing some tests where a non-EVP interface would be easier to use.
Once I was looking for it and I couldn't find any non-EVP implementation of it. According to the OpenSSL site 'the enc program does not support authenticated encryption modes like CCM and GCM'.
But it seems AES GCM only supported in TLS v1.2 (according to 'https://www.openssl.org/docs/manmaster/apps/ciphers.html').
I developed a secure SMS-exchange application that uses RSA (1024-bit) for session key exchange and Twofish (128bit) for SMS encryption. I used Bouncy Castle API. At this point, I need the application to be able to verify (other) users’ public key. I want this done by verification of users’ X. 509 digital certificate as in regular PKI. How do I go about generating an X.509 digital certificate that can be used on mobile phones (on the j2me application)?
I chose SSL for registration in my game client. The client communicates with the game server which stores a salted/hashed password.
If I use SSL to authenticate users on login, but the game does all of it's communication with UDP packets, how does the server know that the UDP packets it's receiving is from the authenticated user?
Potentially you can provide a token via SSL, and pass that token in your UDP packets. But this is useless without encryption: an attacker can intercept the UDP packet, grab the token and quickly do the attack using stolen token.
Another option would be to exchange symmetric keys via SSL and use those keys to encrypt UDP packets. But to do this properly you would have to also add MAC, an finally you will end up reinventing TLS :).
The best option is to employ DTLS - the flavor of TLS that works over UDP. All your communication will be authenticated and protected this way. Possibility to use DTLS depends on what language/platform you use and what external libraries (if any) you can invoke.