Geek Answers Handbook

Which encryption approach should I use?

I need a system for exchanging very sensitive data (source code, which is a trade secret). I will use Crypto ++, so I can use all encryption algorithms, although I really prefer to use the industry standard.

I am currently thinking of these methods:

  • The server generates 2048/4096-bit RSA keys, sends the public key to the client, the client encrypts the data and passes it to the server.
  • To exchange the AES-256 key, use a key exchange method such as Diffie-Hellman (Diffie-Hellman-Merkle to be correct).
  • Initiate a TLS connection and tell the server the AES key directly.

Which approach do you consider me to use? I am not worried about performance, if reasonable; safety is important. If none of them, please suggest another method.

PS: I could use a chain on a symmetric algorithm like AES-Twofish-Serpent.

EDIT: Any recommended software should be licensed that will not limit the use of its own resources. The LGPL is as restrictive as it should be. This excludes the GPL.

+4
source share
3 answers

I would recommend using an existing S / MIME (or CMS) implementation using a solid cryptographic module to encrypt your content.

The covered S / MIME data provides a good format for storing encrypted data at rest: the envelope records information about the algorithms and keys used so that information is available to authorized recipients later when necessary.

In addition, even if it does not support the “best” algorithms (for example, the ECDH key agreement), a good library is much less likely to have vulnerabilities than something written by a common programmer. Since it is much more likely that security will be violated by an implementation error than cryptanalysis, it makes sense to minimize these errors.

In legal protocols, public keys are signed by one of a small number of trusted issuers whose public keys are distributed using some out-of-band secure means. If you already have a secure means to get the public key to the sender of the message, why bother sending another? And if you do not, you are screwed.

TLS and S / MIME depend on the availability of a set of known CA certificates on each client. They are used to sign the server’s public key, so the client can detect attempts to replace the keys. The protocol cannot be downloaded independently; There should be a safe way to distribute "trusts" out of range.

Also note that RSA is incredibly slow compared to symmetric ciphers. Real protocols generate a “content encryption key” for a symmetric algorithm such as AES, and then use the RSA public key as the “encryption key” to encrypt the content encryption key for message recipients.

Thus, the main problem is to provide secure access to your public key. If you can do this, either option # 1 or # 2 is good, assuming you're just using this public key, rather than trying to send another in-band. In fact, in CMS , Option # 1 is called "key transport", and Option # 2 is called "key agreement."

In practice, the “server” can use a certificate issued by a CA that is already well known, or the client can compare the hash of the certificate with the one you tell him by phone, or cut rocks or something else in the face. Most importantly, all your security depends on the integrity of the certificate. You must protect it from fake.

While Crypto ++ is the “industry standard”, its security depends on how you use it. As Jerry told Kramer, "the door must be closed!" Using cryptographic primitives in Crypto ++ with a poorly designed protocol will not give you anywhere else. Therefore, I emphasize the use of CMS (higher level protocol) along with a good cryptographic module (cryptographic primitives).

+3
source

Do not develop your own key and / or key exchange protocol. This is what historically breaks most products, and if you are not a cryoscope (not a programmer with crypto experience), you are likely to make a mistake.

Use off-the-shelf protocols such as SSL / TLS. For instance. TLS, initialized with RSA keys for mutual authentication, and AES session keys sound so that you describe

Update

Bruce Schneier :

"A colleague once told me that the world is full of poor security systems developed by people who read Applied Cryptography."

erickson in his post already gave you a lot of evidence that developing your own key provisioning and key management protocol is wrong. I just want to find out why Mallory is alive and working well, thanks to overly self-confident developers:

You are designing the scheme that you offer when the client encrypts with the public key and sends the document back to you. Everything works fine, but after a year the certificate is nearing expiration. You send an email to your customers with a new certificate containing the public key that you want your users to sign document encryption for you. It is not known that in the last 4 months your ISP administrator has received a bribe to route all your IP traffic through a remote computer. Your email address is intercepted before distribution, and your attached certificate is replaced by another. All your clients now send their super secret documents insured for someone else's secret key. The application decrypts each of them, saves it, then encrypts it using the public key and redirects traffic to you. You don’t even know what is happening until it’s coincidental during a visit to a client’s site that you notice that the certificate that it uses is not the one that you distribute.

You mention in your post as an option for a chain of algorithms. No one is going to overload you. Your weakness will be key management, and the attack will take some form of social engineering to trick someone, use the wrong key or divulge the secret key (again, bribes go a long way). The industry-agreed protocols have measures to prevent man-in-the-middle attacks, they can rely on PKI infrastructure that recognizes the intended use of keys and trusted authorities, they add the steps of verifying the certificate revocation list to verification, etc. Etc. Just 'I am encrypting using a public key, you are decrypting using private', does not make it secret.

+11
source

What about ssh? (e.g. rsync on ssh)?

0
source

More articles:


All Articles