Geek Answers Handbook

How secure / possible to use RSA encryption in this case?

Not so long ago I discovered RSA Encryption / Decryption, and I have little experience. I am currently developing a C # application that should send some confidential information to my server. Can I encrypt this information locally in a C # program, send it to the server and decrypt it (using a PHP script)? Is this enough so that no one can see the source information except the server and client?

EDIT: the client (C # application) should not decrypt any information, so the private key will only be stored on the remote web server (of course, on the server side).

+4
source share
8 answers

Possible? Yes. Cunning? Very yes. Using RSA directly is not easy; you need to be careful to use padding correctly, sign data, to avoid data manipulation attacks, etc. etc.

I would recommend that you simply use an SSL-hard-code acceptable certificate in your client and make sure that the certificate of the server you are connecting to. Then the SSL library will take care of all the complex details for you. You might also consider calling GnuPG or using some other similar library if you are doing some kind of batch transfer.

+5
source

Assuming you have a long key (say 2048 bytes) that has not been compromised, then it should do it.

Of course, if someone is sufficiently determined and has sufficient computing power and time, they can try and rudely force the message (maybe they are lucky at an early stage, but it is unlikely).

+2
source

Yes, itโ€™s safe if you donโ€™t accidentally send private keys :) I did it and no one was able to decrypt it, at least not within a reasonable time :)

+2
source

I am currently developing a C # application that should send some confidential information to my server.

This is exactly what SSL was built. Are you reinventing it?

Can I encrypt this information locally in a C # program, send it to the server and decrypt it (using a PHP script)?

Of course itโ€™s possible, but what public key are you using? Do you embed it in your application or pull it from the server? The first approach is vulnerable, and later exactly what SSL does is returned.

Is this enough so that no one can see the source information except the server and client?

Of course, this is the whole point of transport layer security that protects information along the way. Just use the technologies that already exist to solve this problem :)

+2
source

It depends on how securely you expect your customer to be. If the key that you use to encrypt data is widely distributed in the application, it may fall into the hands of someone who can use this key to determine the encryption, and then your message will not be safe. However, if your application extends to a selected set of consumers who, as you know, will not allow an attacker to get a key, then you can be sure that your key will be safe.

The first obvious vulnerability here is a public key. RSA is generally a good protocol, assuming you are using a long key. However, if your key is open, as I said above, all bets are disabled.

+1
source

It is almost never recommended to use cryptography libraries directly, because there are many complex random situations that you are likely to miss, which then become security holes. Instead, you should try to use existing technology at the highest level. For example, if your client connects to the server using TCP, you can easily replace it with TLS, which more or less automatically performs encryption and decryption. If it connects via HTTP, you can use HTTPS. If you are unsure of the best technology to use, try telling us a little more about how your client and server communicate.

+1
source

The apparent vulnerability will depend on how you distribute the application. If it spreads openly, it can be open to humans in a medium attack. It will work something like this: an attacker will write a simulation that seems to work like yours but uses its own key to send data to its server. Then their server decrypts the data, re-encrypts it with your key and sends it to your server. Any response is handled similarly.

For the end customer, the only difference that is likely to be visible may be a bit more time to get answers - but if you leave the machine in an easy load otherwise, there will be a very good chance that they will never recognize / notice.

+1
source

You looked at XML-RPC (via https or some other ssl flavor) - this will also eliminate the need to write an analyzer for your server, since almost every programming language has some kind of client / server RCP package. It is usually best to use the established secure communication protocol. Vanilla encryption is useful for protecting data in local space (for example, encrypting a hard disk or file), but as soon as you start receiving and sending, there are a number of vulnerabilities in regular RSA. (A man in medium attacks, fake, etc.)

Also, to expand your crypto fu, find the Diffe-Helman exchange key and the cryptography of the curves of the elliptic curve

+1
source

More articles:


All Articles