0

I have a tcp server and using cms/pkcs#7 to secure the message passed between the client and server. Would it be normal practice to pass the clients public key to the server, as part of initial session? As its the public key, when the session starts up, the initial clp command, would pass the key, along with other salient details that the server needs to know about the client. It's the public, so it doesn't need to be encrypted, it public.

The client/server communication is secured with ssl/tls.

Thanks. Bob.

scope_creep
  • 4,213
  • 11
  • 35
  • 64

1 Answers1

1

Don't you trust SSL/TLS or why do you encrypt again within the secure channel? That only makes sense if the server will pass the message on to other nodes and it will be decrypted somewhere else, thereby creating end-to-end security.

In any case, you should not have the client pass just the public key to the server. Instead it should pass a certificate to the server, which should authenticate the client based on a signature made with the private key matching the public key contained in the certificate. Also, the server will need to check the certificate itself (is it from a trusted CA, do the signatures in the chain verify, etc.).

If you can, you should do all this on the SSL/TLS layer by using SSL/TLS mutual authentication (client cert authentication). If you cannot, then make sure you design a secure application layer protocol for authenticating the client and it's public key. Otherwise it may be possible to impersonate other clients.

Daniel Roethlisberger
  • 6,958
  • 2
  • 41
  • 59
  • Sounds finally like real world advice. I do trust ssl/tls. How would you pass the certificate to the server? – scope_creep Apr 20 '12 at 14:37
  • That depends on the API you are using for terminating SSL. Not sure what your options are with .NET, but I think this Microsoft KB article may help you get started: http://support.microsoft.com/kb/895971 – Daniel Roethlisberger Apr 20 '12 at 14:43