
I would like to encrypt the bytes coming back and forth on my socket by hand. In other words, I want to do the encrypting and decrypting myself in the client and the server. What is the procedure to exchange pub/priv keys in a secure way? I pretty much want to do what HTTPS does at the browser level, at the socket level, but I would like to do it myself instead of using an SSLSocket that already does that for me. I would like to understand and learn instead of taking it for granted in a high-level SSLSocket class.

Thanks!


Wow! From the comments here it is probably better to do an SSH tunnel and forget about it, right?

JohnPristine
  • This is very hard and cannot be explained in a few sentences. Just look at RFC 2246 and its successors to understand this fact. – President James K. Polk Dec 19 '13 at 21:56
  • If you want to understand the key points, try to implement RSA. There is more you need for a full secure encryption layer, but RSA describes one possibility of secure key exchange via insecure channels. – Daniel Dec 19 '13 at 21:57
  • There is a class for that: [`SSLEngine`](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/samples/sslengine/SSLEngineSimpleDemo.java). It's completely independent of how you send / receive data and it does full SSL. Key exchange: [Diffie-Hellman](http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) – zapl Dec 19 '13 at 21:58
  • Is it important for you to implement SSL, and/or for your implementation to actually be secure, or are you looking for a learning exercise? – nexus_2006 Dec 19 '13 at 21:59
  • You don't exchange private keys; only public ones. This is the very definition of a public key cryptography system. – Elliott Frisch Dec 19 '13 at 22:01
  • Also, AES is a shared key cipher. – Elliott Frisch Dec 19 '13 at 22:03
  • Forget it. You are asking how to implement SSL. This is a major project and the fact that you have to ask how indicates that you aren't equipped to do it. In any case the question is far too broad to be answered here. – user207421 Dec 19 '13 at 22:14
  • It's not that hard to do private key encryption/decryption -- most platforms have the facilities built in (though you usually have to do some "arbitration" re the "salt", block size, etc). But negotiating a public/private key is an order of magnitude more complicated. – Hot Licks Dec 19 '13 at 22:55
  • It's not that difficult using the built-in Java crypto libraries, actually. There are functions you can use to create public/private and symmetric keys and encrypt/decrypt with them. – Chad Okere Dec 19 '13 at 23:58
  • @ChadOkere It all depends what 'it' is. It seems to be a moving target. – user207421 Dec 20 '13 at 00:07

1 Answer


Holy s**t! You want to implement Diffie-Hellman Key Exchange? That's going to take some time. Basically, you will be using synchronous key encryption, not public-private key. Using mathematics, you can exchange a secret key over an unsecured connection. Then, once you have that secret key exchanged, you can use it to encrypt your data.

If you want to use public key cryptography, then you don't actually exchange keys. Both the server and client have a public and private key (4 keys total). You are free to broadcast the public keys, but the private key stays private. That will also take some time.

What you are trying to do will take about a week, with 2-3 class files minimum. It will likely have errors and not be cryptographically secure, FYI. Cryptography is hard.

Also see Determining a Private Key (Diffie-Hellman)

Chloe
  • I think I am being dumb. All I have to do is give a public key to whoever wants to talk to my server. Then they can use standard and easy Cipher Java stuff to encrypt, and I would decrypt on my end with my private key. Piece of cake, or am I forgetting something? :) (BouncyCastle was very easy to use last time I tried) – JohnPristine Dec 19 '13 at 23:20
  • It sounded like you wanted to implement it yourself without using libraries, possibly as a learning experience. But yes, if you use libraries, then it is much easier. Here is an example using a library: http://www.example-code.com/java/rsa_encryptStrings.asp – Chloe Dec 19 '13 at 23:34
  • Here is another Java example: http://stackoverflow.com/questions/5359259/java-public-private-key-decryption-issue – Chloe Dec 19 '13 at 23:36
  • @JohnPristine Make up your mind. You said in your question you wanted to do what HTTPS does, i.e. what SSL does. It doesn't just do public-key cryptography as you now say you want to do. Not by a country mile. – user207421 Dec 19 '13 at 23:42
  • How does it take a week to write 2-3 class files? – Chad Okere Dec 19 '13 at 23:55
  • @ChadOkere It doesn't, but if you don't want bugs, it will take a bit longer. Turns out, writing your own SSL might not be such a crazy idea, seeing as how OpenSSL has so many bugs like Heartbleed. – Chloe Jun 17 '14 at 19:59
  • I'm sure OpenSSL has a lot more than 2-3 classes. Java has a built-in crypto library that you could use to write something like this in 10-15 lines of code. And if you don't want to use it, all you have to do is look up the algorithm and type in the code. It would be hard to come up with a reliable cipher yourself, but just implementing code out of a textbook isn't that dangerous. (Obviously you wouldn't want to actually use it for anything important) – Chad Okere Jun 30 '14 at 02:55
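
The key exchange the answer describes, as an added example that is not part of the original thread: both ends generate an ephemeral key pair, swap only the public halves, and derive the same AES key, here with the JDK's elliptic-curve Diffie-Hellman and AES-GCM. The class name `EcdhDemo` is hypothetical and both parties run in one process. The exchange is unauthenticated, so a machine in the middle could substitute its own public keys; closing that gap is what the certificates and signatures in SSL/TLS are for.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class EcdhDemo { // hypothetical class name, not from the thread
    // Combine our private key with the peer's encoded public key into an AES-128 key.
    static SecretKeySpec deriveKey(PrivateKey mine, byte[] peerPublic) throws GeneralSecurityException {
        PublicKey peer = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(peerPublic));
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine);
        ka.doPhase(peer, true);
        // Simplification: a real protocol runs a KDF (e.g. HKDF) over the secret plus handshake data.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
        return new SecretKeySpec(Arrays.copyOf(digest, 16), "AES");
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256); // NIST P-256
        KeyPair client = kpg.generateKeyPair(); // fresh pair per connection
        KeyPair server = kpg.generateKeyPair();

        // Only these encoded public keys would cross the socket; private keys never leave.
        byte[] clientPub = client.getPublic().getEncoded();
        byte[] serverPub = server.getPublic().getEncoded();

        SecretKeySpec clientKey = deriveKey(client.getPrivate(), serverPub);
        SecretKeySpec serverKey = deriveKey(server.getPrivate(), clientPub);
        if (!Arrays.equals(clientKey.getEncoded(), serverKey.getEncoded()))
            throw new IllegalStateException("derived keys differ");

        // Client side: the 12-byte nonce must be unique per message and is sent with the ciphertext.
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, clientKey, new GCMParameterSpec(128, nonce));
        byte[] ct = enc.doFinal("hello over the socket".getBytes(StandardCharsets.UTF_8));

        // Server side: doFinal throws AEADBadTagException if the ciphertext was modified in transit.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(128, nonce));
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```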