The following scenario: I have a client-server application; the communication is encrypted with AES and RSA (poor man's SSL). But that's not my problem. The client itself encrypts some text (also with AES); this text is sent to the server and stored in a database. So, here's the problem: the same client can receive this text and decrypt it. The key for this is stored in memory. But how can a second client decrypt this data? The second client doesn't have the key. These two clients will be logged in to the same account. But the key for decrypting the text is on the client side. How can the second client, with the same login profile, get the key from the first client?
You are attempting to send encrypted data through an already (presumably) secured channel. Why would you do that? If you need to keep that data encrypted in the database, then you should encrypt it at the server with AES using well-established keys and salts. – B0Andrew Jan 19 '15 at 12:59
Why should I encrypt data on the server? As a user, I will be sure that no one can read my data, not even the server. I think it is better if the client encrypts the data and then sends it to the server. The server should not be able to see the raw data. – Marcel Hoffmann Jan 19 '15 at 14:33
1 Answer
If two clients must be able to read the same encrypted data then they must share the key used for encryption.
Of course the server could store this key and automatically share it between clients (same account) after authentication but this means that the server will be able to decrypt data, rendering the extra encryption layer useless.
Conclusion: If you really need to use this method, the two clients must share the key using a different channel (e.g. phone).

B0Andrew
Okay, I think it is bad if the server has access to the keys. If the server is attacked, they will have access to all the encrypted data, because they have the keys. – Marcel Hoffmann Jan 19 '15 at 18:31
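
The out-of-band approach from the answer, as an added example that is not code from the original posts: it assumes the secret the two clients exchange over the separate channel is a passphrase, stretched with scrypt on each client, so the server only ever stores salt, IV, ciphertext and tag. The function names, the record layout and the sample values are assumptions made for this illustration.

```javascript
const crypto = require('node:crypto');

// Derive a 256-bit AES key from the secret shared out of band. The salt is not
// secret; it is stored with the record so any client holding the secret can
// re-derive the same key.
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32);
}

// First client: encrypt locally. The returned record is all the server stores.
function encryptForServer(secret, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Second client: fetch the record and decrypt locally. Throws if the secret is
// wrong or the stored record was modified (GCM tag check fails).
function decryptFromServer(secret, record) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(secret, b(record.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, b(record.iv));
  decipher.setAuthTag(b(record.tag));
  return Buffer.concat([decipher.update(b(record.ct)), decipher.final()]).toString('utf8');
}

// Same as decryptFromServer, but returns null instead of throwing.
function tryDecrypt(secret, record) {
  try { return decryptFromServer(secret, record); } catch { return null; }
}

// Constructed demo: a Map stands in for the server database.
const serverDb = new Map();
const sharedSecret = 'constructed passphrase agreed by phone';
serverDb.set('note-1', encryptForServer(sharedSecret, 'my private note'));
const stored = serverDb.get('note-1');
console.log('second client reads:', tryDecrypt(sharedSecret, stored));
console.log('without the secret:', tryDecrypt('server-side guess', stored));
```

The server-side record contains nothing that lets it derive the key, so a compromise of the database alone exposes only ciphertext; the strength of the scheme then rests on the passphrase and on how it was exchanged.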