
I have a simple C program which is more like an "Echo" server; for this I want to use encryption, with the following requirements:

  1. From the client side, after sending plain text to the server, the client will "encrypt this string" with a "predefined password" and keep it ready
  2. The server will receive the plain text, encrypt this string using the pre-defined password and send it back
  3. The client will receive the encrypted text, compare it with the encrypted text on its side, and if both match, no error, else show an error

I've been trying a lot of options, but here are the other requirements, which keep failing:

  1. No external lib dependencies
  2. Encrypted text should be printable and savable to a file (hex is fine too)
  3. This code is run very frequently (like a chat server), so it needs to be as fast as possible, yet not too easy to guess.

Can I please get some help on completing this code, with the encrypted text needing to be in plain ASCII (or hex)?

Following is a sample of my existing code:

ON CLIENT SIDE

char *randomAllowchar = "abcdefghijklmnopqrstuvwxyz";
char plainStrToServer[30];
int n, key;

// generating 20 char random string
for (n = 0; n < 20; n++) {
    key = rand() % 26;
    plainStrToServer[n] = randomAllowchar[key];
}
plainStrToServer[20] = '\0';   // terminate so strcmp()/send() see a proper C string

... other code to send this plainStrToServer to server side

// Receiving response from server
char server_reply[200];
ssize_t len = recv(sock, server_reply, sizeof(server_reply) - 1, 0);
if (len < 0) {
    ...   // handle the error and bail out
}
server_reply[len] = '\0';   // recv() does not null-terminate the data

// comparing if server response matched with sent string
if (strcmp(plainStrToServer, server_reply) != 0) {
    // Error
}

ON SERVER SIDE

char buffer[30];
ssize_t rc1;

while (1) {
    rc1 = read(fd, buffer, sizeof(buffer));
    if (rc1 <= 0) break;   // error or client closed the connection
    // write the received message back to the client, using the byte count
    // from read(): buffer is not null-terminated, so strlen() would overrun
    write(fd, buffer, rc1);
}
Rahul

  • See XTEA algorithm. It is very short. In addition it will be necessary to add CBC and Base64/uuencode to get text output. – i486 Oct 19 '16 at 12:43
  • Rule number one when doing encryption: Use a library. There are so many ways to do it wrong in ways you had never heard of; you will never get it really secure. Of course, this is not an issue if you only have low-level security. – Peter Schneider Oct 19 '16 at 12:46
  • Thank you for the reply. XTEA seems to be a good option, since it can be compiled independently. Any example of how to use this https://tls.mbed.org/api/xtea_8c_source.html in the current context of client/server will be helpful. I am still new to how to convert the encrypted response to hex and then send it back to the client (from the server). Thanks – Rahul Oct 20 '16 at 06:25
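Following the XTEA + CBC + text-encoding suggestion in the comments, here is an added example (not code from the question, the comments, or the mbed TLS source linked above) of what steps 1 to 3 look like in practice: both client and server run the same function over the 20-character challenge, producing XTEA-CBC ciphertext as a hex string, and the client compares the two hex strings. The key, IV and challenge string are constructed placeholders; a real build derives the 16 key bytes from the shared password with a key-derivation function rather than using the password bytes directly, and the comparison is constant-time so the check does not leak how many leading bytes of the response were right.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: XTEA (public 64-bit block cipher, 128-bit key, 32 rounds) in
 * CBC mode with hex output. Key, IV and challenge are constructed placeholders. */
#define XTEA_ROUNDS 32
#define XTEA_DELTA  0x9E3779B9u

/* Reference XTEA encryption of one 64-bit block held as two 32-bit words. */
static void xtea_encrypt_block(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < XTEA_ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Known-answer check: all-zero key and block must give DEE9D4D8 F7131ED9. */
static int xtea_selftest(void) {
    uint32_t v[2] = { 0, 0 };
    const uint32_t k[4] = { 0, 0, 0, 0 };
    xtea_encrypt_block(v, k);
    return v[0] == 0xDEE9D4D8u && v[1] == 0xF7131ED9u;
}

/* Big-endian byte <-> word helpers so client and server agree on every host. */
static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void store_be32(uint8_t *p, uint32_t x) {
    p[0] = (uint8_t)(x >> 24); p[1] = (uint8_t)(x >> 16);
    p[2] = (uint8_t)(x >> 8);  p[3] = (uint8_t)x;
}

/* CBC-encrypt `len` bytes with PKCS#7 padding (1..8 pad bytes, so the output is
 * always whole blocks). Returns the ciphertext length, or -1 if `out` is too small. */
static int xtea_cbc_encrypt(const uint8_t key_bytes[16], const uint8_t iv[8],
                            const uint8_t *in, size_t len, uint8_t *out, size_t out_cap) {
    size_t padded = (len / 8 + 1) * 8;
    if (out_cap < padded) return -1;
    uint32_t key[4];
    for (int i = 0; i < 4; i++) key[i] = load_be32(key_bytes + 4 * i);
    uint8_t prev[8];
    memcpy(prev, iv, 8);
    for (size_t off = 0; off < padded; off += 8) {
        uint8_t block[8];
        for (int i = 0; i < 8; i++) {
            size_t idx = off + i;
            uint8_t b = idx < len ? in[idx] : (uint8_t)(padded - len);
            block[i] = b ^ prev[i];            /* CBC chaining with previous ciphertext */
        }
        uint32_t v[2] = { load_be32(block), load_be32(block + 4) };
        xtea_encrypt_block(v, key);
        store_be32(out + off, v[0]);
        store_be32(out + off + 4, v[1]);
        memcpy(prev, out + off, 8);
    }
    return (int)padded;
}

/* Hex-encode so the ciphertext is printable and file-safe; out needs 2*len+1 bytes. */
static void to_hex(const uint8_t *in, size_t len, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
}

/* Compare in time that does not depend on where the two strings first differ. */
static int hex_equal_ct(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;
    unsigned diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* Both sides run exactly this over the challenge; returns ciphertext length or -1. */
static int encrypt_to_hex(const uint8_t key[16], const uint8_t iv[8],
                          const char *plain, char *hex_out, size_t hex_cap) {
    uint8_t ct[64];
    int n = xtea_cbc_encrypt(key, iv, (const uint8_t *)plain, strlen(plain), ct, sizeof ct);
    if (n < 0 || hex_cap < (size_t)(2 * n + 1)) return -1;
    to_hex(ct, (size_t)n, hex_out);
    return n;
}

/* Constructed placeholders; derive a real key from the password with a KDF. */
static const uint8_t DEMO_KEY[16] = "shared-password!";
static const uint8_t DEMO_IV[8]   = { 0, 1, 2, 3, 4, 5, 6, 7 };
static const char DEMO_CHALLENGE[] = "abcdefghijklmnopqrst";   /* stands in for the 20 random chars */

/* Returns 1 when the client's and the server's hex results agree, else 0. */
static int demo_challenge_matches(void) {
    char client_hex[128], server_hex[128];
    if (encrypt_to_hex(DEMO_KEY, DEMO_IV, DEMO_CHALLENGE, client_hex, sizeof client_hex) < 0) return 0;
    if (encrypt_to_hex(DEMO_KEY, DEMO_IV, DEMO_CHALLENGE, server_hex, sizeof server_hex) < 0) return 0;
    return hex_equal_ct(client_hex, server_hex);
}

int main(void) {
    char hex[128];
    int n = encrypt_to_hex(DEMO_KEY, DEMO_IV, DEMO_CHALLENGE, hex, sizeof hex);
    printf("selftest=%d challenge=%s ciphertext(%d bytes)=%s match=%d\n",
           xtea_selftest(), DEMO_CHALLENGE, n, hex, demo_challenge_matches());
    return 0;
}
```

Because the scheme needs both sides to produce identical output, the key and IV are fixed and the ciphertext of a given challenge is deterministic; all the freshness in the protocol comes from the random challenge, so it should come from a better source than `rand()`. The 20-byte challenge pads to 24 bytes (three blocks), giving 48 hex characters, which fits the existing 200-byte receive buffer. The known-answer check on the all-zero key and block catches a transcription error in the round function, which is the most common way a hand-copied cipher goes wrong.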

1 Answer


If you can at all relax the "no external dependencies" requirement, you should use libsodium. I described how to do this at some length here: Simply encrypt a string in C. For a chat program, you probably want option 3 (Public Key Encryption).

The reason here is: You cannot reasonably expect to implement any of the currently strong encryption algorithms yourself in a way that is safe. Libsodium is a relatively small dependency which safely implements high level abstractions over algorithms that are currently considered fast and secure.

Anything you do short of actual encryption algorithms is just obfuscation and is easily readable even for low-budget attackers. A shift (or Caesar) cipher, for example, leaks information about patterns in the plain text. This is especially bad if your plain text is language: with just a few (maybe 100) words being sent and "encrypted", an attacker who can sniff the traffic will be able to decrypt all past and future communication by guessing the correct key.

sonOfRa
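To make the last paragraph of the answer concrete, here is an added example in C (not from the answer): it shifts a constructed sentence with a Caesar cipher, checks that the ciphertext letter histogram is exactly the plaintext histogram rotated by the key, and recovers the shift from the single most frequent ciphertext letter under the stated assumption that the most common plaintext letter is 'e'. The sample sentence and shift are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example: a Caesar shift preserves letter frequencies, so the ciphertext
 * histogram is just the plaintext histogram rotated by the key. */

/* Shift letters by `shift` positions; non-letters pass through unchanged. */
static void caesar(const char *in, int shift, char *out) {
    size_t i;
    for (i = 0; in[i]; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isalpha(c)) {
            unsigned char base = isupper(c) ? 'A' : 'a';
            out[i] = (char)(base + (c - base + shift) % 26);
        } else {
            out[i] = (char)c;
        }
    }
    out[i] = '\0';
}

/* Count letters a..z (case-insensitive) into hist[26]. */
static void letter_histogram(const char *s, int hist[26]) {
    memset(hist, 0, 26 * sizeof hist[0]);
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalpha(c)) hist[tolower(c) - 'a']++;
    }
}

/* 1 if ct_hist is pt_hist rotated by `shift` positions, else 0. */
static int histogram_is_rotation(const int pt_hist[26], const int ct_hist[26], int shift) {
    for (int i = 0; i < 26; i++)
        if (ct_hist[(i + shift) % 26] != pt_hist[i]) return 0;
    return 1;
}

/* Recover the shift assuming the most common plaintext letter is 'e'. */
static int guess_shift(const char *ct) {
    int hist[26];
    letter_histogram(ct, hist);
    int best = 0;
    for (int i = 1; i < 26; i++) if (hist[i] > hist[best]) best = i;
    return ((best - ('e' - 'a')) % 26 + 26) % 26;
}

/* Constructed sample: 'e' is by far the most frequent letter. */
static const char SAMPLE[] = "meet me near the green tree when the weekend ends";
static const int SAMPLE_SHIFT = 3;

/* Returns 1 if the ciphertext histogram is the plaintext histogram rotated by the key. */
static int demo_histogram_rotation(void) {
    char ct[sizeof SAMPLE];
    int pt_hist[26], ct_hist[26];
    caesar(SAMPLE, SAMPLE_SHIFT, ct);
    letter_histogram(SAMPLE, pt_hist);
    letter_histogram(ct, ct_hist);
    return histogram_is_rotation(pt_hist, ct_hist, SAMPLE_SHIFT);
}

/* Returns the shift recovered from the ciphertext alone. */
static int demo_recovered_shift(void) {
    char ct[sizeof SAMPLE];
    caesar(SAMPLE, SAMPLE_SHIFT, ct);
    return guess_shift(ct);
}

int main(void) {
    char ct[sizeof SAMPLE];
    caesar(SAMPLE, SAMPLE_SHIFT, ct);
    printf("plain : %s\ncipher: %s\nhistogram is rotation: %d\nrecovered shift: %d\n",
           SAMPLE, ct, demo_histogram_rotation(), demo_recovered_shift());
    return 0;
}
```

The histogram check is the whole point: the shift changes which symbol carries each count but not the counts themselves, which is the "pattern in the plain text" the answer refers to. A real block cipher in a chaining mode, or an authenticated construction from a library such as libsodium, does not have this property.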