
I have a server with a known public key: P. User u needs to send the server some data. Therefore, he sends (data) encrypted with P along with sha256(data) as the signature. A. is this secure? B. Is it an information leak transmitting the hash in plaintext? All types of attacks welcome. Note: man in the middle should be no better than man pretending to be.

As far as I see it, if the data is changed the attacker cannot recompute the correct hash of the new text. If new data is created to replace the given information then we have man pretending to be. If the hash is dropped or is incorrect then the server errors. Am I missing something? Should the hash be included in the encrypted information?

Thanks!

chacham15
  • Are you literally wanting to send a string of text from one server to another? – Martin Bean Oct 05 '11 at 16:52
  • 1
    What if the checksum is modified in a MITM attack? – Lekensteyn Oct 05 '11 at 16:53
  • @martin Not just text, any binary data. – chacham15 Oct 05 '11 at 16:54
  • @lekensteyn if it were modified then the server will see that the computed checksum doesn't match the given one – chacham15 Oct 05 '11 at 16:54
  • @chacham15 but since the "public key" is public, the data could then be faked as well. Note that it's not possible to derive the data from the checksum unless some mathematician has proved otherwise now. – Lekensteyn Oct 05 '11 at 16:57
  • @Lekensteyn yes, that is why I said that man in the middle is no better than man pretending to be. I.e. the best that he can do is replace everything. In my scheme, secret identifying information (like the password) is passed in the encrypted data, therefore, the man in the middle is nullified. – chacham15 Oct 05 '11 at 16:59
  • use a public and a private key, like ssh – Vlad Balmos Oct 05 '11 at 17:07

2 Answers


I have a server with a known public key: P. User u needs to send the server some data. Therefore, he sends (data) encrypted with P along with sha256(data) as the signature.

  • A. is this secure?
  • B. Is it an information leak transmitting the hash in plaintext? All types of attacks welcome.

Note: man in the middle should be no better than man pretending to be.

What you've built here is something like MAC and encrypt, except instead of a MAC it's just a hash function. That's not a good design.

Instead, use a dedicated sealing API (sodium_crypto_box_seal(), openssl_seal(), etc.) that abstracts the complexity away and exposes simply secure public-key encryption (using an AEAD mode).

If you want to separately send sodium_crypto_sign_detached($message, $signingKey) to the server, that's fine too.

Scott Arciszewski
  • There's nothing wrong with a hash based MAC. In fact it's an entire category of MAC called HMAC (https://en.wikipedia.org/wiki/Hash-based_message_authentication_code). The main point of the question is that MACs are supposed to provide both authenticity and integrity checks, but since I have a public key and I'm fine with not authenticating the sender, all I need is to make sure that the integrity is maintained. – chacham15 Jan 04 '18 at 16:28
  • `SHA256(data)` is not a MAC though. If you wanted HMAC, you should denote it as `HMAC-SHA256(data, key)`. – Scott Arciszewski Jan 05 '18 at 17:31
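The construction this answer recommends, written out as an added example against PHP's libsodium extension (this is not code from the answer or the question). It assumes the server already knows the user's signing public key out of band, and the sample data string is constructed for the demo.

```php
<?php
// Added example: sealed box (AEAD public-key encryption) plus a detached
// signature over the ciphertext. A plain sha256(data) sent beside the
// ciphertext, as in the question, gives no authenticity: any party can
// recompute a hash over data of their own choosing.

// Server: long-term encryption key pair. Only the public key is published (P).
$serverKp  = sodium_crypto_box_keypair();
$serverPub = sodium_crypto_box_publickey($serverKp);

// User: long-term signing key pair. The server must already know the user's
// signing public key through some trusted channel (assumed for this example).
$userSignKp  = sodium_crypto_sign_keypair();
$userSignPub = sodium_crypto_sign_publickey($userSignKp);
$userSignSec = sodium_crypto_sign_secretkey($userSignKp);

/** Client side: seal the data to the server, then sign the bytes actually sent. */
function clientSend(string $data, string $serverPub, string $signSec): array
{
    $ct  = sodium_crypto_box_seal($data, $serverPub);   // AEAD, anonymous sender
    $sig = sodium_crypto_sign_detached($ct, $signSec);  // authenticity of the ciphertext
    return [$ct, $sig];
}

/** Server side: verify the signature first, only then open the sealed box. */
function serverReceive(string $ct, string $sig, string $serverKp, string $signPub): ?string
{
    if (!sodium_crypto_sign_verify_detached($sig, $ct, $signPub)) {
        return null;                                     // reject before decrypting
    }
    $pt = sodium_crypto_box_seal_open($ct, $serverKp);   // false on AEAD tag failure
    return $pt === false ? null : $pt;
}

// Constructed sample payload; secrets like the password travel only inside the box.
[$ct, $sig] = clientSend('user=alice&password=hunter2', $serverPub, $userSignSec);
var_dump(serverReceive($ct, $sig, $serverKp, $userSignPub));

// A single flipped ciphertext byte fails signature verification; even with no
// signature at all, the sealed box's AEAD tag check would reject it on its own.
$tampered    = $ct;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
var_dump(serverReceive($tampered, $sig, $serverKp, $userSignPub));
```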

If it's for data transfer, check out PHP's Mcrypt extension. I used it in a project last year where a PHP-based social networking website needed to pass data securely to and from an external reporting system written in C#.

Martin Bean