[JDEV] Encryption
Max Horn
max at quendi.de
Wed Aug 16 15:12:39 CDT 2000
At 12:06 -0700 16.08.2000, Paul Goh wrote:
>I need to implement a simple encryption scheme on Jabber to ensure a secure
>communication channel, and I thought up a very simple scheme. I will try my
>best to explain it, please comment on the loopholes or disadvantages.
>
>Scenario:
>1. Client requests to connect to the server.
>
>2. Jabber server generates a key pair (Ksp - server public key and Ksr -
>server private key) and sends the public key Ksp to the client.
>
>3. Client generates a key pair (Kcp - client public key and Kcr - client
>private key), encrypts the message (which contains the client's public key
>Kcp) with the server's public key Ksp (EKsp(Msg)), and sends the ciphertext
>back to the server. By this step, a secure channel is established, with the
>client and server holding each other's public key.
>
>4. Since different key pairs are generated by the client and the server for
>each single session, the security level is pretty high.
>
>5. The client can then be authenticated with user name and password, which
>is sent through secure key encrypted channels.
>
>Please comment.
Well, this is essentially what SSL does. Only that SSL is a standard,
supports multiple key/encryption algorithms etc.
Just use SSL. It fulfills everything you ask for above. Plus it
offers more, like server certificates (to help prevent
man-in-the-middle attacks), but you don't have to use that.
For an excellent free SSL implementation, go to http://www.openssl.org
(I use OpenSSL, too)
HTH,
Max
--
-----------------------------------------------------------
Max "The Black Fingolfin" Horn
<mailto:max at quendi.de>
<http://www.quendi.de> - please use my guestbook!
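Max's remark about server certificates, as an added example that is not part of the original thread: a Python model of the per-session exchange Paul sketches, with the key agreement done as a toy Diffie-Hellman (a substitution for the RSA-style encryption in the post, since the property at issue is the same) and a pinned key fingerprint standing in for what a server certificate provides. The group parameters, function names and the pinning check are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy group for the demo only: P is prime (2^127 - 1) but not a safe prime,
# and G was picked arbitrarily; never use these values for real traffic.
P = (1 << 127) - 1
G = 5


def keypair():
    """Fresh ephemeral key pair per session, as in steps 2 and 3 of the post."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Stable identifier of a public key; a certificate binds this to a server name."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()


def shared_key(my_priv, their_pub):
    """Session key both ends derive from their own private and the other's public key."""
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def client_handshake(server_pub, pinned_fp=None):
    """Client side of step 3.

    With pinned_fp=None this is the post's scheme: whatever public key arrives
    is trusted. With a pinned fingerprint (the role a server certificate plays
    in SSL) the client refuses to continue when the key does not match.
    Returns (client_pub, session_key), or None when the server key is rejected.
    """
    if pinned_fp is not None and fingerprint(server_pub) != pinned_fp:
        return None
    c_priv, c_pub = keypair()
    return c_pub, shared_key(c_priv, server_pub)


def server_finish(server_priv, client_pub):
    """Server side after receiving the client's public key."""
    return shared_key(server_priv, client_pub)


if __name__ == "__main__":
    s_priv, s_pub = keypair()
    c_pub, c_key = client_handshake(s_pub, pinned_fp=fingerprint(s_pub))
    print("keys match:", server_finish(s_priv, c_pub) == c_key)
```

Under the post's scheme any freshly generated key is accepted by the client, which is exactly the gap that server certificates close; the pinned check shows the minimum the client must do with the server key before deriving a session key from it.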