Symmetric encryption (AES). Symmetric keys distributed using public key encryption (RSA).
GOAL: Use symmetric cryptography (AES) for client-server communication.
PROBLEM: Distribute symmetric key (AES) in a secure way.
SOLUTION: Distribute symmetric keys (AES) using asymmetric cryptography (RSA).
CLIENT
1. Client requests connection with server (e.g. TCP handshake).
SERVER
2. Server sends public key to client (asymmetric).
CLIENT
3. Client generates AES key, IV and MAC-key (for symmetric encryption).
4. Client encrypts AES key and MAC-key using server’s public key (asymmetric encryption).
5. Client encrypts initial output message (payload) using AES-key and IV (symmetric encryption).
6. Client generates MAC of the payload.
7. Client sends first message to server: AES-key, MAC-key, IV, MAC, message.
____________________________________________________________________| | || Shared secrets for | Payload: || Symmetric cryptography | Initial message ||_________________________|__________________________________________|| | | | | || AES-key | MAC-key | IV | MAC | Message || 128 bit | 128 bit | 128 bit | 128 bit | Variable size ||____________|____________|____________|____________|________________|| | | || Encrypted: | Plaintext | Encrypted: || Asymmetric (RSA) | | Symmetric (AES) ||_________________________|____________|_____________________________|[7] Initial message sent from client to server
SERVER
8. Server decrypts AES-key and MAC-key with Server’s private key (asymmetric decryption).
9. Server assigns the symmetric key variables (AES-key, MAC-key, IV).
10. Server decrypts the payload using the symmetric key variables (symmetric decryption).
11. Server verifies MAC.
ENCRYPTED CHANNEL ESTABLISHED (symmetric keys distributed)
12. The continuous communication between client and server will use symmetric cryptography (AES).
____________________________________________| | | || IV | MAC | Message || 128 bit | 128 bit | Variable size ||____________|____________|__________________|| | || Plaintext | Encrypted: Symmetric (AES) ||____________|_______________________________|[12] Encrypted messages after symmetric keys has been distributed(For CBC: IV can securely be sent in plaintext)
Chronological operations in relation to above notations.
[1-2] SERVER
Preconditions:
ServerCryptography.//Write to client: byte[] publicKey
**[3-7] CLIENT**```java//Read from server: byte[] publicKeyclientCryptography.setServersPublicKey(publicKey);clientCryptography.generateSymmetricKeys();byte[] encryptedMsg = clientCryptography.createInitialMsg("Hello World!");//Write to server: byte[] encryptedMsg
[8-11] SERVER
//Read from client: byte[] encryptedMsgString intialMsg = serverCryptography.processInitialMsg(encryptedMsg);
[12] Symmetric cryptography
AES encrypted traffic may now flow asynchronous in full-duplex, using the following methods:
SERVER// Read from client: byte[] encryptedInput;String decrytpedInput = serverCryptography.symmetricDecryption(encryptedInput);byte[] encryptedOutput = serverCryptography.symmetricEncryption("My message");// Write to client: byte[] encryptedOutput[...]CLIENT// Read from server: byte[] encryptedInput;String decrytpedInput = clientCryptography.symmetricDecryption(encryptedInput);byte[] encryptedOutput = clientCryptography.symmetricEncryption("My message");// Write to server: byte[] encryptedOutput[...]