Need advice on possible encryption and authentication method

Postby GearsGod » Mon Aug 29, 2016 6:14 pm

I just need some advice on a possible method I would implement to protect traffic.

from server:
current packet number + data makes up the packet
it then encrypts it using the user hash and current date and time down to the second and sends it

to client:
it receives the packet, it then uses the user hash and current date and time down to the second to unencrypt it.
it then checks the packet number against the packet number it expects, once passed it then processes the data.
->any packets sent with the same packet number after accepting the first one are dropped.

to go back the other way just swap the server client names up there ^

So what are the possible weaknesses to this way of sending secure traffic, assuming they never caught the registration data.
GearsGod
 
Posts: 7
Joined: Tue Mar 01, 2016 2:30 am

Re: Need advice on possible encryption and authentication me

Postby Ofnuts » Mon Aug 29, 2016 8:01 pm

"it then encrypts it using the user hash": encrypts how? And what is the user hash?

If one end can find the current date-time necessary to decrypt what is sent by the other, then some snooper can, too.

What good does the out-of-order packet dropping do? How do you recover from missing packets?

Why so much trouble when you can use the field-proven SSL?
This forum has been moved to http://python-forum.io/. See you there.
Ofnuts
 
Posts: 2659
Joined: Thu May 14, 2015 9:46 am
Location: Paris, France, EU, Earth, Solar system, Milky Way, Local Cluster, Universe #32987440940987

Re: Need advice on possible encryption and authentication me

Postby GearsGod » Tue Aug 30, 2016 4:06 pm

Ofnuts wrote:"it then encrypts it using the user hash": encrypts how? And what is the user hash?

when the user had signed up, a user-specific hash was created only known by the server and user programs, encrypts it using the normal AES256.

Ofnuts wrote:If one end can find the current date-time necessary to decrypt what is sent by the other, then some snooper can, too.

just because they have the date-time means nothing without the secret hash also used to encrypt (key=user's hash / salt=current date and time)

Ofnuts wrote:What good does the out-of-order packet dropping? How do you recover from missing packets?

it ensures that replay attacks are useless, so capturing a packet and then resending it won't do any good, and it does not recover, if it detects too many out-of-order packets it drops the current login and requires a new one.

Ofnuts wrote:Why so much trouble when you can use the field-proven SSL?

I could, but true legit SSL costs money, and I know it sounds bad but I am cheap as junk and I also wish to maybe one day provide an alternative to secure traffic.

A better question is why not go through the trouble of trying something new?
Nothing now standard was programmed easily.
GearsGod
 
Posts: 7
Joined: Tue Mar 01, 2016 2:30 am

Re: Need advice on possible encryption and authentication me

Postby Ofnuts » Tue Aug 30, 2016 8:21 pm

GearsGod wrote:when the user had signed up, a user-specific hash was created only known by the server and user programs

Created how, and how do you know only the server and the user know it? If it is transferred, then it is done outside of your crypto system, so either it's in the clear, or you are using another crypto system. Or it is re-computed by one of the parties but then a 3rd party could do the same computation.

GearsGod wrote:just because they have the date-time means nothing without the secret hash also used to encrypt (key=user's hash / salt=current date and time)

The purpose of a salt is to prevent decoding because part of the contents are known (or contents are so short that you could build all the possible hashes). But it is not used to decode. It is part of the decoded output and then discarded. For instance if you want to keep 4-digit PINs in a DB you can't just encrypt them, because you would have only 10000 possible outputs, so sooner or later specific PINs could be identified. So you "salt" the PIN with a random string and then suddenly the output of your encryptions is millions of millions of possible values. When decoding you get PIN+salt and just discard the salt. But this works because no one knows what the salt is.

GearsGod wrote:it ensures that replay attacks are useless, so capturing a packet and then resending it won't do any good

But what if I capture the first packet and prevent it from going through? Then I can replay later packets the server hasn't seen. That's what they did to defeat remote car locks with rolling code.

GearsGod wrote:I could, but true legit SSL costs money

Uh? OpenSSL is about as legit as anything and is free. Of course they found holes in it, but that doesn't mean commercial implementations are any better.

GearsGod wrote:and I know it sounds bad but I am cheap as junk and I also wish to maybe one day provide an alternative to secure traffic.

A better question is why not go through the trouble of trying something new?
Nothing now standard was programmed easily.

But then why ask here? There are mailing lists for cryptography mavens. Asking this non-crypto forum for advice doesn't bode well, it just shows that you don't know what you are up against.
Ofnuts
 
Posts: 2659
Joined: Thu May 14, 2015 9:46 am
Location: Paris, France, EU, Earth, Solar system, Milky Way, Local Cluster, Universe #32987440940987
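
The replay case raised in the post above (a packet captured, held back and delivered later), as an added example that is not part of the original posts: the packet number and send time travel in the clear but are covered by an HMAC, and the receiver checks the tag, a freshness window and the expected number. The names `seal`, `Receiver` and `MAX_SKEW`, the 5-second window and the demo key are assumptions; the sketch covers authentication and replay checks only, not encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 tag size in bytes
MAX_SKEW = 5   # assumed policy: seconds a packet may be late

def seal(key: bytes, seq: int, sent_at: int, data: bytes) -> bytes:
    """Return header(seq, send time) || data || HMAC over both."""
    header = struct.pack(">QQ", seq, sent_at)
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    return header + data + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, packet: bytes, now: int):
        """Return (data, 'ok') or (None, reason for rejection)."""
        if len(packet) < 16 + TAG_LEN:
            return None, "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):    # constant-time compare
            return None, "bad tag"
        seq, sent_at = struct.unpack(">QQ", body[:16])
        if abs(now - sent_at) > MAX_SKEW:         # held-back packets fail here
            return None, "stale"
        if seq != self.expected_seq:              # duplicates fail here
            return None, "unexpected sequence"
        self.expected_seq += 1
        return body[16:], "ok"

def demo():
    key = hashlib.sha256(b"constructed demo secret").digest()
    rx, t0 = Receiver(key), 1_472_500_000         # constructed timestamp
    held = seal(key, 0, t0, b"unlock")            # intercepted, never delivered
    fresh = seal(key, 0, t0 + 60, b"unlock")      # sender's later retry
    tampered = bytearray(seal(key, 1, t0 + 62, b"lock"))
    tampered[16] ^= 1                             # flip one bit of the data
    return [
        rx.accept(held, t0 + 60)[1],              # delivered 60 s late
        rx.accept(fresh, t0 + 61)[1],
        rx.accept(fresh, t0 + 62)[1],             # straight replay
        rx.accept(bytes(tampered), t0 + 62)[1],
    ]

if __name__ == "__main__":
    print(demo())
```
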

Re: Need advice on possible encryption and authentication me

Postby GearsGod » Mon Sep 05, 2016 9:41 pm

You're quite right, I have found a new correspondent to help me, he says I have a good start but there are a few problems we have to work around.
Thank you for responding, I know I am inexperienced but I want to learn more.
GearsGod
 
Posts: 7
Joined: Tue Mar 01, 2016 2:30 am

Re: Need advice on possible encryption and authentication me

Postby wavic » Sun Sep 11, 2016 12:23 am

Why are you trying to invent the wheel?
There are two major ways to encrypt the traffic - asynchronous and synchronous. Pick one and just use it.

Oops! I mean asymmetric and symmetric encryption.
Last edited by wavic on Sun Sep 11, 2016 1:38 pm, edited 1 time in total.
wavic
 
Posts: 165
Joined: Wed May 25, 2016 8:51 pm

Re: Need advice on possible encryption and authentication me

Postby Ofnuts » Sun Sep 11, 2016 12:36 pm

wavic wrote:Why are you trying to invent the wheel?
There are two major ways to encrypt the traffic - asynchronous and synchronous. Pick one and just use it.


You misspelt /(a)symmetric/, didn't you?
Ofnuts
 
Posts: 2659
Joined: Thu May 14, 2015 9:46 am
Location: Paris, France, EU, Earth, Solar system, Milky Way, Local Cluster, Universe #32987440940987

Re: Need advice on possible encryption and authentication me

Postby wavic » Sun Sep 11, 2016 1:36 pm

You're so right :lol:
I can't believe :oops:
I was probably thinking about something else. Thanks! It's not misspelled but it's completely different.
wavic
 
Posts: 165
Joined: Wed May 25, 2016 8:51 pm

