I understand the use case of Asymmetric Encryption using a private and public key. A client side Web Application can encrypt a JWE using a servers public key and the server uses its private key to decrypt the encrypted message.
Is it possible for a Web client to receive an encrypted message from a server encrypted by the Web Clients public key and have its own private key to decrypt the servers encrypted message?
From what I understand about security the browser is not a safe place to hold keys since an experienced person can read them if they wanted.
So is the encryption and decryption with JWE only possible in one (server to client) direction? Or is it possible for a Web client to hold a private key for decryption for encrypted messages from a server safely?
Related
I'm building an application and want it to securely transfer data to a server.
Thinking to use public/private keys for initial handshake to encrypt a key with which to encrypt subsequent data.
Is it reasonable to have the private key integrated in the executable which will be distributed out in the wild for anyone to reverse-engineer?
I also thought of using three-pass protocol, but read about some of its weaknesses and it probably won't work for me
I followed Martin's advice and posted to security exchange (https://security.stackexchange.com/questions/158650/distribute-private-key-with-application).
There I received an answer that I accepted, by user Serverfrog:
Generate the Private/Public Keypair on the client, encrypt this with a
password (maybe choose from the User itself).
The send the Public Key encrypted via Server Public Key to the Server
and you have your entire Public/Private Stack.
What type of certificates or keys are exchanged between a client and a server when it loads a webpage or website ?
Only the server's public key and the client's public key are exchanged.
The following occurs when a browser is connection to an HTTPS enabled website / service:
Client Hello
The client sends the SSL version number, cipher settings, session-specific data.
Server Hello
The server responds with the SSL version number, cipher settings, and the Server’s Certificate (Public Key).
Authentication and Pre-Master Secret
The client now authenticates the server certificate, and depending on the cipher the client creates a pre-master secret for the session.
The client encrypts data with the server's public key and sends the encrypted pre-master secret to the server.
Decryption and Master Secret
The server now uses its private key to decrypt the pre-master secret.
Both the server and client perform steps to generate the master secret with the agreed cipher.
Generate Session Keys
Both the client and the server now use the master secret to generate the session keys. The session keys are symmetric keys used to encrypt and decrypt information exchanged during the session.
Encryption with Session Key
At this point both server and client exchange messages to inform that future messages will be encrypted.
In short, there are 4 keys involved. The server's public and private key and the client's public and private key. The client gives it's public key to the server and the server gives it's public key to the client. The private keys are never transmitted or shared with anyone, they remain on the client and server, thus they are private.
Usually certificates are signed by a third party such as GoDaddy or Verisign. This gives the client reassurance that the server who issued the public key to the client is indeed who they say they are. (However beware, there is always the possibility of man in the middle attacks)
I'm wondering how I can guarantee that messages received by the server are definitely from a client that is running my app on their smartphone.
Messages sent by clients running my app will be secured by SSL encryption, so would a good solution be to include some sort of secret key that is stored on the device and on the server, that is then embedded within the message body? (but then this key is prone to being discovered through reverse engineering)
Well, no, if you cannot trust your code and if you do not have access to some kind of protected key store (that performs it's own encryption, e.g. a TPM or suchlike) then anybody can steal the key. If you require authentication you can of course use the normal authentication methods such as user passwords.
If you require the messages to be protected you can then derive a key from the password (using a PBKDF such as PBKDF2 for instance), decrypt a private key with it and use it to sign the messages. If that's too slow, you can use the private key to encrypt a session key, and use a message authentication code.
I am reading SSL security logic articles. I am confused a bit. Server has private key and server sends client public key. An encrypted data with public key only can be decrypted by private key.
1- Client side has not a private key. How does client solve the server data?
2- if public key sending over internet, somebody can Access the key who listened the network.
3- encrypt and decrypt should have an algorithm. Do all browsers knows that algorithm? if browser companies knows that encrypt algorithm, this is a security problem.
The public and private keys aren't used for data encryption in SSL. They are only used in the authentication phase. That's why the client doesn't need a private key, unless the server requires client authentication. The actual encryption is done via symmetric encryption using a negotiated session key.
There are resources on the Internet that state otherwise, notoriously the Linux Documentation Project page. They are wrong. The normative reference is RFC 2246.
Your remark about knowing the encryption algorithm is quite incorrect. First, the client has to know the algorithm to be able to encrypt and decrypt. Second, it was established many years ago that security-by-obscurity simply does not work. True cryptographic security comes from well-designed and well-tested algorithms, however well-known they may be, and key length.
I aks myself if it is possible to copy the server certificate to another server to misuse it. Example: An attacker visits https website X and copies the X.509 certificate. He placed the stolen X.509 certificate on his own server and would like being trustworthy.
Of course, the attacker does not have the private key, but the private key is only required to decrypt the encrypted message from the client. In terms of authentification there is no reason to be doubtfully. Or?
The server responses with the X.509 certificate. The client receives the certificate and validates successfully using the stored root certificates. Why should the server not be authentificated? Only when the client sends an encrypted message using the public key the server is not able to decrypt the message - because he does not own the private key.
It is right so far?
Only when the client sends an encrypted message using the public key the server is not able to decrypt the message - because he does not own the private key.
The server also needs the private key to sign messages being sent to the client.
The SSL/TLS handshake protocol itself effectively involves such an authenticated message being sent to the client. If the private key is unavailable then this step will fail before any 'real' payload message gets sent.
Why should the server not be authentificated?
The certificate is tied to a domain name.
The web browser will download the certificate and validate it. One of the steps in the validation is to compare the domain the certificate is for to the domain that the browser actually downloaded it from. If there is a mismatch (and there will be, since the attacker is on their own domain, not the original site's domain) then the browser will present the user with a certificate error and ask them to make the call about whether or not to accept it.
You're probably used to seeing this in action on bad web server configurations. Ever seen an error saying, "This certificate was intended for www.example.com" when you were trying to visit "example.com"?
Of course, the attacker does not have the private key, but the private key is only required to decrypt the encrypted message from the client.
Public/private key pairs have other uses than that. In this case, the private key signs the certificate and the public key verifies it. There is no encryption involved. (What you described is more like a normal encryption scheme, like RSA.)
No, the certificate is a pubic element and it is just a way to bind a public key to a name (here, a DNS name). During the authentication process (in the TLS protocol) the server sends its certificate along with signs some data with the associated private key. In order to verify that the server is the legitimate owner of the certificate, the client have to verify the validity of this signature with the sent certificate. A rogue server can try to use the certificate but without the private key it cannot prove it is the real holder.