I cant seem to find a reliable asymmetric encryption solution to secure data between a python based server application and a client over an open data channel.
I need some way for my client to prevent a man in the middle attack over an open data channel, my current exchange has me sending my clients a token they use to verify they are talking to my server application by checking the token is valid with a php script on my site.
This is far from ideal and could easily be compromised by waiting to be sent the token and passing it off to another user.
I have tried as3crypto's rsa encryption but it is an old implementation that is not supported by many libraries as well as having a known vulnerability.
I would really like a solution that lets me hard code public/private keys into both the client and server to prevent something like this from happening.
Actionscript Three Asymmetric Encryption
207 Views Asked by Jordan At
3
There are 3 best solutions below
0
On
Since decompiling swf content is not a major problem for experienced hackers, I would strongly advise against hardcoding keys. Have you thought about using SSL at all?
14
On
Hardcoding they public keys won't help you, if someone really plans an attack, because the SWF itself is transfered over an unsafe channel, thus the keys can be exchanged just as if they were transmitted individually.
There is basically nothing you can do to prevent man in the middle attacks, you can only make them harder. I think HTTPS is about the best you can get and it's also a fairly easy solution.
After doing some research I have decided to code the part of rsa I need from scratch. I found some python code that will generate raw integer keys of any length and looked up how the rsa algorithm works.
T^P = X (mod R) to encrypt
X^Q = T (mod R) to decrypt
Where T is the starting data, X is the ending data, P is the public half of the key, Q is the private half of the key, and R is the shared part of the key (all integers).
Data will have a nonice whenever possible to prevent replay attacks and the message as a whole will be converted to a long integer to prevent traditional bit by bit cryptanalysis.