1

The SSL approach of using public/private key (asymmetric) mechanisms to establish a symmetric working key for data encryption seems like it would be a good approach for end-to-end secure data transmission at the application level. Especially when one end is in an insecure (whitebox) environment such as a mobile phone.

Basically I could use the SSL protocol (How does SSL/TLS work?) to get a symmetric working key and encrypt my application data for end-to-end communication. Clearly I would need to develop client and server side components to make this work.

Is this possible? How about some pointers to examples?

Community
  • 1
Frank
  • 11
  • 1
  • why not simply use TLS in the application? – schroeder Mar 30 '15 at 21:15
  • TLS is by definition a transport layer protocol. Why not just use TLS as your transport layer security?

    Are you talking about also encrypting data at rest? If so, there are many good solutions for encrypting database or flat files. Please be more specific about what you mean by end to end.

     – Devon Holcombe Mar 30 '15 at 21:23
  • TLS uses pub/prv keys to exchange a symmetric key already.

    GPG is a protocol for doing the similar thing except on a message basis.

    Whichever programming language you're using already has libraries for this type of thing and you could move this question over to stackoverflow.

     – Jonathan Mar 30 '15 at 22:02
  • Thanks Johnathan, sounds like your GPG suggestion might be what I want so long as "message basis" means end-to-end. There seems to be a lot of GPG references. Do you have any good ones with examples for (Java) programming this? – Frank Mar 31 '15 at 14:40

1 Answers1

3

First off, an important notice:

DO NOT ATTEMPT TO WRITE YOUR OWN CRYPTO! This includes using known cryptographic routines in a way that isn't standard. if you intend to follow the standards, then you should use a library designed 8and maintained) for that specific standard.

That being said, every time you encrypt a file using a public certificate (using, for instance, PGP with public/private key pairs or AS2), you're doing what you're requesting.

The file is encrypted using a random key and a symmetrical cypher and that key is then encrypted using the public key of the recipient. Here is a picture (from wikipedia) that illustrate that process.

How PGP encryption works

This is also valid for S/MIME, EFS, etc.

Stephane
  • 18,679
  • 3
  • 63
  • 70
  • Yes, I think this is what I'm talking about. I agree 100% that I don't want to write any of my own crypto. I'm looking for some example code that does this kind of thing is a proper, secure manner. – Frank Mar 31 '15 at 14:27
  • 1
    Code samples are the realm of stackoverflow – Stephane Mar 31 '15 at 14:34