Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Mad153

is it worse to make your own encryption system

Recommended Posts

Posted · Original PosterOP

Hello,

i am creating a program that sends data over a tcp connection.

i cannot make ssl over tcp work for the life of me and i do not really understand it at all.

but i am fully capable of doing it manually by creating rsa pairs and then encrypting an aes key with the public key on the client,

and then decrypting that with the private key on the server. and then sending the aes encrypted datafrom the client  to the server, which then can decrypt it.

Is there a disadvantage to doing it manually in this way?

thanks


Please mark as helpful and informative so my profile looks better.

Thanks

Link to post
Share on other sites
2 hours ago, Mad153 said:

Is there a disadvantage to doing it manually in this way?

Yes, the disadvantage is that since you're making your own standard it won't be compatible with any normal SSL server. If you don't care then it's the same.


...is there a question here? 🤔

sudo chmod -R 000 /*

What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D Watch Netflix with Kodi on Arch Linux Sharing folders over the internet using SSH Beginner's Guide To LTT (by iamdarkyoshi)

Sauron'stm Product Scores:

Spoiler

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]

Spoiler

A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]

Spoiler

From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]

Spoiler

A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]

Spoiler

Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]

Spoiler

Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]

Spoiler

A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 

Link to post
Share on other sites

Yes, it is worse!

 

The TLS protocol (and its predecessor, SSL) has been worked on for the past 25 years. All versions of SSL have been found to have critical vulnerabilities (which are addressed in TLS), and there are a bunch of (mitigatable) issues that have been found with TLS 1.0-1.2 too. My point here is that even the cryptography experts at the IETF have included security vulnerabilities. Moreover, there are a bunch of examples of companies who said "let's design a proprietary encryption protocol because it will be simpler/more secure/...", and ended up releasing a vulnerable product. MIFARE Classic is an example of this.

 

If at all possible, I would strongly encourage you to use an existing TLS library. There will be one available for every reasonable language.

 

If you have a really good reason for not using an existing library (and just wanting to learn about the protocol is not a really good reason where cryptography is concerned unless the entire project is just academic!), it would be possible to have a pre-shared (or out-of-band shared) public-private key pair and using RSA to send a symmetric key. However, generic RSA (ke mod m) is NOT secure for this application because k ≪ m, which can make k easy to recover under certain circumstances. See what I mean about it being easy to introduce security vulnerabilities? To do it securely, you either need to use something called Optimal Asymmetric Encryption Padding, or you need to generate a large secret which has a similar magnitude to the modulus, and share that, then both parties convert that to the actual encryption key. Be very wary of introducing more vulnerabilities though!

 

But please just use a library.


HTTP/2 203

Link to post
Share on other sites
1 hour ago, Sauron said:

Yes, the disadvantage is that since you're making your own standard it won't be compatible with any normal SSL server.

33 minutes ago, colonel_mortis said:

The TLS protocol (and its predecessor, SSL) has been worked on for the past 25 years.

@Mad153

 

There will be compatibility issues with using other standardized encryption servers, more patching the encryption algorithm as new vulnerabilities will be likely found later in testing, and the risk that your own encryption system will have security issues which could have data be compromised due to attackers possibly being able to bypass your encryption. Transport Layer Security (TLS) encryption is more preferable to use that the older SSL (Secure Sockets Layer) encryption does not have the ability to work on different ports and utilizes weaker algorithms for encryption. Because of vulnerabilities found in SSL, its been approximately 2 decades, from when TLS was put in replacing the older SSL encryption standard. If this is not for the educational purpose of learning encryption, then I would recommend using an SSL encryption system or preferably the newer TLS system. Very rarely have I seen that these are not already available in a library (for certain code languages) and in that case, if you absolutely can't use a library reference encryption system then please be careful in your designing to prevent and eliminate possible vulnerability risks of your custom system.

 

Hope that this information was helpful, 


   @Boomwebsearch

Link to post
Share on other sites
11 hours ago, Mad153 said:

i cannot make ssl over tcp work for the life of me and i do not really understand it at all.

but i am fully capable of doing it manually by creating rsa pairs and then encrypting an aes key with the public key on the client,

Sorry, but if you can't figure out how to layer SSL over TCP, then what makes you think you can properly implement an encryption scheme yourself? If you're trying to create your own standard, don't. There is a lot of math (number theory, arithmetic geometry, elliptic curves) that's involved in the development of new encryption standards. If you want to implement an existing standard, don't do it; there is likely an already existing implementation in whatever language you prefer. More modern implementations will have resistance to well-known attacks that you might not consider like the acoustic cryptanalysis attacktiming attacks, or the infamous cache side-channel attacks. There is also the issue of randomness. It's hard (actually impossible) to generate random numbers on a computer; though, we can simulate random numbers using pseudorandom number generators (PNRGs). The implementation of these are platform specific, and some operating systems (e.g. Unix-based OSes) will have various PNRGs that are all suitable for different tasks.

 

Of course, if you're trying to implement a specific standard to understand the standard, you probably shouldn't, but it's okay to try. You should probably just read the reference implementation that any decent paper / organisation will provide. Although I suspect that you plan on using this program for something, so just don't. Please.

Link to post
Share on other sites
13 hours ago, Mad153 said:

Hello,

i am creating a program that sends data over a tcp connection.

i cannot make ssl over tcp work for the life of me and i do not really understand it at all.

but i am fully capable of doing it manually by creating rsa pairs and then encrypting an aes key with the public key on the client,

and then decrypting that with the private key on the server. and then sending the aes encrypted datafrom the client  to the server, which then can decrypt it.

Is there a disadvantage to doing it manually in this way?

thanks

What sort of issues are you having in terms of setting up SSL over TCP?  (I am assuming when you said SSL you are referring actually implementing TLS 1.2/1.3?)  If you understand how to do the other things manually, then I am a bit confused where you may have a sticking point in the SSL portion.

 

As others have said, it is generally a bad idea.  There is a lot that can go wrong when implementing your own encryption....realistically though it may depend on what you are intending to use the program for.  If it is a program that is going to be openly distributed, and the security of the TCP is important then no, do not implement your own.

 

For something like, sharing stuff between friends...maybe.  (Although in that case you would have an option of also using a predefined key ontop of that)..then again if you use a non-standard encryption (and maybe throw in your own custom encryption code) you may be safe just out of obscurity (assumes that there will only ever be a few people using this...given any encryption you write would be weaker than the current standards...but would it be worth it for the attacker to try figuring out what you did for a target so small 😛)...but the answer is still no; try getting ssl working, and if you are stuck just ask people here to help find issues with your code (ie why it isn't working)

 


3735928559 - Beware of the dead beef

Link to post
Share on other sites

also most companies that care about security wont want vendors to have access and be able to decrypt their data.

most will want to request their own certificate and private key under their control

 

also you will share the same private key and certificate for all customers?

generate one randomly?

what security will you use?

 

no offense but i wouldnt buy software from a vendor that doesnt allow me to implement a private key public certificate pair under my control thats signed by a CA that is trusted by our company.

Link to post
Share on other sites

If you're planning to use whatever you write on something other people will use, you're shooting yourself in the foot outright. Learn to write those things all you want, may be good practice. Invest time only where you actually want to learn something. I have an impression you just one to make this work properly and get on with it. If you want your thing to be secure: learn about it, and just make it (TLS) work.

Link to post
Share on other sites

While there are (irregular) new encryption algorithms every year, it takes a lot of work to figure them out. Unless you're a talented mathematician, don't try.


Write in C.

Link to post
Share on other sites
Posted · Original PosterOP
7 hours ago, tech.guru said:

generate one randomly?

I was planning to but I am now going to figure out how you do it properly. (As per everyone's suggestion)

7 hours ago, wanderingfool2 said:

What sort of issues are you having in terms of setting up SSL over TCP?  (I am assuming when you said SSL you are referring actually implementing TLS 1.2/1.3?

Specifically finding an example of sslstream class in c#. The example on MSDN and copies of it on other websites which have been slightly modified throws an error that is very vague (cannot remember it though).

 

I was looking at stunnel but that isn't documented well.

 

Compatibility is not an issue for me.

 


Please mark as helpful and informative so my profile looks better.

Thanks

Link to post
Share on other sites

Just gonna pile on the "Yes it is worse" here. Don't even try it, even if you hold 50 years of experience in computer science and mathematics. Security these days are on such a high level that they are mainly because of the vast amount of people and time it has taken to get here. A new encryption system made by only one person, and not peer reviewed at all, will always be very crackable by you guessed it; Only one person!

Link to post
Share on other sites
1 hour ago, Mad153 said:

I was planning to but I am now going to figure out how you do it properly. (As per everyone's suggestion)

Good choice. Are you trying to implement the whole routine yourself or are you using a proven library? 

 

 

 

Generally speaking for everyone else wondering if they should: encryption and authentification are the most sensitive aspects a program or web service can have. One mistake or slight oversight and the security is gone. It's not meant as an insult but if you have to ask if it's a good idea then it's probably not a good one. Very good mathematicians and computer experts are working on those systems and libraries and they regularly mess up. I'm not saying it's impossible to get a good system done yourself, it's just harder than you might think and you will most likely miss some loop holes.

Now, if you want to do this do get a better understanding and not to have a proper system for deployment then by all means: go for it. If you want a deployment ready solution then for the sake of your clients: go with a proven and tested library that still is being maintained.

Link to post
Share on other sites

if you don't understand SSL/TLS and/or can't make it work, do not create your own security protocol under any circumstances.

Link to post
Share on other sites
12 hours ago, Mad153 said:

I was planning to but I am now going to figure out how you do it properly. (As per everyone's suggestion)

Specifically finding an example of sslstream class in c#. The example on MSDN and copies of it on other websites which have been slightly modified throws an error that is very vague (cannot remember it though).

 

I was looking at stunnel but that isn't documented well.

 

Compatibility is not an issue for me.

 

If you do attempt using sslstream again, just post the code that errors and I am sure that someone will be able to help.  Another alternative may be to also try openssl (I think there are c# wrappers for it)


3735928559 - Beware of the dead beef

Link to post
Share on other sites
On 8/4/2019 at 9:50 PM, Mad153 said:

Hello,

i am creating a program that sends data over a tcp connection.

i cannot make ssl over tcp work for the life of me and i do not really understand it at all.

but i am fully capable of doing it manually by creating rsa pairs and then encrypting an aes key with the public key on the client,

and then decrypting that with the private key on the server. and then sending the aes encrypted datafrom the client  to the server, which then can decrypt it.

Is there a disadvantage to doing it manually in this way?

thanks

Another look at it is if your program stops working then you have another thing you'l need to troubleshoot, another point of failure as you will. Also if you were to deploy this program you'd rather not take the chance of your product failing because of a mistake you made.

 

IMO if you can pull it off just do it.


I'm a python programmer and I play trombone

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×