Hi,

I am new to this mailing list, so I would like to introduce myself: my name is Christian Kolek. I am 23 years old. At this time I study informatics at the University of Dortmund/Germany. In my spare time I am programming mostly game stuff, but at this moment I am developing something that has not much to do with game development. This is why I am here for some help.

The project I am developing at this moment is a p2p collaboration application. I have started to develop this tool because of network programming. I wanted something small to learn, so I could implement the network part of my game engine after I earned some experience. It should be p2p because it's something everyone is/was talking about. But I wanted a tool in which only trusted friends can connect to each other. No spam like ICQ, or a tool whose main purpose is to share files with unknown people. (You know where I want to go with this?) This project got bigger and bigger.. and at some time I decided to round it up. I started to make a GUI. At the same time I decided to learn some Linux programming/porting because my game server should run on a Linux server... some multithreading experience.. synchronization would also be OK.. and so on and so on.. a project for learning/gaining experience..

But why am I here, you ask? Because of encryption! ;) I decided at the start of the project that for a p2p collaboration app it would be important to have encrypted connections.. where only trusted people can connect to each other... When I was developing the tool I also looked around for what would be the best way to implement encryption.. I decided to use a combination of asymmetric and symmetric encryption, so if two people want to connect to each other they both have to share their public keys.. using RSA for the connection establishment, sharing AES keys.. to do symmetric encryption.. and this is the point where it gets tricky for me..

I have implemented a first version of the app with encryption using some very slow RSA source someone has written only for education purposes.. http://www.efgh.com/software/rsa.htm and AES from http://www.codeproject.com/cpp/aes.asp?target=aes The problem with these implementations is that the RSA code is very slow.. and the author says it's insecure because of some problems like weak keys... The AES implementation is lacking in padding... I am very new to the encryption stuff.. but I have decided to use Crypto++.. everything in one place... and looking very well thought out.

This is what the encryption looks like at this moment (this is the case when A and B have already exchanged their public keys.. and A knows the IP of B, so it knows which pubKey A has to use...):

A generates a random ivA and a random AES session keyA. A encrypts the two with RSAES_OAEP_SHA_Encryptor and sends them to B.
B generates a random ivB and a random AES session keyB. B encrypts the two with RSAES_OAEP_SHA_Encryptor and sends them to A.
Now A knows how to decrypt the data sent from B and vice versa.

At this moment the AES encryption goes over this implementation: http://www.codeproject.com/cpp/aes.asp?target=aes in CBC mode with zero padding and no MACs (yes, this is not a good idea here). I would not wonder if this handshaking is not very secure.. but this is because I am new to encryption.. and why I am looking here for help.

Now the first questions from me: Would it be OK to use CFB mode so I don't need to do any padding? Are there arguments for when I should use CBC and when CFB? I already have many other questions, but at first I would like to decide between CBC and CFB, or more precisely between the two classes CBC and CFB belong to. CFB streaming looks very nice at first look because no padding is needed.. but why is there CBC? Can you also use CFB for sending data in blocks, emulating CBC-like behavior?

As I have said, I am already using CBC, so filling messages to a block boundary is already treated.. and the cutting off of the trash data after decryption.. Is CBC faster or CFB? OK, I know that these are not the best questions for the first time.. but I am implementing the first version I showed above.. I know that I will have to redesign it.. but I want a first implementation with the main ideas.. Here is the unofficial project page: www.antrex.de There is a win32 GUI+console version and a Linux console version compiled on SuSE 7.3 and SuSE 8. Nearly the last thing which is missing is the encryption before I can go beta. The news part is missing.. and the chat maybe gets better... thx
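
The CBC-versus-CFB and zero-padding question raised above, as an added example that is not code from the original post or from Crypto++: a constructed 16-byte Feistel cipher built on SHA-256 stands in for AES (the modes only need an invertible keyed block function, so the behaviour shown is the same with real AES), and `roundtrip` shows that CBC with zero padding silently loses trailing zero bytes of a message, while PKCS#7 padding and full-block CFB (which needs no padding at all) return it intact. The key, IV and messages are constructed sample values.

```python
import hashlib
BLOCK = 16
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))       # truncates to the shorter input
def _f(key, half, i):                                # Feistel round function
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    # Constructed 8-round Feistel permutation standing in for AES (a mode only needs an invertible block function)
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, _f(key, r, i))
    return r + l

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = r, xor(l, _f(key, r, i))
    return r + l

def cbc(key, iv, data, decrypt=False):              # data must be whole blocks
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev) if decrypt else block_encrypt(key, xor(c, prev)))
        prev = c if decrypt else out[-1]             # chain on the ciphertext block
    return b"".join(out)

def cfb(key, iv, data, decrypt=False):              # full-block CFB: any length, no padding
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = xor(chunk, block_encrypt(key, prev))   # keystream = E(previous ciphertext)
        out.append(res)
        prev = chunk if decrypt else res             # always feed back the ciphertext
    return b"".join(out)

def zero_pad(m):   return m + b"\x00" * (-len(m) % BLOCK)
def zero_unpad(m): return m.rstrip(b"\x00")          # cannot tell padding from data
def pkcs7_pad(m):  return m + bytes([BLOCK - len(m) % BLOCK]) * (BLOCK - len(m) % BLOCK)
def pkcs7_unpad(m):
    n = m[-1]
    if not 1 <= n <= BLOCK or m[-n:] != bytes([n]) * n: raise ValueError("bad padding")
    return m[:-n]

def roundtrip(key, iv, msg, mode="cbc", pad="zero"):
    if mode == "cfb":                                # no padding step at all
        return cfb(key, iv, cfb(key, iv, msg), decrypt=True)
    p, u = (zero_pad, zero_unpad) if pad == "zero" else (pkcs7_pad, pkcs7_unpad)
    return u(cbc(key, iv, cbc(key, iv, p(msg)), decrypt=True))
```

Neither mode authenticates anything, so a MAC over the ciphertext is still a separate step whichever mode is chosen.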
