Thank you for the quick replies. The application that I'm working on is some sort of license manager. A central server keeps track of how many active applications there are and how many copies are allowed. The messages need to be encrypted so that any snooping application can not replay messages (license check-in) and thus increase the number of simultaneously running clients. So yes, a man in the middle attack inserting spoofed packets is probably the biggest concern.
Timestamping is probably not necessary, as these are just short messages which are responded to immediately and then discarded. And on the transport side, I can handle out of order packets fine and simply wait until all packets have arrived before decrypting the received buffer. As I have full control over the source, I could put a key in both apps, if that's a safe way to do it. The packets will not be routed outside of the local subnet, so my primary concern is not "internet grade" encryption. - Fafa -------- Original-Nachricht -------- Datum: Mon, 26 Jun 2006 13:12:27 -0400 Von: Frank Palazzolo <[EMAIL PROTECTED]> An: [EMAIL PROTECTED] Betreff: RE: what algorithm to choose > > Hi, > > Do you need to encrypt them (protect from readability) or make them tamper > proof (hashing/signature?) or both? Do you need to detect corrupted > messages and out of order or old messages? Do you care if there is a key > in > the client or server, or both? > > I might have some ideas for you. I have used Crypto++ to do something > similar in the past. I ended up using something like AES/CBC and MD5 or > SHA > to both encrypt and "sign" (encrypt a hash) timestamped credentials, for a > web application. My goals were protection, tamper-proofing, small message > size. It was cool in that the timestamping allowed me to avoid writing a > session manager. > > Keep in mind, everything in SSL is there for a reason. > > Thanks, > Frank > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Monday, June 26, 2006 12:25 PM > To: [email protected] > Subject: what algorithm to choose > > > Hi everyone, > > I wonder if anyone here could point me in the right direction. My question > isn't directly Crypto++ related, but I may end up using it to solve my > problem. I'm not a cryptography expert. > > I'd like to implement a secure communication over TCP/IP or UDP between > two > of my applications within a local network. I got the client/server part > all > written and working, talking back and forth. However, I need to encrypt > the > contents of these messages to make them tamper-proof. Typically these are > just a few bytes every few minutes. Setting up an SSL connection is not an > option, so I need to encrypt them at the source level. > > I'm willing to read up on this, but before I choose an algorithm and > implementation, can you comment on how to do this in a secure and > effective > way? Thanks in advance, > > Fafa > >
