Thank you for replying. I am thinking of this design.Is this feasible.My design approach is mainly based on "I dont need to know with whom I am contacting but after contact my messages should be private."
client(My own application) Server (My own application) 1.(client)create a normal socket and connect to the server 2.(server)After receiving the connection send deffie hellman paramerters 3. (client)compute my key and pass the params for DH 4.(server)compute the key number 6. (client)Multiple(n==10) key exchange using DH 5. (server)Multiple(n==10) key exchange using DH 7.(server)generate the public key and encrypt with the key which we have already exchanged. 8.(server)Send the key to client and disconnect the normal socket. 10.(client)after receiving the key close the connection. 11.(client)Start a normal openssl connection. With Regards On Wed, May 20, 2009 at 2:48 PM, Victor Duchovni < [email protected]> wrote: > On Wed, May 20, 2009 at 02:37:58PM -0500, AngelWarrior wrote: > > > I need some Info.I have a client and server application which requires a > > secure medium for the transferring of data between each other. Currently > I > > am using openssl to achieve this using private and public key > certificates > > with RSA encryption. I don't want to ship the certificate with each every > > and client application. > > > > So, Is there a method where I can transfer an on the fly created > certificate > > from the server to the client securely(like using diffi-hellman) and > > after exchanging the certificates. I will communicate with the normal > > openssl process. > > Certifications are for *authentication*, which is only possible via: > > - Prior bi-lateral exchange of keys (what you are doing now) > OR > - Mediated key-exchange via a "trusted" introducer (the public CA > model such as it is today) > OR > - Scalable mediated introduction via a trusted online distributed > database, i.e keys in a secure DNS. This has not happened yet, > and may yet fail to materialize. > > If you need authentication, pick one of the first two. If you don't, > use anonymous ciphers and accept the risk of active man-in-the-middle > attacks, with TLS protecting you only against passive eavesdropping. > > -- > Viktor. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [email protected] > Automated List Manager [email protected] > -- _/\_ With Regards SB Angel Warrior
