Is this the "Right Way?"

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Is this the "Right Way?"

Sean E. Covel
I have an app that communicates over the Internet.  I'm using the
libeay32.dll for encryption.  As we all know from WEP, using encryption
doesn't mean its secure.  Can you take a min. at look at how I've
implemented this and tell me if its secure?  Thanks!

The user has a fixed 8 character password (bad, I know, I don't control
that part.)  someSalt and theIV are 16 bytes (128 bit).  rand_bytes() is
used to init someSalt and theIV.

I use the following code to create a "session" key, and setup the
encryption context:

EVP_BytesToKey(EVP_aes_128_ofb(), EVP_md5(), (unsigned char *)someSalt,
(const unsigned char *)password, datal, count, keystr, theIV);
EVP_CIPHER_CTX_init(ctx);
EVP_CipherInit_ex(ctx, EVP_aes_128_ofb(), NULL, keystr, theIV, 1);

When the first message is passed, server to client, I send the following:

someSalt|theIV|encryptedMessage

When the client gets the first message, it gets the password from the
user, gets someSalt and theIV off the incoming message, and then uses
the same chunk of code to generate the key:

EVP_BytesToKey(EVP_aes_128_ofb(), EVP_md5(), (unsigned char *)someSalt,
(const unsigned char *)password, datal, count, keystr, theIV);
EVP_CIPHER_CTX_init(ctx);
EVP_CipherInit_ex(ctx, EVP_aes_128_ofb(), NULL, keystr, theIV, 1);

From then on the client and server only send the encryptedMessage, since
 someSalt and theIV have already done their job.

When the return socket is created, it uses the same procedure, but a new
SALT and IV.  The two sockets in the duplex communication use different
"session" keys.

Am I doing anything wrong?

Thanks,

Sean

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Loading...