Encryption ideas requested.

    Date: 02/06/05 (C Sharp)    Keywords: security, google

    Hey folks, I've recently popped into the community, as I've been rather yearning for a place where I can talk to anyone else who develops in .NET (C# specifically, but I've gotten less picky, as I know about ONE person besides me who codes in .NET) so I can bounce some of my more interesting questions off them. So yeah, thanks for being here. ;)

    Anyways, I'm developing an application that can be best described as a file mirroring program: a file is synchronized between two computers when a change is made on one of them. For example, a Quicken file kept on both a laptop that travels heavily and a workstation or home PC, so when a change is made to the Quicken file, it's mirrored to the other PC. I've written my own file transfer protocol with MD5 verification (works fantastic in LAN testing so far) and most of the UI design and implementation is completed.

    However, the problem I now hit comes with dealing with encryption. Because of the potentially sensitive nature of data being sent, I'm conscious of the reality that the data could be intercepted, and I feel an encrypted stream option or mandate is pretty much a requirement for this program. This is where I haven't sufficient exposure, though. Going through the MSDN library and many, many Google searches and newsgroups, it seems to me that using RSA encryption for the local components (e.g. configuration file encryption) is the best, as I can store the keys in a CspContainer so they persist and are at least better secured than if I were to try storing them myself. The bigger problem comes up when I try to come up with a reasonable solution for encrypting the TCP stream itself between two clients. So far, it would seem that Rijndael or DES are more suited for these tasks, but how am I going to reasonably get the Key and IV between the two systems?

    So far, my best solution to this is the following:

    • Add in another command to the server to allow a client to request the server's public RSA key.

    • Create a thumbprint file that has the generated Rijndael or DES Key and IV as well as the needed information about the file to be synced, and encrypt it using the provided public key.

    • Have the thumbprint sent to the remote system, either by simply transferring the file via TCP (easiest) or having it placed on a floppy or flash drive and physically moved (safest).


    I think this is the best idea in terms of both security and usability. What I am asking you folks is two things: 1) do you feel this is a good solution as designed here, and 2) do you have an alternate solution for my scenario that may work better?

    As a bonus question, I'm curious to hear stories about how any of you have implemented encryption systems in the past.

    Thanks for your help, folks!

    Source: http://www.livejournal.com/community/csharp/25039.html
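
The three steps in the post as one round trip, written as an added example (not the poster's code) for .NET 6 or later; the fingerprint check is an addition that lets the client confirm the public key it fetched over TCP really is the server's. Assumptions: `Aes` stands in for Rijndael, RSA-OAEP wraps the key and IV, and `ThumbprintExchangeDemo` and `Fingerprint` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class ThumbprintExchangeDemo
{
    // Hypothetical pinning scheme: SHA-256 over modulus || exponent, compared out of band.
    static string Fingerprint(RSAParameters pub) =>
        Convert.ToHexString(SHA256.HashData(pub.Modulus.Concat(pub.Exponent).ToArray()));

    static void Main()
    {
        // Server: long-lived RSA key pair (the post would persist it in a CSP container).
        using RSA serverKey = RSA.Create(2048);
        RSAParameters serverPublic = serverKey.ExportParameters(false);
        // Constructed stand-in for the fingerprint the user copied from the server by hand.
        string pinned = Fingerprint(serverPublic);

        // Client: 'received' is the reply to the "request public key" command.
        RSAParameters received = serverPublic;
        if (Fingerprint(received) != pinned)
            throw new CryptographicException("Public key does not match the pinned fingerprint.");

        using Aes session = Aes.Create();                              // fresh random Key and IV
        byte[] thumbprint = session.Key.Concat(session.IV).ToArray();  // 32 + 16 bytes
        using RSA serverPub = RSA.Create();
        serverPub.ImportParameters(received);
        byte[] wrapped = serverPub.Encrypt(thumbprint, RSAEncryptionPadding.OaepSHA256);

        // Server: unwrap with the private key and split back into Key and IV.
        byte[] unwrapped = serverKey.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        using Aes serverSession = Aes.Create();
        serverSession.Key = unwrapped.Take(32).ToArray();
        serverSession.IV = unwrapped.Skip(32).ToArray();

        // Both ends now hold the same session key: encrypt on one, decrypt on the other.
        byte[] plain = Encoding.UTF8.GetBytes("constructed sample file block");
        byte[] cipher, back;
        using (ICryptoTransform enc = session.CreateEncryptor())
            cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
        using (ICryptoTransform dec = serverSession.CreateDecryptor())
            back = dec.TransformFinalBlock(cipher, 0, cipher.Length);
        Console.WriteLine(Encoding.UTF8.GetString(back));
    }
}
```

CBC on its own does not detect tampering, and MD5 is not a keyed check, so the transfer still needs a MAC over the ciphertext or an AEAD mode. Use a fresh IV for every file or message sent under the same key.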
