This week's book giveaway is in the Android forum.
We're giving away four copies of Head First Android and have David & Dawn Griffiths on-line!
See this thread for details.
Win a copy of Head First Android this week in the Android forum!

liakos liakoz

+ Follow
since Nov 08, 2014
Cows and Likes
Total received
In last 30 days
Total given
Total received
Received in last 30 days
Total given
Given in last 30 days
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by liakos liakoz

What i did eventually is : every party (both clients and server) has its own keystore which contains their self signed certificate. Every party also has its own truststore, which contains the certificates(public keys) of the parties that they trust (done with import-export certificates using keytool). So when a client connects to the server, they exchange certificates and then they check if the public key of the certificate that they received matches with the one they have in the truststore. Is that good enough to achieve mutual authentication using only self signed certificates?
7 years ago

Richard Tookey wrote:

liakos liakoz wrote:If the moment that a client connects to the server, they exchange certificates, would it make it any better?

So how do you know if the client is one you trust and wish to allow access to the server?

How can i possibly know if im not using certificates signed by a CA? Maybe if a create a root certificate which signs the certificates of the two clients?maybe the certificate of the server too?
7 years ago
If the moment that a client connects to the server, they exchange certificates, would it make it any better?
7 years ago
The assignment says that i have to use self signed certificates, not certificate signed by a CA
7 years ago

Richard Tookey wrote:I'm not convinced you have achieved 'authentication' since you are using self signed certificates and have not explained how the clients and servers exchange these certificates in a secure and authenticated manner.

Thanks for the reply.
So how do i achieve authentication?I just send the certificates inside every message. What should i do instead and why?
PS: I use self signed certificates and im able to retrieve every certificate i want from the keystore
PS2: Is non repudiation achieved with the implementation i described in my previous message?
7 years ago
Hello again guys.
So the assignment is : Im given a Client-Server-Client communication program and i have to add code to it in order to achieve :
1) Confidentiality
4)Non repudiation
What I've done so far is : Client1 sends a message that contains the encrypted text, the digest, the self signed certificate of the client and the digital signature. Server accepts the message, checks if the public key of the certificate that is obtained from the keystore(i have a keystore that contains all three certificates) is the same with the public key of the certificate that is sent with the message, then decrypts the cipher and checks if the digests are the same and it also checks if the digital signature is valid. The Server then encrypts the message again, sign it and sends it to Client2. (message now contains the cipher, the digest, the servers certificate and the digital signature of the server). Client2 accepts the message, checks the keys, decrypts the message, checks digest and digital signature and if everything is alright then we are ok.
What do you think of this implementation? Have i achieved all 4 subjects? If not, what am i missing, what should i add/delete to the communication and why?
Thank you
7 years ago
So, server does not involve at all (only forwards the payload) and we are still safe? Good. Thank you guys, i appreciate your help.
If i need anything else, ill come back later. Cheers
7 years ago

Ulf Dittmer wrote:Welcome to the Ranch.

when i have to pass the message non encrypted, in order for the server to be able to check its digest

I'm not clear on why the message would be unencrypted - you said encryption being used? Can't the server decrypt the data and then compute its digest?

An alternative would be to compute the digest on the client and then send only the digest to the server. But that depends on what the purpose of encryption and digest are, and from where to where each is sent - which are details we don't know.

First of all, thank you for the quick reply.
Im new to cryptography so i wasnt sure if the server could participate in the cryptography process. So if i understand right, you suggest that client1 sends the encrypted message and the digest to the server, then the server decrypts the message, digest it and then compare the digests. Then encrypt it again and send it to client2 . But now my question is, what keys does the server use to encrypt/decrypt messages? I use public/private keys for the clients(encrypt with the recipients public key and then the recipient decrypts it with his private key). Should i use the same method for the server as well, or is there another more efficient/right way? I use RSA.
Thanks again and sorry for my English
7 years ago
Clients use assymetric cryptography to encrypt/decrypt data. But i also need to check the integrity of the messages, so i use digest. My question is, how do i achieve confidentiality when i have to pass the message non encrypted, in order for the server to be able to check its digest? Does the server participate in the encrypt/decrypt process? If yes, what keys does it use?
Thanks in advance
7 years ago