0

My application automatically downloads updates from a central server. I'm a bit worried about someone, for example, hijacking my domain name and pointing it to their own server that offers subverted copies of the application.

It seems to me like symmetric keys are the way to go about this. I'm thinking I can encode the public key right into the program's source and keep the private key on my sever, then add a step to the protocol where the client sends a message meaning "are you an authorized server" and the server sends back a message meaning "I sure am" encoded with the private key, and thus decoding it with the public key verifies that it came from my server. We then proceed as normal.

Assuming this isn't a completely stupid way to go about things, how do I go about it? What lightweight libraries exist to encode/decode with RSA keys? I don't think I want full TLS with SSL; I don't care who reads the update, and I can't really afford decryption overhead anyway - the download times are annoying as it is!

Schilcote
  • 2,344
  • 1
  • 17
  • 35

1 Answers1

1

The process needs to work something like this...

Server-side:

  • Build your message data on the server
  • Hash it using something like SHA256
  • Use the private key to sign the hash
  • Send the signature and the data to the client

Client-side:

  • Receive data and signature
  • Calculate the hash of the data independently
  • Use the public key to verify that the hash we've generated matches the one signed by the server.

If so, we know the data has been sent by the server and is unmodified. We don't stop anyone else seeing the data, merely from tampering with it.

The reason for doing it this way is the asymmetric encryption is very expensive (and gets more expensive quickly as message size increases). By simply signing a hash, we're limiting the amount of data that we need to process cryptographically, while still ensuring the message is unmodified.

Be aware that this is a very high-level overview and there are lots of details that need to be handled correctly. Anything related to crypto is extremely hard to do correctly. If possible, find a library that already does this and use that instead.

If you can't find something that suits your needs, look into pycrypto or rsa and get reading. This question might be a good place to start, but make sure you read both answers.

Community
  • 1
  • 1
Basic
  • 26,321
  • 24
  • 115
  • 201
  • Excellent! Note that with the above, there's nothing to stop a malicious attacker recording the messages as they go past then replaying them to the client. If receiving messages out of order / multiple times might cause issues, consider adding a sequence / timestamp / similar to the data (as appropriate for your client) and then validating it client-side – Basic Jul 26 '15 at 17:10
  • All a replay attack would do is take some of the load off my server. :P (Well, unless the attacker finds a hash collision, but that's outside the scope of threats I'm willing to put in the effort to protect against) – Schilcote Jul 26 '15 at 17:14