Server secure connection handshake

 

I would like to know if there are any security concerns regarding the way I want to create a secure client-server connection.

NOTE: I know the most obvious answer to these type of questions is to just use SSL/TLS, but I would appreciate an answer to my specific case.

My connection protocol is as follows (following communication is un-encrypted plain text):

  • client connects to server socket
  • server sends a 2048-bit public RSA key to client
  • client generates a 256-bit AES key, encrypts it with the received public RSA key, and sends it to server (server decrypts it and obtains the secret AES key)
  • client generates a 256-bit HMAC key, encrypts it a client-embedded public RSA key, and sends it to server (server decrypts it and obtains the secret HMAC key)
  • server sends to client the HMAC of the AES key, proving it possesses the private RSA key corresponding to the client-embedded public RSA key, and proving the authenticity of the server

    • All further communication is encrypted with AES and verified with HMAC.

    A man in the middle could easily send their own public key to the client and receive the original public key from the server.

    It could then eavesdrop the conversation in both directions.

    链接地址: http://www.djcxy.com/p/21808.html

    上一篇: 此SSL方案是否有效?

    下一篇: 服务器安全连接握手