How secure is this for communication between client and server?

polaris · · 461 次点击    
这是一个分享于 的资源,其中的信息可能已经有所发展或是发生改变。
<p>I will have a client and a server the client will have the public key while the server the private. The client sends some encrypted text to the server where its decrypted and handled... How secure is this? I am planning on using a 2048 Bit key pair.</p> <pre><code>package main import ( &#34;crypto/rand&#34; &#34;crypto/rsa&#34; &#34;crypto/x509&#34; &#34;encoding/base64&#34; &#34;encoding/pem&#34; &#34;fmt&#34; ) var PublicKey string = `-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolMfoU4vdXkaF049Lmqj lLa2zy9CWWe2d8jc38p7MmWRT4rD8YmoKPS4omWcDzSaUq2SKJ6RWZ6a/O2ywD4U TWCQ6VOUjfSAl0cg+PYZbzvB+/yySOS+op98gSSlNJfCt3qgxSwlXdulvh2CZPLi JPcV34d2KEO3eUfdieQwot6re79W8uWVLHoKKtJH1Yr5wDi7UetDkg1OgDEMiXTB wh7B8XIIbiB3wzT7X4xiGjqZw4HD/Wl0i66ypn4+4G7BCQgveEZ2thFNea4PSUru A3GLBAo7Cvt9L5MvgHDkiDbZ4hQIgtyNKDYpkO6BQ7KkWWRtT5E7rMhkQOSfqjrC OQIDAQAB -----END PUBLIC KEY-----` var PrivateKey string = `-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAolMfoU4vdXkaF049LmqjlLa2zy9CWWe2d8jc38p7MmWRT4rD 8YmoKPS4omWcDzSaUq2SKJ6RWZ6a/O2ywD4UTWCQ6VOUjfSAl0cg+PYZbzvB+/yy SOS+op98gSSlNJfCt3qgxSwlXdulvh2CZPLiJPcV34d2KEO3eUfdieQwot6re79W 8uWVLHoKKtJH1Yr5wDi7UetDkg1OgDEMiXTBwh7B8XIIbiB3wzT7X4xiGjqZw4HD /Wl0i66ypn4+4G7BCQgveEZ2thFNea4PSUruA3GLBAo7Cvt9L5MvgHDkiDbZ4hQI gtyNKDYpkO6BQ7KkWWRtT5E7rMhkQOSfqjrCOQIDAQABAoIBAC4xbXzf3Q2XCt+6 +hotaqO1Y0yObFk49GoeFQzyeCCdWr7CBITF4b7V9XzxYXnKRGhm0IMSrNZOFlkH 46hlgi2K33ImwM2s2LM0IKP4lMBcxxVIkgvAXKe2rx2pKgJPda/1C69QosmU6hOy HhtQKx7N2cGksPFAZAP1eYv2Dgkq0hGB4EICAcPATLUqGUJZhU5/Oi2fJQ13qxfi tEpG5zOkYfm9Ak9Ge+LW15cuA+MfTSzjXl7vcpgTfxCmp3F/XBVV/ltlHEGTVAP/ a5Ogy1bQvK3Xfuk2Kin3ejBwgTKbAgdCrXcwWiEgcJWlMOxZ+dd4La26yUzdXdS3 hi8shwECgYEA+7SLwRgUqucRkaGhKuue7lRcPN/fPo1XJmrZEsY5u2UtVfzA3+oC orsu7TA18kI58kpMqnILNTjWcu0zbtLOeHYX+SQCVv1hyPp+PWBVGWGn4m9IFczb PfIs+0BE6uWiaC2dORfwf/gbKc3ILkp5C5RKfs725/2UBwVbnnFzczECgYEApRgp UjZCN5UTeETLjuSO2Jr9rOlzH8bZkDgTF+uK8qv1b2LD7337zUV7KhOyoxxKHVOy 9HN8iNl5MNCTiN2EbKNFmHRyzId3yx2LPpwdL16p9QessbzjuLfKPbIXsTne+Hfr nPXybhO2Dtw+sdSJCxeY+ACcNP8jhqFzKs26rYkCgYBpvbNob0Ffeqs6zvfyHAIs hWwqdrJGiQIvtXt0E6p1O1AMa55rctegnZpdMn+3QnMtgmEqybZDqZkNtvCAgjcT DCmOFL6W5OOLlxApoKqfexMYYT+bSPBh2bdj5eAN/mJ3+ZGvRotWd1iR+005hTfM 0YNqOnAnjbP+LxYKPgcOQQKBgGUWJjbwghsGbKV3eixERjLas/jr+FG8r/peW1KK JsnwAJfzIYXC3isSIBfjd73n1HmghjKng9lHT61UCQIEoNDkJ/jxVFlnmTIFJP1x GW2nyOj/if5KaiTwZCTipx8dECmTQ/EXpxk/eHog4UKBoGfqSv+PYBYTIu2MbbgH wAYBAoGAHeHoO9YeO63cAvPFnB5OmQSXtpPPJYozYRJXf2t/gPGWVuAdrxLNRDE/ qG1NJoPwoRnG1u3LtxodS52S73Sp9gRQ/BtHPu2BxFI0vTU4xk/RL1hxWNTUVlpj x6Y9Ge6g+MaMwyTGmOq5RVwtrp8nx7BJEv+sl0kOR5PO+aI3bx0= -----END RSA PRIVATE KEY-----` var tmp string func main() { fmt.Println(&#34;Starting Encryption...&#34;) var pub *rsa.PublicKey random := rand.Reader block, _ := pem.Decode([]byte(PublicKey)) msg := []byte(&#34;Test Message. 123&#34;) pubInterface, parseErr := x509.ParsePKIXPublicKey(block.Bytes) if parseErr != nil { fmt.Println(&#34;Load public key error&#34;) panic(parseErr) } pub = pubInterface.(*rsa.PublicKey) encryptedData, encryptedErr := rsa.EncryptPKCS1v15(random, pub, msg) tmp = base64.URLEncoding.EncodeToString(encryptedData) fmt.Println(&#34;Encryption Error:&#34;, encryptedErr) fmt.Println(&#34;Encrypted Text:&#34;, tmp) fmt.Println(&#34;Base:&#34;, string(msg)) ///------------------------------------ ///------------------------------------ ///------------------------------------ ///------------------------------------ ///------------------------------------ fmt.Println(&#34;Starting Decryption...&#34;) privateKeyBlock, _ := pem.Decode([]byte(PrivateKey)) var pri *rsa.PrivateKey pri, parseErr = x509.ParsePKCS1PrivateKey(privateKeyBlock.Bytes) if parseErr != nil { fmt.Println(&#34;Load private key error&#34;) panic(parseErr) } decodedData, _ := base64.URLEncoding.DecodeString(tmp) decryptedData, decryptErr := rsa.DecryptPKCS1v15(random, pri, decodedData) fmt.Println(&#34;Decryption Error:&#34;, decryptErr) fmt.Println(&#34;Decrypted Text:&#34;, string(decryptedData)) fmt.Println(&#34;Base:&#34;, tmp) } </code></pre> <hr/>**评论:**<br/><br/>nhooyr: <pre><p>Why not use TLS instead?</p> <p>If you&#39;re trying to write your own crypto, be careful. It&#39;s highly nuanced.</p></pre>SaturnsVoid: <pre><p>I am, Just thought maybe i should add another layer of protection... TBH, i am not that well versed in how TLS works and if the data can be sniffed or caught in a MITM attack.</p></pre>nhooyr: <pre><p>It can&#39;t, that&#39;s why TLS exists, to give you a secure channel over which to communicate a server and client. Just google how to use TLS with Go and you&#39;ll be on your way. The TLS library is very easy to use.</p></pre>SilentWeaponQuietWar: <pre><blockquote> <p>Just thought maybe i should add another layer of protection...</p> </blockquote> <p>For what specific reason? Is there a limitation or vulnerability in TLS that you are concerned with? If not, you are just overcomplicating your code and rebuilding the wheel when there&#39;s a great TLS package part of the standard library</p></pre>Nakji: <pre><p>TLS is extremely secure as long as your certificate authorities are trustworthy and your crypto libs are up-to-date. If you&#39;re really worried about security, look into certificate pinning and configure your server to only use stronger crypto suites (something like the &#34;modern&#34; configuration <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations" rel="nofollow">here</a>). If you want to get really fancy and your application allows it, you can look into also using client certificates, but I&#39;ve heard that getting that working is a colossal headache.</p></pre>janderssen: <pre><p>TLS is designed for this, also, keep in mind that encrypting data with a public/private key has limitations in data length, TLS gets around this by seeding the symmetrical encryption with the public/private key so you can stream data.</p> <p>I would probably lean on the expertise of the more experience for your encryption requirements, as this is a field of many land minefields. </p> <p>Edit: Also from the DOC : WARNING: use of this function to encrypt plaintexts other than session keys is dangerous. Use RSA OAEP in new protocols. <a href="https://golang.org/pkg/crypto/rsa/#EncryptPKCS1v15" rel="nofollow">https://golang.org/pkg/crypto/rsa/#EncryptPKCS1v15</a></p></pre>epiris: <pre><p>You&#39;re going to want to use tls as others have said. It&#39;s not a good idea to use asymmetric encryption to prevent eavesdropping of arbitrary payloads. For example here as soon as your data exceeds the key size your encryption call will fail. The first mistake developers then make is ... putting it in a for loop. Now you have the slowest encryption scheme concatenating ciphertext and spitting it over the internet with a public key.</p> <p>The real issue is they often encode a API key or some form of secret to validate the payload, often because it&#39;s an integration into existing system and tech debt yadda yadda. The danger here is now on any large message a carefully crafted attack can reuse the first Keysize bytes to attempt to alter the remaining cipher text for evil doing.</p> <p>You need a way to identify yourself to the endpoint for future request once your a known entity to them. Well maybe you google message authentication and tack that on, more to get wrong. So yea, use TLS :-)</p></pre>

入群交流(和以上内容无关):加入Go大咖交流群,或添加微信:liuxiaoyan-s 备注:入群;或加QQ群:692541889

461 次点击  
加入收藏 微博
0 回复
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传