Computer networks
Grrrr, 2016-09-21 14:57:39

Is this encryption secure?

Hello,
The task is to encrypt the game's traffic in order to prevent interception and substitution of packets and the interception of game sessions. I came up with this; what do you say? Is it reliable?
1. Client registration
The password from the client is hashed with SHA256 and sent over an open channel to the server (the hash is exposed once, during registration!)
2. Interaction with a registered client
The client wants to enter the game, sends an intent to the server. The server sends a random number to the client over an open channel. The client encrypts its password using SHA256 and a random number from the server (RN):
CPASSWORD = SHA(RN + SHA(PASSWORD))
It sends this to the server, and the server compares the hash it generates from the password hash and the known random number RN with the one received from the client:
if(SHA(RN + SHA(PASSWORD))client == SHA(RN + SHA(PASSWORD))server)
if they match, the client enters the game.
3. Traffic encryption
Now all traffic is encrypted using the symmetric Blowfish algorithm, and the password hash is used as the key.
data: 1,0,Login
key: 99c2bb3e7c93dd54a206c77388ee09708e39db1a6f544ff6887612495bce3920
alg: Blowfish
Output: tFoTF0Oms+8Z
In summary: the encryption key is exposed only at the time of registration, which is not absolutely reliable, but not very scary either? You could use the Diffie-Hellman protocol for key exchange, but then another problem arises: the algorithm is vulnerable to data modification in the communication channel, including the "man-in-the-middle" attack. If you choose between two evils, does the first seem simpler and more reliable, or not?
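
The three steps above, simulated as an added example (not code from the original post), to show what the registration hash is worth to whoever holds it: it answers any challenge and it is the traffic key for every session. Assumptions: SHA is SHA-256, RN is 16 random bytes, `+` is byte concatenation; all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Server:
    """Server side of the scheme as described in the question."""
    def __init__(self):
        self.stored = {}     # login -> SHA256(password), as sent at registration
        self.challenge = {}  # login -> outstanding RN

    def register(self, login, password_hash):
        self.stored[login] = password_hash

    def new_challenge(self, login):
        self.challenge[login] = secrets.token_bytes(16)
        return self.challenge[login]

    def verify(self, login, response):
        rn = self.challenge.pop(login)  # each RN is accepted once
        expected = sha(rn + self.stored[login])
        return hmac.compare_digest(expected, response)

def client_response(rn, password):
    # CPASSWORD = SHA(RN + SHA(PASSWORD)), computed from the password
    return sha(rn + sha(password.encode()))

def response_from_hash(rn, password_hash):
    # The same value, computed from the registration hash alone
    return sha(rn + password_hash)

def demo():
    server = Server()
    password = "correct horse battery staple"  # constructed sample value
    registration_msg = sha(password.encode())  # step 1: crosses the open channel
    server.register("player1", registration_msg)
    # Step 2: login by the client that knows the password
    rn = server.new_challenge("player1")
    legit_ok = server.verify("player1", client_response(rn, password))
    # Step 2 again: login by a party holding only the registration message
    rn2 = server.new_challenge("player1")
    hash_only_ok = server.verify("player1", response_from_hash(rn2, registration_msg))
    # Step 3: the traffic key is the password hash, identical in every session
    key_session_1 = sha(password.encode())
    key_session_2 = sha(password.encode())
    same_key = key_session_1 == key_session_2 == registration_msg
    return legit_ok, hash_only_ok, same_key

if __name__ == "__main__":
    print(demo())
```

The fresh RN prevents replay of an old response, but the long-term secret in this design is the hash itself, not the password, and no session gets a key of its own.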


4 answer(s)
Alexey, 2016-09-21
@grrrr

As an option - without reinventing the wheel, you can try SSL + SSL Pinning https://habrahabr.ru/company/dsec/blog/229849/ (against certificate substitution)

sim3x, 2016-09-21
@sim3x

Use libraries for your programming language; there is no need to reinvent the wheel when everything is already there

Michael, 2016-09-22
@Sing303

Use ready-made libraries; you don't need to reinvent the wheel if you are not an expert in this field.
An article came to mind: "You are dangerously incompetent in cryptography"

napa3um, 2016-09-21
@napa3um

Unreliable, and your criteria for "evil" are wrong. Use SSL/TLS/HTTPS, everything is already done for you.
