-2

What I'm trying to do is send information in web requests between a application I've made for a computer, and obviously a web server.

I want this information to be encrypted for security issues, this software may be something people want to crack and I don't want them seeing whats being exchanged between the client and the server.

So, my question is, what is the most efficient way to encrypt data on the client side, send it to the server side, then be decrypted. And then also in reverse with the server encrypting and the client decrypting.

EDIT: I just want a method of valid encryption for the data being sent between the client and the server. A secure way to encrypt data on the client, then send it to the server, and have it decrypted. This whole thing was described very poorly. As programs such as fiddler, can monitor the requests sent from the C++ application to the server, and the response it gives back. All in plain text. I just need this data and response to be encrypted and be able to be decrypted on both sides.

levaa
  • 65
  • 10
  • 4
    Have you ever heard of HTTPS ? – Arthur Attout Apr 05 '18 at 19:45
  • What kind of client and server side languages? –  Apr 05 '18 at 19:45
  • 1
    There's literally like 20 questions like this that get asked everyday... The answer is the same to all of them... Use HTTPS. – Luke Joshua Park Apr 05 '18 at 19:46
  • Yes HTTPS, SSL/TLS would be appropriate when a web server is used. – Martin Apr 05 '18 at 19:46
  • 1
    @Martin Or even broader. For almost any sort of communication between two end points, it is appropriate to use TLS. That's why these questions frustrate me so much! – Luke Joshua Park Apr 05 '18 at 19:49
  • HTTPs does nothing in this scenario. Use web debugging programs, you can monitor the data and the data sent in requests from your computer. HTTPS or not. @LukeJoshuaPark – levaa Apr 05 '18 at 19:54
  • 1
    @leavaa What then, in your opinion, is the purpose of HTTPS if not to encrypt communication? – Luke Joshua Park Apr 05 '18 at 19:57
  • @LukeJoshuaPark; yeah I can image. Maybe in some cases skipping TLS could make sense. – Martin Apr 05 '18 at 20:02
  • @LukeJoshuaPark Not if you include certificate pinning. While it is possible to circumvent pinning, precisely the same techniques will circumvent whatever encryption you implement here. It is not possible to fully protect your network traffic from legitimate users of your client, but HTTPS+CertPinning is the right first step. It is precisely the type of encryption you are describing. https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning – Rob Napier Apr 05 '18 at 20:03
  • @RobNapier I'm not sure what comment of mine you are responding to, nor how certificate pinning is relevant? – Luke Joshua Park Apr 05 '18 at 20:08
  • Sorry; I mean to at-levaa regarding "Use web debugging programs" – Rob Napier Apr 05 '18 at 20:10
  • Always the first counter question: **what attack scenario in particular are you trying to protect yourself from?** – deceze Apr 05 '18 at 20:25
  • @levaa - Your edit doesn't make the question any clearer. It feels like HTTPS/TLS should do what you want. If it is inadequate, you should indicate that *in the question* and describe what specific shortcoming of it you want to overcome. Read [the perfect question](http://codeblog.jonskeet.uk/2010/08/29/writing-the-perfect-question/), then edit the *whole* question and make it something that is sensible to others without having to ask questions for clarification or make guesses as to what might work for you. – NightOwl888 Apr 06 '18 at 06:30

2 Answers2

1

The tool you want is a pinned TLS certificate. See the OWASP introduction to the topic.

The point of pinning a certificate is that your HTTPS session will not trust every root in the local keystore. It will instead only trust a limited number of roots, specifically the ones you specify (and ideally control). With that, it is not possible to simply inject a rogue root certificate into the local keystore in order to monitor local traffic.

That said, it is not particularly difficult to circumvent pinned certificates if you control the machine the client is running on. But it is not particularly difficult to circumvent any simple mechanism if you control the machine the client is running on. The techniques used to circumvent certificate pinning (namely, modifying the client), will circumvent every client-side encryption scheme.

This is discussed regularly on StackOverflow, and has been for years. Here is one of the various answers that links to several others:

Secure https encryption for iPhone app to webpage

The key lesson is that "anti-cracking" is not "security." It is achieved through obfuscation and other anti-reverse-engineering techniques. This is not a winnable problem. It requires ongoing improvements as attackers defeat your defenses. You should expect to allocate non-trivial resources to this on an ongoing basis, or you should apply modest resources (like pinning) and accept that they won't be very effective but they aren't very costly to manage.

(I used to do this as part of a team of over a dozen full-time people committed to preventing these kinds of attacks. We spend millions of dollars a year on the problem, working together with law enforcement around the world, and deploying extensive custom security hardware. We still got beaten and had to adapt our methods as attacks improved. That's what I mean by "non-trivial resources.")

Rob Napier
  • 286,113
  • 34
  • 456
  • 610
  • Why is certificate pinning relevant here? There is nothing in the question to suggest that it is necessary? – Luke Joshua Park Apr 05 '18 at 20:11
  • Just saw your other comment. I think the OP is referring to "I can see the request in Chrome debugging tools..." Or something along those lines. I don't think he is inherently trying to protect the data from the actual user of the application. I might be wrong. – Luke Joshua Park Apr 05 '18 at 20:13
  • 1
    Without cert pinning, as @levaa notes, local users can trivially circumvent TLS. With cert pinning, it is somewhat more difficult. The OP noted "may be something people want to crack" which suggests the "attacker" in this case is someone with access to the client and the machine the client is on. There is no complete solution to this problem. It is an expensive and ongoing effort if you need this. – Rob Napier Apr 05 '18 at 20:14
  • I just want a method of valid encryption for the data being sent between the client and the server. A secure way to encrypt data on the client, then send it to the server, and have it decrypted. – levaa Apr 05 '18 at 23:50
  • You got it: HTTPS with pinned certs. What kind of security beyond that are you looking for? If you just want a simple extra layer of encryption, I maintain RNCryptor (https://github.com/RNCryptor), which is easy to use, available on several platforms, and IMO securely implemented. Lots of people use it the way you're describing. But if you put the password in the code (and where else are you going to put it), it doesn't much more protection than HTTPS+PinnedCerts. – Rob Napier Apr 06 '18 at 00:03
0

Use SSL to encrypt traffic between client and server.

Tony Stark
  • 2,318
  • 1
  • 22
  • 41