
I am writing a program that uses a webserver as a backend for communication betw


Question

I am writing a program that uses a webserver as a backend for communication between different users. Is it okay to use my own encryption (such as http://www.logikdev.com/2010/11/01/encrypt-with-php-decrypt-with-java/) instead of purchasing an SSL certificate for communication between the program and the server?

In particular, can I hard-code a key into a publicly-distributed program or is there too great a risk of someone decompiling it to discover the security method and using it to snoop on other users' interactions with the server?

I can't imagine that typical users of the program will have access to any communication between the client and server, and someone who would have access to it probably wouldn't realize where the program is to start tinkering around with it; it's not such highly sensitive data in the first place that someone would bother hacking into it.

Explanation / Answer

No, it isn't safe because you expose (in your program) a key which should be secret.

Your proposal is based on symmetric key cryptography, where both ends of the communication channel need a copy of the same key. Symmetric key cryptography is effective only when both ends of the channel are secure. As others have pointed out, a key embedded in a program released to users isn't secure. TLS/HTTPS is built on public key (asymmetric) cryptography, where the information given to the client need not be secret. The secret
