I am writing an application in Java that will be using SHA-1 HMAC message authentication
Question
I am writing an application in Java that will be using SHA-1 HMAC message authentication. From what I understand, a connection over HTTPS is considered secure enough to share a secret key in plain text, and there is little added benefit to hashing the key before sending it from the client to the server.
So, my implementation would have to share a secret key when the first connection is made. After that, the client would send an API key along with the message that would identify the client and allow the server to look up the correct secret key.
For more information on the approach that I want to use, I am following this guide (Gary Rowe's Multibit Merchant).
The goal is to authenticate the client on subsequent connections.
Is my assumption correct that I can safely send the secret key over HTTPS on the initial connection?
Explanation / Answer
HTTPS itself does not do encryption; it simply relies on SSL/TLS in order to implement some level of security for your communications. The problem lies with the choice of underlying algorithm - SSL 2.0 is already considered insecure due to flaws. Similar (less critical) attacks have also been discovered for SSL 3.0/TLS 1.0, so you can only fully trust HTTPS if you know what the server AND client (browser) use behind the curtains.
Generally, the approach for communicating a secret key (read ANY secret key) assumes an effort of asymmetric cryptography (see RSA, for example). So your client would connect and send his (temporarily generated, if you must) public key and receive the secret key encrypted with this. The message can now only be decrypted by his private key which never appears in HTTPS traffic and is, mathematically, hard to figure out. This is, for the most part, the way HTTPS works.
Normally I would advise against reimplementing any sort of crypto but, if you have no control over the SSL/TLS versions the server advertises, I would go for an encrypted secret key exchange inside the session and leave the rest of the traffic as is. Just remember NOT to implement the primitives yourself - any language out there has a number of functions and libraries dedicated to this, including higher-level primitives for simply encrypting a message with few options.
It all depends on your skill and on the security you want to impose inside the system.
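The two steps the answer describes (wrapping the shared secret with a temporary client RSA key on the first connection, then authenticating each later request with HMAC-SHA1 keyed by that secret and identified by an API key) in one runnable Java program using only the JDK's `javax.crypto` and `java.security` classes. This is an added example, not code from the question, the answer, or the Multibit Merchant guide; the class and method names, the `client-42` API key, the in-memory secret table and the canonical request string are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacApiAuthExample {

    // Server-side table: API key -> shared HMAC secret (constructed for the example).
    private static final Map<String, byte[]> SECRETS_BY_API_KEY = new HashMap<>();

    // Initial connection, as the answer suggests: the client sends a temporary RSA
    // public key and the server returns the HMAC secret encrypted under it (OAEP).
    static byte[] wrapSecretForClient(PublicKey clientPub, byte[] secret) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, clientPub);
        return c.doFinal(secret);
    }

    // Client side: only the private key, which never travels, can recover the secret.
    static byte[] unwrapSecret(PrivateKey clientPriv, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, clientPriv);
        return c.doFinal(wrapped);
    }

    // Subsequent requests: HMAC-SHA1 over the fields that must not be altered in transit.
    static String hmacSha1(byte[] secret, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
    }

    // Server verification: look up the secret by API key, recompute, compare in constant time.
    static boolean verify(String apiKey, String message, String presentedMac) throws Exception {
        byte[] secret = SECRETS_BY_API_KEY.get(apiKey);
        if (secret == null) {
            return false; // unknown client
        }
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(presentedMac);
        } catch (IllegalArgumentException e) {
            return false; // malformed tag
        }
        byte[] expected = Base64.getDecoder().decode(hmacSha1(secret, message));
        // MessageDigest.isEqual runs in constant time, so a wrong tag leaks nothing via timing.
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws Exception {
        // --- first connection: secret exchange ---
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair clientKeys = kpg.generateKeyPair(); // temporary, per-enrolment key pair

        byte[] serverSecret = new byte[32];
        new SecureRandom().nextBytes(serverSecret);
        String apiKey = "client-42"; // constructed identifier handed to the client
        SECRETS_BY_API_KEY.put(apiKey, serverSecret);

        byte[] wrapped = wrapSecretForClient(clientKeys.getPublic(), serverSecret);
        byte[] clientSecret = unwrapSecret(clientKeys.getPrivate(), wrapped);

        // --- later request: API key identifies the client, HMAC authenticates the message ---
        // A timestamp in the signed string lets the server reject stale or replayed requests.
        String canonical = "POST\n/api/orders\n2024-01-01T00:00:00Z\n{\"item\":\"book\"}";
        String tag = hmacSha1(clientSecret, canonical);

        System.out.println("valid:    " + verify(apiKey, canonical, tag));                          // true
        System.out.println("tampered: " + verify(apiKey, canonical.replace("book", "boat"), tag)); // false
        System.out.println("unknown:  " + verify("client-99", canonical, tag));                      // false
    }
}
```

Compile and run with `javac HmacApiAuthExample.java && java HmacApiAuthExample`. Two points worth noting for the design in the question: the request string that is signed should include the method, path, a timestamp and the body so that a tag captured from one request cannot be reused on another, and the server must compare tags with `MessageDigest.isEqual` rather than `Arrays.equals` or `String.equals`. SHA-1's known collision weaknesses do not directly break HMAC-SHA1, but `"HmacSHA256"` is a drop-in replacement in the same `Mac` API if the protocol allows changing it.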