I am developing a Java SE-based application (university intranet) for a computer security course that sends a password (AES encrypted) of a registered user to a server via an HTTP request. It performs the following steps:
- The user registers to the Intranet app.
- The client sends an HTTP request containing the student’s password, encrypted with AES.
- The PHP script now decrypts the AES ciphertext and hashes it.
- The hashed password is stored into the database.
Now from what I have read about AES, I would need a secret key as part of the encryption process. As the server script will need the secret key to decrypt the cipher, would it be a bad idea to use the same secret key each time? Once the script receives the ciphertext it will then use a one way hash function to store it on a database.
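For comparison, here is what the server-side step of the flow above looks like once the transport is left to HTTPS and the script only hashes and stores. This is an added example, not the asker's script: it assumes the PHP page is reachable only over HTTPS, a `users` table with `username` and `password_hash` columns, a database password in the `DB_PASS` environment variable, and a form that POSTs `username` and `password` (plus an `action` field of `register` or `login`); all of those names are assumptions.

```php
<?php
// Added example (not the asker's code). Assumed names: users table with
// username/password_hash, DB_PASS env var, POST fields action/username/password.
declare(strict_types=1);

// Credentials must only ever arrive over TLS: that is the layer that protects
// the password in transit, so refuse to handle a plain-HTTP request at all.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('This endpoint is only available over HTTPS');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$action   = $_POST['action'] ?? '';
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Sanity limits; bcrypt (PASSWORD_DEFAULT) only uses the first 72 bytes anyway.
if ($username === '' || strlen($password) < 8 || strlen($password) > 1024) {
    http_response_code(400);
    exit('Invalid username or password length');
}

// Assumed DSN and credentials; prepared statements keep user input out of the SQL text.
$pdo = new PDO(
    'mysql:host=localhost;dbname=intranet;charset=utf8mb4',
    'intranet_app',
    getenv('DB_PASS') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

function registerUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a fresh random salt per user and runs a slow,
    // one-way algorithm, so equal passwords do not produce equal hashes and a
    // leaked table is expensive to brute-force. Nothing reversible is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one hash verification, even for unknown users, so the
    // response time does not reveal whether the username exists.
    $stored = $row['password_hash'] ?? password_hash('placeholder-for-unknown-user', PASSWORD_DEFAULT);
    $ok = password_verify($password, $stored);

    // Re-hash transparently if the default cost/algorithm has been raised since registration.
    if ($ok && $row !== false && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return $ok && $row !== false;
}

switch ($action) {
    case 'register':
        registerUser($pdo, $username, $password);
        http_response_code(201);
        echo 'registered';
        break;
    case 'login':
        if (checkLogin($pdo, $username, $password)) {
            echo 'login ok';
        } else {
            http_response_code(401);
            echo 'invalid username or password';
        }
        break;
    default:
        http_response_code(400);
        echo 'unknown action';
}
```

The point of the example is that no shared secret key exists anywhere in it: the client sends the plaintext password inside the TLS session, the server never stores anything it could decrypt, and `password_verify()` compares against the salted hash at login.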
If you really want to use a symmetric cypher
OK, I assume you want two entities to communicate by entering the same key on each entity (such as a Bluetooth connection). In that case the question has already been asked, and I'll let you google for some answers, like this
What you certainly want is HTTPS
But apparently you just want a secure communication between a client and a server. In that case you need to use HTTPS (since you use HTTP). HTTPS does all that for you with a handshake and then relies on a symmetric key algorithm to secure the communication.
How it fulfills your requirements
In your very case, if the login page is served in HTTPS: