I am trying to implement a basic secure channel between two parties that can defend itself against dictionary and block replay attacks.
I want to use the RSA public key cryptosystem as a means of securing the channel. However, I would like to know if the following scenario is effective:
- A generates a private and public key
- A sends B the public key
- B encrypts the message with the public key
- B sends the encrypted message to A
- Now A can decrypt the message using the private key.
Now this is all well and good. However, what if A would like to send a message securely to B? Does this mean we need two pairs of keys, so A would have B’s public key and B would have A’s public key? Is this true? Is this feasible? Also, will some form of random hashing or padding be needed to prevent block replay attacks?
Have a look at Diffie-Hellman key agreement, a protocol to allow two parties to establish a (shared) private key while only communicating publicly. Protection from replay attacks can come from renegotiating the keys frequently so that replayed messages can’t be decrypted by the receiving party, and/or by including a timestamp in the encrypted message and a limited window of acceptability at the receiving end.
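The answer's two ideas, Diffie-Hellman key agreement and a timestamp with a limited acceptance window, as an added example that is not part of the question or the answer: both parties derive the same 32-byte key from a MODP group exchange, each message is then HMAC-authenticated under that key together with a timestamp and a random nonce, and the receiver rejects messages that are stale or that it has already accepted. It assumes only the Python 3 standard library, that the group constant really is RFC 2409 group 2 (verify before reuse), and that the public values are exchanged over an authenticated path; the body is authenticated but not encrypted, since the standard library has no AEAD, so this shows authenticity and freshness, not confidentiality.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group (assumed to match RFC 2409 group 2; verify against the
# RFC before reuse, and prefer a 2048-bit or larger group in practice).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
HDR, TAG = 8 + 16, 32  # 8-byte timestamp + 16-byte nonce; HMAC-SHA256 tag

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1      # private exponent in [1, P-2]
    return x, pow(G, x, P)               # (private, public = g^x mod p)

def dh_shared_key(own_private, peer_public):
    if not 1 < peer_public < P - 1:      # reject the degenerate values 0, 1, p-1
        raise ValueError("invalid peer public value")
    secret = pow(peer_public, own_private, P)
    return hashlib.sha256(secret.to_bytes(128, "big")).digest()  # 32-byte key

def seal(key, body, now):
    # Bind the body to a timestamp and a fresh random nonce under the shared key.
    header = int(now).to_bytes(8, "big") + secrets.token_bytes(16)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag

class Receiver:
    def __init__(self, key, window=30):
        self.key, self.window, self.seen = key, window, set()

    def open(self, msg, now):
        if len(msg) < HDR + TAG:
            return "malformed", None
        header, body, tag = msg[:HDR], msg[HDR:-TAG], msg[-TAG:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad tag", None       # forged or modified in transit
        ts = int.from_bytes(header[:8], "big")
        if abs(now - ts) > self.window:
            return "stale", None         # outside the acceptance window
        # Drop headers too old to be accepted anyway, so the set stays bounded.
        self.seen = {h for h in self.seen
                     if now - int.from_bytes(h[:8], "big") <= self.window}
        if header in self.seen:
            return "replay", None        # same timestamp+nonce seen before
        self.seen.add(header)
        return "ok", body
```

Renegotiating keys frequently, as the answer also suggests, fits this structure by simply creating a new Receiver with the new key; any message sealed under the old key then fails the tag check.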