I’m creating an Android application, that at first needed to be able to transmit data to the server securely. So I thought of RSA.
I would send the public key to the user, let him do what he must, then receive back and decrypt via private. That is all fine.
But now it seems, that there should also be some sort of encryption to the other side. Meaning, there should be means of encrypting a message and sending it to the user, and allow only the specific user be able to read it.
This smells like having 2 pairs of keys, and sending public key from one pair and private key from the other to the user, and keeping the rest to the server.
I have looked at symmetric keys, but they somehow seem less secure to me.
Am I missing something, or is this common? I’m somewhat new to the whole cryptography scene.
The usual advice applies: use HTTPS, don’t try to invent a secure messaging protocol. You will most likely fail. If you absolutely need to this, the usual way is to use RSA keys to encrypt symmetric session keys and encrypt your data with those. Also note that the size of data you can encrypt with an RSA key is limited by the key size (1024, 2048, etc. bits).For two way communication, each party needs to have the other party’s public key. So it goes something like this:
Reverse the roles of Alice in Bob in steps 3 to 7 for communicating the other way.
But of course, if you send a public key to someone, how can they be sure that it is actually your key, not mine? If you don’t hand it in person and show your photo ID, this is far from trivial.
Then, you need some way to verify that the (encrypted) message from Bob has not been modified (you can cut in half, and it will still be valid and decryptable; there are other, more sophisticated attacks, of course).
So just convince whoever you need to convince to use HTTPS or some other established protocol, and don’t try to re-invent the wheel.