As a learning project, I am trying to implement a secure way to share files with a friend over Dropbox. (I am not looking for existing software, I am doing this in order to learn how to do this right.)
Of course I will not try to invent my own encryption algorithm.
I have a file that I want to send to my friend securely.
We both have my Project-to-be on our machines, and a shared Dropbox folder (although the means of transfer should be irrelevant).
Each of us has an RSA keypair, and we have exchanged public keys using a secure method (in person via USB stick, or via GPGed email).
I will use RSACryptoServiceProvider with a key size of 4096 bits for these keys.
(I am considering moving to 8192 bits soon, since I found out that the huge pause of 8-11 seconds in my test application isn't caused by RSA keypair generation, nor by encryption, but by the key2string or key2base64 operations!)
The keys are stored locally in a text file. The private key is encrypted with AESCryptoServiceProvider in CBC mode, PKCS7 padding, 256-bit.
The IV will be completely randomly generated by the CSP.
The symmetric key will be derived from a password using Rfc2898DeriveBytes (==PBKDF2), 1000 iterations, salt from RNGCryptoServiceProvider.
(Salt length == final key length)
The file is encrypted, again using AESCryptoServiceProvider in CBC mode, PKCS7 padding, 256-bit.
Key and IV will be completely random for each file, produced by the CSP itself.
The IV will be prepended to the encrypted filedata.
This package will be hashed using HMACSHA512 with a random key.
I don't know whether to use RNGCSP or the HMAC internal randomkeygen, because until now I wasn't able to find out how secure that internal method is. (Is this NIST-approved?)
The HMAC will be prepended to the IV:cryptedfile package.
The HMAC-Key and the AES-Key will be (separately) encrypted with my friend's public key, and in such encrypted form be prepended to the package:
cryptedAESKey:cryptedHMACKey:HMAC:IV:cryptedfile
This package will be saved as binary to the shared Dropbox folder, using the same name and extension the original had.
This is because I haven't worked anything out for the filename yet, not even thought about it; suggestions are very welcome.
On the receiving end, of course the process works in reverse:
- enter passphrase to unlock private key
- decrypt HMAC and AES Key
- authenticate file
- decrypt using key and iv
- save as original filename
So, am I doing it right?
In other words, do you see any problems, any faux pas, no-gos, misunderstandings on my side, whatever? I am looking for your experienced verdict on my project: what could be done better, differently, not at all, or additionally? I think I covered all the things in lessons learned and everything my research has brought to the surface.
Right now, I am not interested in hiding the existence of communication. Furthermore, the key handling inside my application is also not of interest right now; I will get into that as a next step (securing memory against dumping etc.) after I've got the crypto part right.
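The package format and the receive-side order of operations described in the question, written out as an added example (not the asker's code): the receiver decrypts only the HMAC key first, checks the tag in constant time, and touches the AES key and ciphertext only if that check passes. It assumes .NET 6+ and RSA-OAEP for the key blobs; field sizes are fixed by the parameters the post chose (RSA-4096, HMAC-SHA512, AES-CBC).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example, not the asker's code; assumes .NET 6+ (RSA.Create, Aes.Create, RandomNumberGenerator.GetBytes).
// Layout from the post: cryptedAESKey:cryptedHMACKey:HMAC:IV:cryptedfile
// Sizes follow the post's parameters: RSA-4096 -> 512-byte blobs, HMAC-SHA512 -> 64, AES-CBC IV -> 16.
static class HybridPackage
{
    const int RsaBlob = 512, MacLen = 64, IvLen = 16, HeaderLen = 2 * RsaBlob + MacLen + IvLen;

    public static byte[] Seal(byte[] plaintext, RSA friendPublic)
    {
        using var aes = Aes.Create();
        aes.KeySize = 256; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        aes.GenerateKey(); aes.GenerateIV();                    // fresh random key and IV per file
        byte[] body = aes.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] macKey = RandomNumberGenerator.GetBytes(64);     // HMAC key from the CSP, not the HMAC default ctor
        byte[] tag = new HMACSHA512(macKey).ComputeHash(aes.IV.Concat(body).ToArray()); // MAC over IV:cryptedfile
        byte[] encAes = friendPublic.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);
        byte[] encMac = friendPublic.Encrypt(macKey, RSAEncryptionPadding.OaepSHA256);
        return encAes.Concat(encMac).Concat(tag).Concat(aes.IV).Concat(body).ToArray();
    }

    public static byte[] Open(byte[] pkg, RSA myPrivate)
    {
        if (pkg.Length < HeaderLen) throw new CryptographicException("package too short");
        byte[] encAes = pkg[..RsaBlob];
        byte[] encMac = pkg[RsaBlob..(2 * RsaBlob)];
        byte[] tag    = pkg[(2 * RsaBlob)..(2 * RsaBlob + MacLen)];
        byte[] iv     = pkg[(2 * RsaBlob + MacLen)..HeaderLen];
        byte[] body   = pkg[HeaderLen..];
        byte[] macKey = myPrivate.Decrypt(encMac, RSAEncryptionPadding.OaepSHA256);
        byte[] expect = new HMACSHA512(macKey).ComputeHash(iv.Concat(body).ToArray());
        // Constant-time compare, and no AES decryption at all unless the tag verifies.
        if (!CryptographicOperations.FixedTimeEquals(expect, tag))
            throw new CryptographicException("HMAC mismatch: package rejected before decryption");
        byte[] aesKey = myPrivate.Decrypt(encAes, RSAEncryptionPadding.OaepSHA256);
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        return aes.CreateDecryptor(aesKey, iv).TransformFinalBlock(body, 0, body.Length);
    }

    static void Main()
    {
        using RSA friend = RSA.Create(4096);                    // stands in for the friend's keypair
        byte[] pkg = Seal(Encoding.UTF8.GetBytes("constructed sample file contents"), friend);
        Console.WriteLine(Encoding.UTF8.GetString(Open(pkg, friend)));
        pkg[^1] ^= 0x01;                                        // flip one ciphertext bit in transit
        try { Open(pkg, friend); } catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

Note that, as in the post's format, the tag covers only IV:cryptedfile; the two RSA-encrypted key blobs in front of it are not under the HMAC.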