Is this encryption?


The task is to encrypt the traffic to prevent interception and spoofing of packets and interception of gaming sessions. I've come up with this, what do you say? Is it reliable?

1. Client registration

The client's password is hashed with SHA256 and sent over an open channel to the server (the hash is exposed once, at registration!)

2. The interaction with the registered client

The client wants to enter the game, so it sends its intention to the server. The server sends the client a random number over an open channel. The client encrypts its password using SHA256 and the random number from the server (RN):


and sends it to the server. The server compares the hash it generated from the password hash and the known random number RN with the one that came from the client:

if(SHA(RN + SHA(PASSWORD))client == SHA(RN + SHA(PASSWORD))server)

If they are the same, the client enters the game.

3. Traffic encryption

Now all traffic is encrypted using the symmetric algorithm Blowfish, and the key is the hash of the password.

data: 1,0,Login
key: 99c2bb3e7c93dd54a206c77388ee09708e39db1a6f544ff6887612495bce3920
alg: Blowfish
Output: tFoTF0Oms+8Z

In total: the encryption key is exposed only at the time of registration, which is not absolutely reliable, but not too scary? You can use Diffie-Hellman for key exchange, but then another problem arises: the algorithm is vulnerable to data modification in the communication channel, including the "man in the middle" attack. If you choose the lesser of two evils, the first is simpler and more reliable, or not?
July 4th 19 at 22:46
4 answers
July 4th 19 at 22:48
As an option, rather than reinventing the wheel, you can try SSL + SSL pinning (against substitution of the certificate).
July 4th 19 at 22:50
Use a library for your programming language. There is no need to reinvent the wheel when everything already exists.
July 4th 19 at 22:52
Use ready-made libraries; there is no need to reinvent the wheel if you are not an expert in this area.

I remembered these articles:
You are dangerously incompetent in cryptography
Why I don't get into cryptography
July 4th 19 at 22:54
Unreliable, and you have formulated the criteria for "evil" incorrectly. Use SSL/TLS/HTTPS, where everything is already done for you.
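The scheme from the question, written out as an added example (not code from the original post or its answers) so its properties can be checked. The hex-string concatenation used for `RN + SHA(PASSWORD)`, the 16-byte RN and all function names are assumptions. It shows that a fresh RN stops a recorded response from being reused, while the value sent in the clear at registration is both the login credential and the traffic key.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def registration_message(password: str) -> str:
    """Step 1: the value sent over the open channel and stored by the server."""
    return sha256_hex(password.encode())


def new_challenge() -> str:
    """Step 2: the server's random number RN (assumed: 16 random bytes, hex)."""
    return secrets.token_hex(16)


def response_from_hash(rn: str, password_hash: str) -> str:
    """SHA(RN + SHA(PASSWORD)); joining the two hex strings is an assumption."""
    return sha256_hex((rn + password_hash).encode())


def client_response(rn: str, password: str) -> str:
    return response_from_hash(rn, registration_message(password))


def server_accepts(rn: str, stored_hash: str, response: str) -> bool:
    # Constant-time comparison of the expected and received responses.
    return hmac.compare_digest(response_from_hash(rn, stored_hash), response)


def audit(password: str = "constructed-sample-password") -> dict:
    stored = registration_message(password)  # crossed the wire once, unencrypted
    rn1, rn2 = new_challenge(), new_challenge()
    resp1 = client_response(rn1, password)
    return {
        "legit_login_ok": server_accepts(rn1, stored, resp1),
        # A fresh RN does stop a recorded response from being replayed.
        "replay_rejected": not server_accepts(rn2, stored, resp1),
        # The check proves knowledge of the registration value, never of the
        # password itself: that value alone produces a valid response.
        "hash_alone_passes_login": server_accepts(
            rn2, stored, response_from_hash(rn2, stored)),
        # Step 3 uses the same value as the Blowfish key for every session.
        "hash_is_traffic_key": registration_message(password) == stored,
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```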
