Good day.

The goal is to encrypt communication between the server and the Android client.
The order of action is:
1) The client connects and starts a php session.
2) The server generates / gets a pair of keys, sends the public key to the client.
3) The client, in turn, generates another pair of keys, and sends its public key to the server.
4) Further communication is carried out via this secure channel through POSTs and GETs.

Question: how often is it worth generating new keys? The server and the client can create new keys every time the session starts, but key generation is a complicated and expensive operation, especially when the server is under heavy load. On the other hand, storing private and public keys in a database and on a client device is not too secure.

I will be glad to any answers, tips and links on the topic of competent design of secure client-server systems. I ask you to point out the mistakes and delusions in my reflections, and forgive me for stupidity and naivety.

Thank.

    1 answer 1

    The most important rule in cryptography is to never invent your encryption system. And that's why.

    Your encryption system does not make sense. If an attacker is able to intercept and modify traffic, he will create 2 pairs of keys, let's call them a fake server, and a fake client. Each key is sent to the appropriate side.

    Now, if the server wants to send an encrypted message, it encrypts the key of the fake client with its key (after all, he received this key from the attacker and thinks that this is the client's key). The attacker decrypts the message, and encrypts the client with the real key, and already sends it to the client. Similarly, in the other direction, if the client wants to send a message to the server.

    It turns out that an attacker can completely listen to the communication channel and even change messages.

    All these problems have already been resolved in TLS , and you can use just the transmission of information via https .