I have the impression you want to protect (providing message integrity, message authentication, and confidentiality) messages between a client and a server. The options are:

1. Protect individual messages with known techniques such as S/MIME, CMS and send them over an unprotected connection.
2. Protect the connection between the client and server using known techniques such as TLS or DTLS, and IPSec. Send the message in clear.

S/MIME, TLS, and DTLS protection is integrated with the application. IPSec protection is not integrated with the application.

If you do not like any of those techniques, you can use your own technique. However, it may be option-1, option-2, or a combination of option-1 and option-2.

Level of difficulty to implement:

IPSec: Low. Client and server do not need any new functionality. If your OS kernel has an IPSec stack, you can enable and configure it and you are done.

TLS, DTLS: Medium. Client and server do need modification, making TLS or DTLS API calls. It is relatively simple to implement security using TLS or DTLS; TLS and DTLS API semantics are similar to networking API semantics. It is simpler to implement because a lot of crypto API calls are hidden.

S/MIME (CMS): High. Client and server do need modification. A lot of crypto API calls need to be called to create CMS envelopedData, signedData, creating/verifying digital signatures, encrypting/decrypting using public key and symmetric keys, creating a symmetric key.

If my understanding is correct, Diffie-Hellman is a key agreement protocol; PKI is a public key management mechanism. These two do not provide the protection you are looking for. They enable message protection by providing the crypto keys needed by S/MIME, TLS, DTLS, and IPSec to protect the message.

Erwin

On Wed, May 2, 2012 at 4:46 PM, Alex Chen <alex_c...@filemaker.com> wrote:
> I want to send encrypted information from a client to the server via
> non-SSL connections without using a hardcoded encryption key, i.e. a typical
> scenario. Both client and server have their private key and certificate.
> (RSA key, PEM format)
> I am thinking of two options to exchange the encryption key, which will
> then be used for symmetric encryption/decryption.
>
> 1. Use Diffie-Hellman
> 2. Use PKI
>
> Which approach is better? If I go with 2., what APIs are used to
> extract the private key and public key from the PEM file?
>
> Thanks for the help.
> Alex
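
Option 1 from the reply above (CMS signedData wrapped in envelopedData, sent over an unprotected channel), sketched with the openssl command-line tool as an added example that is not part of the original thread. The file names, subject names and sample message are constructed, and throwaway self-signed certificates stand in for the PEM key and certificate each side already has.

```shell
#!/bin/sh
# Added example: sign-then-encrypt with CMS using each side's PEM key and certificate.
# client.key/client.crt, server.key/server.crt and the CN values are constructed names.

cms_roundtrip() {
    # $1 = plaintext message; prints the message as recovered by the server.
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Throwaway self-signed RSA key and certificate per side (PEM format).
        for who in client server; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
                -subj "/CN=$who.example" \
                -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
        done
        printf '%s' "$1" > msg.txt

        # Client: signedData made with the client's private key gives
        # integrity and authentication; -nodetach embeds the content.
        openssl cms -sign -binary -nodetach -in msg.txt \
            -signer client.crt -inkey client.key \
            -outform PEM -out signed.pem 2>/dev/null || exit 1
        # Client: envelopedData for the server's certificate gives confidentiality.
        # A fresh AES key is generated and wrapped with the server's RSA public key.
        openssl cms -encrypt -binary -aes-256-cbc -in signed.pem \
            -outform PEM -out enveloped.pem server.crt || exit 1

        # enveloped.pem is what would travel over the non-SSL connection.

        # Server: unwrap the AES key with its private key and decrypt.
        openssl cms -decrypt -inform PEM -in enveloped.pem \
            -recip server.crt -inkey server.key -out signed.out || exit 1
        # Server: verify the signature, trusting only the client's certificate.
        openssl cms -verify -inform PEM -in signed.out \
            -CAfile client.crt -out recovered.txt 2>/dev/null || exit 1
        cat recovered.txt
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

# Demo run with a constructed message.
cms_roundtrip "hello from the client"
```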