Good afternoon HTS,
I'm hopefully getting some more computing power soon and I hope to set up my own custom proxy server on port 80 by use of a special program running on the client side which securely tunnels straight to the server. My idea is to have it at least partially encrypted to prevent any firewall from snooping it and detecting something suspicious. Note that this is designed to deter anyone who hasn't passed a basic cryptography course, so I'm not getting too fancy with it. I welcome anyone to test out the authentication process of it for any weaknesses (besides data tampering, or else I would have added a MAC on the end of it).
The basic idea is simple: the server generates a 512 byte long Cert (Certificate) and a 512 byte Ckey (Certificate key) and stores both of them in a database. One Cert and Ckey pair is given manually (in the form of .cfg files) to each user to uniquely identify them.
When the proxy software on the client wants to connect to the server, it generates a 512 byte random pad used for authentication called Apad, and sends the server this:
Cert xor Ckey || Ckey xor Apad
( || is appending)
The server compares the given Cert xor Ckey with all of its own database, and if it successfully finds the user, it extracts the Apad from the client message, generates a new 512 byte key called NewCkey, and also generates two 512 byte temporary passwords called tkeyC (temporary key client) and tkeyS (temporary key server); then it sends this:
Apad xor NewCkey || Apad xor tkeyC || Apad xor tkeyS
From there, both the server and client replace Ckey with NewCkey in their files for use during the next authentication process, and the tkeyC and tkeyS are then used in a Vigenère cipher to communicate in secrecy (it's not secure, I know, but it will fool the firewall, and that's all I care).
What do you guys think of this scheme?
- WallShadow <3
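
The exchange described in the post above, as an added example that is not part of the original post: both sides' messages are simulated for two sessions, and `next_token_from_transcript` shows that, since all fields are combined with XOR only, the next session's lookup value Cert xor NewCkey is the XOR of three fields already sent in this session. Class and function names, and the use of Python's `secrets` for the random values, are assumptions.

```python
import secrets

N = 512  # field length in bytes, as in the post

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Server:  # hypothetical name
    def __init__(self):
        self.db = {}         # lookup value (Cert xor Ckey) -> (Cert, Ckey)
        self.session = None  # (tkeyC, tkeyS) of the last accepted client

    def enroll(self):
        cert, ckey = secrets.token_bytes(N), secrets.token_bytes(N)
        self.db[xor(cert, ckey)] = (cert, ckey)
        return cert, ckey    # handed to the user as .cfg files

    def handle(self, msg1: bytes):
        if len(msg1) != 2 * N or msg1[:N] not in self.db:
            return None      # unknown user or malformed message
        cert, ckey = self.db.pop(msg1[:N])
        apad = xor(msg1[N:], ckey)
        new_ckey, tkey_c, tkey_s = (secrets.token_bytes(N) for _ in range(3))
        self.db[xor(cert, new_ckey)] = (cert, new_ckey)  # rotate Ckey
        self.session = (tkey_c, tkey_s)
        return xor(apad, new_ckey) + xor(apad, tkey_c) + xor(apad, tkey_s)

class Client:  # hypothetical name
    def __init__(self, cert: bytes, ckey: bytes):
        self.cert, self.ckey = cert, ckey

    def hello(self) -> bytes:
        self.apad = secrets.token_bytes(N)
        return xor(self.cert, self.ckey) + xor(self.ckey, self.apad)

    def finish(self, msg2: bytes):
        parts = [xor(self.apad, msg2[i:i + N]) for i in range(0, 3 * N, N)]
        self.ckey = parts[0]         # NewCkey replaces Ckey
        return parts[1], parts[2]    # tkeyC, tkeyS

def next_token_from_transcript(msg1: bytes, msg2: bytes) -> bytes:
    # (Cert^Ckey) ^ (Ckey^Apad) ^ (Apad^NewCkey) = Cert ^ NewCkey
    return xor(xor(msg1[:N], msg1[N:]), msg2[:N])

def run_two_sessions():
    server = Server()
    client = Client(*server.enroll())
    m1 = client.hello(); m2 = server.handle(m1); keys = client.finish(m2)
    predicted = next_token_from_transcript(m1, m2)   # from session 1 only
    return keys == server.session, predicted == client.hello()[:N]
```

Deriving the lookup value and session keys through a keyed hash such as HMAC over a fresh challenge, rather than raw XOR of the long-term secrets, removes this linear relation.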