I built a client-server system where clients subscribe to securely exchange data with other clients through the server.
Here are the properties of my system:
- Client-server communication is SSL encrypted.
- Interface login data is stored safely as hashes, with their salts, in a database kept locally on the server.
- To enter the system, each client sends a public session key for storage on the server, which other clients use to encrypt the symmetric key. The symmetric key is used for later message encryption to prevent server interception.
- When starting a chat, user authentication with a fingerprint is used to ensure that the user is who he or she claims to be. This is usually done by reading the fingerprint over a phone call; the fingerprint is the SHA256 hash of both public keys, split in two and XORed for convenience.
- A MAC is sent along with each message.
What do you propose to improve? What possible attacks could be carried out against my server?
Thanks