I want to send sensitive data from a client to a server using symmetric encryption (AES). How can I ensure secure key exchange over HTTPS?

+1 vote
In my application, I need to encrypt sensitive data on the client side using AES and then send it securely to the server for processing. However, I’m unsure how to manage the key exchange securely over HTTPS. I understand that HTTPS already provides encryption, but I want an additional layer with AES encryption for extra security.

Could someone explain the best way to perform secure key exchange in this setup?
Oct 29, 2024 in Cyber Security & Ethical Hacking by Anupam
• 12,620 points

edited Dec 6, 2024 by Anupam 280 views

1 answer to this question.

+1 vote

In order to send sensitive data from a client to a server using symmetric encryption like AES, you can go through the following practices to ensure secure key exchange over HTTPS:

  • Use HTTPS for Transmission: HTTPS encrypts all transmitted data, including keys, ensuring secure transit.

  • Generate AES Key on Client: Create a unique AES key on the client to encrypt sensitive data, adding an extra layer of security.

  • Encrypt AES Key with Server’s Public Key: Protect the AES key by encrypting it with the server’s public key so only the server can decrypt it.

  • Send Encrypted Key and Data Together: Transmit both the AES-encrypted data and RSA-encrypted AES key over HTTPS.

  • Server Decryption: The server decrypts the AES key using its private key, then decrypts the data using the AES key.

  • Rotate Keys Regularly: Enhance security by generating a fresh AES key for each session or message.

answered Nov 6, 2024 by CaLLmeDaDDY
• 22,940 points
Rotating the AES key for each session or message enhances security. How would you manage scenarios where session data needs to be re-encrypted for long-term storage or audits?
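
The steps listed in the answer above, as an added example that is not the answerer's code, using Node.js's built-in `crypto` module to show both the client and server halves plus a tamper check. The function names, the JSON envelope fields and the sample payload are assumptions made for illustration; RSA-OAEP with SHA-256 and AES-256-GCM are choices made here, since the answer names only RSA and AES.

```javascript
// Added example: hybrid envelope, not code from the original answer.
const crypto = require('node:crypto');

// Assumed choices: RSA-OAEP/SHA-256 for key wrapping, AES-256-GCM for data.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const b64 = (buf) => buf.toString('base64');
const raw = (str) => Buffer.from(str, 'base64');

// Server, once: the private key stays on the server. The client must get the
// public key from a trusted source (bundled or pinned), not an arbitrary response.
function generateServerKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Client: fresh AES key and nonce per message; context is bound as GCM AAD.
function sealForServer(serverPublicKey, plaintext, context) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return JSON.stringify({   // body of the HTTPS POST
    context,
    wrappedKey: b64(crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, aesKey)),
    iv: b64(iv), ciphertext: b64(ciphertext), tag: b64(cipher.getAuthTag()),
  });
}

// Server: unwrap the AES key, then decrypt and authenticate the data.
function openOnServer(serverPrivateKey, body) {
  const msg = JSON.parse(body);
  const aesKey = crypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, raw(msg.wrappedKey));
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, raw(msg.iv), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(msg.context, 'utf8'));
  decipher.setAuthTag(raw(msg.tag));
  // final() throws if ciphertext, tag, nonce or context was altered in transit.
  return Buffer.concat([decipher.update(raw(msg.ciphertext)), decipher.final()]).toString('utf8');
}

function demo() {
  const { publicKey, privateKey } = generateServerKeyPair();
  const body = sealForServer(publicKey, 'account=12345;amount=10.00', 'POST /payments'); // constructed
  const tampered = JSON.stringify({ ...JSON.parse(body), context: 'POST /refunds' });
  let rejected = false;
  try { openOnServer(privateKey, tampered); } catch { rejected = true; }
  return { recovered: openOnServer(privateKey, body), rejected };
}

console.log(demo());
```

In a browser, the client half maps onto WebCrypto (`crypto.subtle`) with the same RSA-OAEP and AES-GCM algorithms.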
