What is the correct way to use the Crypto Api for encryption and decryption between client and server?

Sounds like you are on the right track if you really are determined to stick with that API :).

Sounds like you are on the right track if you really are determined to stick with that API :) There are two distinct families of encryption algorithms in cryptography. 1) Ones that use symmetric keys and 2) those that use asymmetric keys. Symmetric key algorithms (e.g. AES, DES...) are very fast and should be used as long as there's a safe way to make sure both client and server have the same key (i.e.

Session key) and no one else can gain access to that key. On the other hand, asymmetric key algorithms (e.g.RSA...), which are also known private/public key algorithms, are much more computationally expensive. They have one key which can only be used to encrypt data and a second key which can only be used to decrypt data.

These algorithms, as you found out, are perfect for the initial handshake and session key exchange. The server creates public/private key pair and sends the client the public key. Anyone can intercept it, but when the client encodes the session key and sends that back, pbulic key is useless if an eavesdropper wants to find out the session key.

Only the server can decode the message as it is the only entity that is holding the private key. So your initial problem was that when the message came back, instead of using the private key from the pair, you were using synchronous session key and thus were getting garbage. Essentially you've just implemented the basic handshake that SSL does (and you could easily do with very few lines of code if using OpenSSL library).

Once the handshake is performed you now have a secure channel between the client and the server. The only problem you might have is, what if someone piggy backs on your server's IP address and starts pretending like they are the real server? Your client will think he is talking to the real server, it'll do the key exchange and will start sending secure information, but that information might all end up in malicious hands if an attacker's PC happens to be on the other end.

This is where SSL's use of certificates comes in. Certificates are another example of where public/private keys are used. A trusted authority uses private key to sign certificates hash code and anyone can verify that certificate is valid by using it's attach public key against certificates identity data.

This way even if attacker takes over your server's IP address, it won't be able to spoof your server's certificate.

Thankyou very much for that very informative answer, it's exactly what I needed i.e. A little reassurance! The primary reason I wanted to stick with this API was because I already some have experience with SSL, and although SSL would probably be perfect for this project (i.e.

Data in transport via network, internet etc), it doesn't (as far as I know) allow you to encrypt,sign and hash files or other data that may need to be stored on different media. I feel that having a grasp of both technologies would benefit my education, and perhaps even prove beneficial in a real working situation. – LeeC May 8 at 15:33.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.