Which attacks are possible concerning my security layer concept?

一个人的身影 2020-12-06 05:11

Despite all the advice to use SSL/https/etc. I decided to implement my own security layer on top of http for my application... The concept works as follows:



        
7 answers
  •  自闭症患者
    2020-12-06 05:59

    While I would also advocate the use of SSL/TLS for this sort of thing, there is nothing wrong with re-inventing the wheel; it leads to innovation, such as the Stack Exchange series of websites.

    I think your security model is quite sufficient and rather intelligent, although what are you using on the client-side? I'm assuming JavaScript since you tagged this post with 'web-development'? Or are you using this to communicate with a plug-in of sorts? How much overhead does your implementation produce?

    Some areas of concern:

    - How are you handling initial communication, such as: user login, registration?

    - What about man-in-the-middle attacks (assuring the client that it is talking to the authorized server)?
