I am developing a client server application in which data is transferred between two clients through the server.
The data should be encrypted and I thought of using AES. My thought was to use PBKDF2 in order to derive the AES key from the client's password.
In this case the client will encode the data, the server will decode it, reencode it using the 2nd client's password and send it to the 2nd client.
Do you think this is the best way to implement this?
Is there a way for the first client to encode and the 2nd client to decode without server interference?
How can I encrypt the AES key and transfer it from one client to the other?
What do you think of the following solution?
- Client and server create a private AES key using Diffie-Hellman (this key is specific to each client).
- Transmitting client creates a session AES key and encodes it using the private AES key.
- Server decrypts the session key and re-encrypts it for every client in the session (using each client's private key).
- Transmitting client encrypts the data using the session AES key and sends it to the server.
- Server sends the data to all recipient clients without any required processing.
You could also use Diffie–Hellman key exchange. What programming language do you use?
You could use an asymmetric encryption algorithm to send the AES key securely and then use this key for symmetric AES encryption/decryption. The communication could go like this:
- A client wants to talk to a server with encrypted messages.
- The client generates a pair of public/private keys and sends the public key to the server.
- The server uses the public key to encrypt some secret key and sends it back to the client.
- The client uses his private key to decrypt the secret (both now know the secret key to encrypt/decrypt their communication).
- The client uses AES with the secret key to encrypt the message he wants to send to the server.
- The server uses the secret key to decrypt the message.
You must create your own protocol for the communicating part of your program first, or use available secure protocols such as HTTPS. The only thing that I can tell you is that heavy computing operations such as encryption/decryption must be passed by clients first and then the server processes reliable requests.
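The end-to-end variant the question asks about (first client encrypts, second client decrypts, server only relays), as an added example that is not part of the original posts. It assumes Node.js with its built-in crypto module, X25519 for the Diffie-Hellman step, HKDF-SHA256 to derive the key and AES-256-GCM for the data; all function names and the "example-e2e-v1" label are hypothetical.

```javascript
// Added example; function names and the relay model are assumptions.
const { generateKeyPairSync, createPublicKey, diffieHellman, hkdfSync,
  randomBytes, createCipheriv, createDecipheriv, createHash } = require("node:crypto");

// Private key stays on the client; only the public key (DER) is sent to the server.
function newClient() {
  const { publicKey, privateKey } = generateKeyPairSync("x25519");
  return { privateKey, publicDer: publicKey.export({ type: "spki", format: "der" }) };
}

// Value both users compare out of band; a relay that swaps keys changes it.
function fingerprint(publicDer) {
  return createHash("sha256").update(publicDer).digest("hex");
}

// Diffie-Hellman shared secret -> HKDF-SHA256 -> 32-byte AES-256-GCM key.
function sessionKey(privateKey, peerPublicDer) {
  const publicKey = createPublicKey({ key: peerPublicDer, format: "der", type: "spki" });
  const secret = diffieHellman({ privateKey, publicKey });
  return Buffer.from(hkdfSync("sha256", secret, Buffer.alloc(32), "example-e2e-v1", 32));
}

// Output layout: nonce(12) || tag(16) || ciphertext, fresh random nonce per message.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const enc = createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([enc.update(plaintext), enc.final()]);
  return Buffer.concat([nonce, enc.getAuthTag(), body]);
}

// Throws when the key is wrong or any byte was modified in transit.
function unseal(key, msg) {
  if (msg.length < 28) throw new Error("message too short");
  const dec = createDecipheriv("aes-256-gcm", key, msg.subarray(0, 12));
  dec.setAuthTag(msg.subarray(12, 28));
  return Buffer.concat([dec.update(msg.subarray(28)), dec.final()]);
}

// The server in this model only forwards bytes and never holds a key.
const relay = (bytes) => Buffer.from(bytes);

function demo() {
  const a = newClient(), b = newClient();
  const keyA = sessionKey(a.privateKey, relay(b.publicDer));
  const keyB = sessionKey(b.privateKey, relay(a.publicDer));
  const wire = relay(seal(keyA, Buffer.from("hello, client 2")));
  return { keyA, keyB, wire, text: unseal(keyB, wire).toString() };
}
console.log(demo().text);
```

Nothing in this exchange authenticates the public keys, so the two clients have to compare fingerprint() values over a separate channel, or sign the keys with long-term identity keys, before trusting the derived session key.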
Source: https://stackoverflow.com/questions/1778637/client-server-aes-encryption