RSA key exchange

I want to create a message exchange program. These messages are encrypted with the AES key, and this key is encrypted using the RSA algorithm. When I send a message from User 1 to User 2, I need to request the public key from User 2, do I just get the key and use it or do I need a secure key exchange like Deffie Hellman or something else? If the answer is yes, how will I be able to use the deffie-Hellman algorithm to send this RSA public key? What I read that Hellman’s algorithm generates its own public and private key, and both are dependent on it, then how do I pass the RSA public key?

The second question is whether I encrypted using the AES algorithm only, and here I have to send the public key from the sender to the receiver, then of course I need a secure medium to transfer the keys like Deffie Hellman’s algorithm. but as I mentioned before that this algorithm generates its own public and private key. But I already have the AES public key. Is there a way to pass the AES public key to deffie hellman? please help me I am really confused about that thnx

TLS- Key exchange for session keys. Why?

I have a question about the Key Exchange Algorithm used in TLS process. I have read that the Key Exchange algorithm is used by client and server to exchange session keys. Do the client and server exchange session keys at the end of Handshake process? If they arrive mathematically at the same results for session keys at the end of the process, why would they exchange them?

Examples of SSH key exchange algorithms requiring encryption-capable host keys

In the SSH spec, Section 7.1, key exchange algorithms are distinguished based on whether they require an "encryption-capable" or a "signature-capable" host key algorithm.

If I understood their details correctly, the well-known DH-based key exchanges algorithms such as curve25519-sha256, diffie-hellman-group14-sha256 and ecdh-sha2-nistp256 all require a signature-capable host key algorithm. What are examples of SSH key exchange algorithms that instead require an encryption-capable host key algorithm?

Do you know a trusted Skrill to Paypal Exchange service

I could have transfered it via Payoneer, meaning Skrill to Payoneer then Payoneer to Paypal. Of course we can not transfer money from Payoneer to Paypal instead use Payoneer card in Paypal.

The problem is Skrill needs Euro account of Payoneer so I may transfer the funds to Payoneer and they have not approved my application. Now I have to seek a trusted exchange. If any please let me know.

Exchange SAML for JWT with AAD

I have an internal app that allows users to sign in using Azure AD. On authentication, a SAML assertion is returned. However, some of the calls that the application makes require a JWT. WHat is the best way for me to get a JWT when a user signs in? Or is there a way for me to exchange the SAML for a JWT?

How to exchange public keys between two servers in a secure way?

I have 2 servers with pair of RSA public and private keys.

I need to establish a trust between 2 servers: I need to copy a public key form the first server to the second server and the public key from the second server to the first server.

Note that it is not Diffie–Hellman key exchange (that explained very well here "Diffie-Hellman Key Exchange" in plain English).

The simplest way is just manually copy the public keys from one server to another. Additional option is to use the following homegrown flow:

  1. Generate a one-time token on the first server
  2. Copy the token manually to the second server
  3. The first servers accesses the second server via API. Ase the token for the API authentication. The API implementation exchanges public keys between servers

Any suggestions to improve the flow?

Do we have some best practices flow since homegrown flows usually bad for security?

Industry secure file format like .OFX Open Financial Exchange File [closed]

The .OFX Open Financial Exchange File is a file format created for financial data exchanges between financial institutions.

I was wondering if in the IT security realm, such a file format exists.

My goal would be to use and customize it so that my backend API entry points (that is another story, don’t worry about that)

Using Diffie-Hellman exchange on low power IoT devices

I have almost 0 knowledge of IoT, their protocols and usual device constraints. I had a discussion today with someone that has a fair amount of IoT experience and we were discussing some security related issues and the establishment of a shared key came up. I assumed that Diffie-Hellman would be used but this person seemed to not be familiar with the method and based on their knowledge for low power devices, the keys are actually preloaded inside.

  1. Is this true?
  2. Is the power consumption for a secure DH exchange too high to use on low power IoT devices?
  3. What role does Ephemeral Diffie–Hellman Over COSE (EDHOC) play in this case? Is it a good alternative or still problematic?