Hi, all!

I was hoping to get some other programmers' opinions on this.

I'm rewriting a remote access application I made a while back. It works similarly to TeamViewer, where both clients make an outbound connection to a central server, so the end users don't have to monkey with port forwarding. Only you host the server yourself.

The first iteration (InstaTech) used an ASP.NET site as the central server and websockets for data transfer, so encryption was really easy with SSL/TLS.

For this version, the server will be a WPF desktop app, and communication will be over TCP sockets. I'm using SocketAsyncEventArgs.aspx) for performance. For encryption, I was trying to implement SslStream.aspx), but it ended up being fruitless. Searching around, I never found an example of how to implement it, and others have posted that they gave up trying as well.

I decided to use end-to-end encryption with AES. Using RSA for the initial key exchange looked like it could be easy to screw up. So I decided to create a small web API project on Azure for the key exchange.

The API generates a key and ID to retrieve it and sends it back to the requester. The requester sends the ID over TCP socket to the partner client. That client sends the ID to the API, which sends back to the key, then deletes it from storage (so the key is only ever given once). This all happens over HTTPS, so now both clients have securely exchanged the key to use for AES encryption.

Assuming I've implemented the AES encryption properly, does this seem sound?

Thanks!