hazem12 wrote:
1. In private key, the problem is where will the client save the private key? And what if I want to change the private key?

Can't you embed it into the executable? Is there a compelling reason to change it?
Ultimately you need to embed the key somewhere; if you store it externally to the program (e.g. in XML) you open the key up to abuse. Don't name the property Key or another recognisable name, and some methods for declaring the key are better than others. You'll need to do some research on this.
hazem12 wrote:
2. What if someone sniffs the data, gets the part of the encrypted message that contains the encrypted password, and sends it again to the server from their own program?

This is a problem. The sniffed message can be resent, but the method in the OP will prevent the password from being re-used. You could only accept messages that are less than n seconds old, which would give some protection, but it relies on the server and client clocks being relatively in sync.
You could look at adding a signature to your message (to ensure it hasn't been changed) as well as encryption.
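Added example, not code from this thread or its posters: a message carrying a timestamp and an HMAC-SHA256 signature (the "signature to ensure it hasn't been changed"), and a server-side check that rejects messages outside an n-second window. It goes one step beyond the reply by also remembering signatures already accepted inside the window, so an exact resend within the window is rejected too. The shared key and the n = 30 second window are constructed assumptions.

```python
import hmac
import hashlib
import json
import time

# Constructed placeholder shared secret; in practice this is the embedded key.
SHARED_KEY = b"example-shared-secret"
MAX_AGE_SECONDS = 30  # assumed value of "n" from the reply


def _canonical(msg):
    """Serialise deterministically so client and server sign identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload, key=SHARED_KEY, now=None):
    """Client side: add a timestamp, then sign timestamp + payload with the shared key."""
    msg = dict(payload)
    msg["ts"] = int(time.time() if now is None else now)
    msg["sig"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Server side: verify signature, enforce freshness, reject duplicates within the window."""

    def __init__(self, key=SHARED_KEY, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # signature -> timestamp of messages already accepted

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        msg = dict(msg)
        sig = msg.pop("sig", None)
        if sig is None or "ts" not in msg:
            return False, "missing signature or timestamp"
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):   # constant-time compare
            return False, "bad signature"
        # abs() tolerates the client clock being slightly ahead or behind the server.
        if abs(now - msg["ts"]) > self.max_age:
            return False, "stale message"
        # Forget accepted signatures once they can no longer pass the freshness check.
        self.seen = {s: t for s, t in self.seen.items() if abs(now - t) <= self.max_age}
        if sig in self.seen:
            return False, "replayed message"
        self.seen[sig] = msg["ts"]
        return True, "ok"
```

A tampered message fails the signature check before the timestamp is even consulted, and a message captured and resent after the window fails as stale regardless of the cache.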