I am building a client-server programming in c with communication between then over ESP/IPSEC.
Server on every new client connection, generate a random/unique CK/IK which was transmitted to client by some secure mechanism. I have create association and policies for different client in SPD and SAD of kernel using the PF_KEY socket programming. But this mechanism has some problem,
it start getting slow as soon as 80,000 association is created and my requirement is for 1000,000 association for load testing.
I have come to know that PF_KEY socket mechanism is old and outdated and insecure. This mechanism is KLIPS. There are two mechanism, KLIPS and NETKEY.
How to create association of IPSEC through NETKEY mechanism in c programming in user space?
I would strongly recommend that you use Wireguard over Ipsec, it is way better, approved by Linus Torvald and developed by very talented security researcher.
Sorry if it is slightly offtopic but you look like you are still exploring. Ipsec is from the 1990s, and it indeed brought a lot along the years, but Wireguard was started from scratch just few years ago with the merit of having a very short (and easily auditable) code, that was also optimized with the latest technologic breakthroughs.
You can find this beautiful project, its mirror, on Github, and it is mainly coded in C (as for the original project).
NB: Wireguard encrypt traffic through https (port 443), so it also allow users to go through all the kind of great firewalls built by dictatorships 2.0 around the world, as everyone needs to access https.
You can use the DaVICI plugin of StrongSwan.
https://github.com/strongswan/davici
Related
In previous versions of Arduino, the limiting 8-bit microcontroller board, it seems that implementing HTTPS (not merely HTTP) was almost impossible. But the newer version of Arduino Due provides 32-bit ARM core - see spec here.
I tried to check several network libraries (libcurl, openssl, yaSSL), but I didn't find anyone that was already ported to work with Arduino Due.
OpenSSL is probably too heavy to be able to run on this processor, but I believe that yaSSL as an embedded library should be possible to do.
Do you have any information of a library that I can use to trigger HTTPS requests on Arduino Due?
Unfortunately this is too long for a comment.
► No out of the box solution
From what I have gathered, there is no straightforward solution for a webserver running on the Atmel SAM3X8E ARM Cortex-M3 CPU that outputs HTTPS out of the box.
Texas Intstruments provides better options at the moment using their boards equipped with a Stellaris Microcontroller ARM Cortex-M3 CPU.
► Alternative
There are several options available that render cryptographic functions, based upon which one could lay out and implement a simple secure communication protocol that communicates with an intermediary device, which in turn facilitates Rapid Application Development and SSL.
This intermediary device, for instance an off-the-shelf 70$ Android smartphone that keeps your project mobile and connected, runs a service on a specified port which in turn communicates with Amazon SQS. Already available. This may sound ugly or tough, but is much easier than doing the programmatic groundwork for a webserver with full TLS 3 support on the Arduino. Given the proper motivation the latter may be easy, but not if one just wants a fast pragmatic solution to one's own project.
► Cryptographic libraries
crypto-arduino-library http://code.google.com/p/crypto-arduino-library/ (not maintained since 2010)
matrixssl
mbed TLS (formerly PolarSSL)
wolfSSL (formerly CyaSSL)
► Discussions
Following is a list of discussions to get you started:
HTTPS alternative on Arduino
SSL from a Microcontroller
Lightweight Packet Encryption
Many of these libraries would still need to be adapted, but community experts can help you with that fairly quickly.
Good luck! If you are at liberty to upload your final project to github then you just gained a thanks and a follower.
IMHO Arduino (including the DUE) is the wrong tool for heavy and/or encrypted web based communication. I would strongly suggest to look for more appropriate hardware in the same size and price range. As soon you get into https you are close enough to also want a lot of the other stuff that real operating systems provide. With other words I suggest to go for something like the Raspi. Similar size and prize but way more powerful, especially it can run Linux. --> HTTPS becomes simple.
The big problem with https support on an arduino is the danger of overloading your processor which could make the project unviable.
Even embedded platform targetted solutions like PolarSSL can eat up too much memory and use too much processing power. Remember that even on the most streamlined implementations, SSL support is going to have to be generalized for wide adoption and will include components that you won't find necessary. There's also the question of which Certificate Authorities you will trust and how you will communicate with them for things like certificate revocation.
I would look instead towards a solution that isn't as broken on the surface for your needs. Something like CurveProtect, which is an implementation of CurveCP.
Of course, your decision will largely be based on what you want to do and how much time you want to spend figuring the problem out. PolarSSL has a footprint that can be as small as 30K (more typically close to 100K).
I am currently building a chat server (meebo style).
The architecture is something like this.
Bitlbee over libpurple is on host B. Its a trivial server on data center.
User communicates with bitlbee via web server (just like meebo) on Host A. The backend of this web server maintains chat session. It just translates the user commands to proper bitlbee comamnd and sends back to host A.
The most important part here is that host A will be deployed in embedded Linux.
I have 2 questions.
To keep the chat session persistent I am thinking of using node.js. As its much more easier to create a real time application with persistent connection. But I doubt if its supported in such platform.
If I use C instead of node.js (I am not using any web server) I can talk to the irc server at host A by libirc. But how do I implement all the web server features in C (like session, url/cookie/post data parsing etc) ?
Also if you think my approach is wrong or there is a better approach please tell me how can I improve this architecture?
Note: This is NOT a high volume chat server.
If building V8/Node.js is prohibitive on the embedded platform, the next best thing would be to take the event loop and platform layer (libuv) and HTTP parser (http-parser) of Node, both written in C and use those as a starting point. These are the same libraries used to build Node.js so they are battle tested and will give you the performance characteristics you seek.
Ryan Dahl, author of Node.js, demonstrates exactly how to use libuv and http-parser to build an asynchronous web server in C.
Put a ZNC server between Bitlbee and the web-based IRC client. Bitlbee will think that the user has never logged out and ZNC can maintain a backlog of messages until the user connects again with the web client.
I would try to go with node.js if that is your choice, also what embedded system is it? As knowing that would help more. Also, another plus for node.js is that it does have session handling built it, but if you wanted to do it in C try and see if you can get a sqlite wrapper running on the embedded device to store the session information.
But, if possible stick to something with less work on embedded devices, feels bad to reinvent a lot of stuff or have to fiddle with compile issues for your device.
I am currently looking to add encryption to a server application (programmed in C) that passes raw data, unencrypted data over TCP to clients (a large number of different applications programmed in many different languages).
What is the best way to do this? Public-key cryptography? If so, how would the process go?
Thanks!
If you have to ask, you're probably not qualified to be doing cryptographic work. It is far to easy to make a subtle mistake in crypto processing that breaks your entire system's security, and unlike most other bugs, it is not at all obvious until someone else breaks your system.
Just use SSL (aka TLS). The folks that designed the SSL/TLS specs and libraries have already done all the hard work for you.
SSL: secure socket layers, which initiates and transmits encrypted data.
TLS: transport layer security, which asks to starttls and the answer to that is a list of capabilities, then the transmission can continue using the best mutually accepted encryption.
Note: the capabilities may include cleartext.
I suggest reading upon how to extend your existing protocol to support TLS, by looking at an example, say, the smtp starttls( rfc 2487 ). your time invested will be rewarded.
OpenSSL suits my needs! A quick view at the documentation and tutorials pointed me in the right direction.
I see that lwIP has some AutoIP (aka IPv4LL, aka RFC 3927) code, but I can't tell if it does anything higher up in the Zeroconf stack, namely mDNS and DNS-SD (with RFC 2782).
So, does lwIP support DNS-SD service discovery? If not, would it be easy to port code from a project like Avahi that does (assuming licensing allows it)?
No, lwIP does not support any part of Zeroconf except AutoIP.
I've not looked at Avahi but porting Apples mDNSResponder to lwIP
is quite straightforward. There is one bit of nastiness where you
have to pull back the pbuf headers to access the IP header to get the
sender IP (I think a "proper" method for this is in the works
for lwIP but AFAIK it's not in a release yet).
With mDNSResponder you get both service advertisment and discovery.
I can't comment on the LWIP part of your question (the last time I used LWIP it didn't even have IPv4LL support), but you might be interested to know that Apple have open-sourced their mDNSResponder code, available from here:
http://developer.apple.com/networking/bonjour
The interesting thing about this implementation is that they provide a VxWorks platform layer which may well be a better match for porting to your embedded target than the Avahi library.
The lwIP web site has a task tracker with the following three items (it looks as though they were added around 2010, around the time this question was originally asked):
Add "One shot" Multicast DNS Queries (.local) to dns.c
Marked done, Dec 2016. It provides a subset of ZeroConf functionality. It is not a complete solution, but could be a good basis to build upon.
Create "mDNSQuerier" module to support multiple response and continuous Multicast DNS queries
Create multicast DNS Responder module enabling LwIP applications to support multicast DNS host name resoltuion
On 28 August 2015, these latter two tickets were marked "Cancelled" with the note "Cancelled since noone seems to want to work on this."
Here is a very small mDNS responder which can be ported rather easily to lwIP:
https://bitbucket.org/geekman/tinysvcmdns
Apples mDNSResponder is still rather heavyweight for very small systems (in terms of RAM usage), so if only basic functionality is required this one may be preferred.
In short: Is there any known protocol for remote process management?
I have a system that contains several applications, each has it's own computer in a local network. When the applications are up and running, they communicate without any problems.
What I'm interested in is a protocol to manage the remote applications startup, shutdown and monitoring. By monitoring I mean getting error codes (predefined) when something goes wrong. Ideally I would control the whole system from one managing application and get status about what's going on.
I once worked in a place that wrote an in-house protocol that did this. However, I wish to avoid writing it again if someone already figured this out.
Edit: some more details:
Platforms in use are Windows and Linux, both on x86.
On Windows, C/C++ and .NET are used. On Linux, C/C++.
Why bother with homegrown solutions instead of using tried and tested technology? Unless you only employ programmers who are MENSA members with 30+ years of experience, your solution will be less robust and costlier to maintain.
You failed to mention any details about the platform you're using, so I'll assume a Unix-ish system. I would go with (and have been going with for years)
SNMP for monitoring
either daemontools or cron + scripting (as a distant second choice) for supervision and restart
ssh/scp with RSA authentication for interactive intervention, remote command execution, and occasional transfers