C unix, asymmetric encryption on a socket - c

i have a client/server application in C unix, and i need to encrypt/decript the data with something like RSA (but not necessarly RSA). Is there a library (and the correspondent documentation) for this kind of function?

You can take a look at SSL/TLS C API.

For a Client/Server Application, the best way to ensure security is by using TLS/SSL.
The latest version of TLS is TLS 1.2 (RFC 5246) and as WagnerVaz has rightly mentioned, the best opensource library available fro TLS is OpenSSL .OpenSSL not only provides the library for TLS/Crypto. But, it also provides you a tool for generating certificates & private keys (based on RSA/DSA etc) on various formats.
Though OpenSSL is the finest TLS Library available in the market, it is a little difficult to understand and use for a first timer. There is a very wonderful tutorial written by Eric Rescorla himself on using OpenSSL.
An Introduction to OpenSSL Programming (Part - I) /
An Introduction to OpenSSL Programming (Part - II)
It would be best if you first try to get some idea as to what is SSL and then start writing code for the same.
Alternately, let's say you are interested only in assymetric encryption / decryption, still OpenSSL's Crypto Libraries can be used.

Related

Security vulnerability reported as backdoor when using OpenSSL's librypto.a library

My C code uses librypto.a library to link to the compiled source code at the final stage for implementing RSA algorithm.
When a vulnerability scan was done, it comes back with a YARA signature match for the following:
YARA signature "ldpreload" classified file as as "backdoor" based on indicators: "dlopen,dlsym,fopen,fopen64,__fxstat,accept,Accept,open,Open,OPEN,opendir,readdir"
This is because I use the libcrypto.a library from Open SSL. I thought this is a widely used library for implementing crypro algorithms. How to mitigate this issue? Should try to get this whitelisted as I was not able to find any other way of implementing RSA in C without having to use OpenSSL libraries.

Embedded systems file encryption library

I've got a project and a part of it is incorporating encryption into a FAT file system.
The goal of the project is not the encryption, so I'm free to use open-source pre-done libraries.
Ideally what I'm after is a C library which uses RSA, that already has the methods for computing keys and encrypting/decrypting files.
You might want to check out NaCl (pronounced as "salt"), especially since this is for an embedded system.
It has CPU-specific tunings and doesn't require any dynamic memory allocation.
As for licensing, the page (linked above) says "All of the NaCl software is in the public domain".
Regarding library - check Cryptlib . It has dual license and includes quite a lot of functionality.
However, capability to encrypt files right depends on how you write the data and how you expect to do encryption.
Streaming encryption for streams with random access (i.e. when you need to encrypt-decrypt file data on the fly when it's written or read) is not a trivial task and requires certain knowledge of cryptography to employ correct encryption mode and do this right.
On the other hand if you have a file and want it encrypted, CryptLib has PKCS7/CMS implementation to do the job.
You might want to give blowfish a try. It's royalty free and there are several open source C implementations. It was created by Bruce Schneier. Here is an article about using it with embedded systems.

What programs use GSS-API? Any decent sample programs?

I thought I wanted to use GSS-API, but now am not so sure, since I'm having a hard time finding good sample code for a trivial client/server pair. Sun has documentation including sample code, but it's written specifically for their GSS API implementation, using a few proprietary functions not in e.g. the GNU GSS-API (and for which it's not immediately clear to me how to re-implement them against the GNU implementation). Plus, it's written in pre-ANSI C, with K&R function declarations and so on (I had no problem converting the declarations, but it did make me think the Sun example code may be so old as to be irrelevant).
Have you used the GSS-API in an application in, say, the last decade? Do you know of some self-contained tutorial with example programs that's worth reading?
Alternatively, maybe I'm on the wrong track and should try SASL instead. The GNU GSS-API author himself suggests as much.
For what it's worth, I'm using GCC on Linux, and have Kerberos set up already for other purposes.
Yes, you should absolutely be using SASL instead of GSSAPI. It is a much better supported protocol, and the libraries are pretty good. At the very least, you can think of it as a sanity-improving wrapper over GSSAPI, since that is one of the typical plugins implemented for SASL. The only reason you should consider using GSSAPI directly is to implement a SASL library. But don't do that. :)
SASL also has wide use. It is specified as part of IMAP and XMPP.
Are you implementing some custom protocol over TCP?
Sun uses the GSSAPI in their Java code. You can find a bit more information about it here:
Equivalent of 'gss_import_name' and 'gss_init_sec_context' methods in java?
Also you may want to look at the code implementation done by the folks at OpenJDK:
http://www.docjar.org/docs/api/sun/security/jgss/GSSContextImpl.html
They have published a full working example of GSSAPI written in Java.
Grant

Small RSA or DSA lib without dependencies

Is there a small library for RSA or DSA without any dependencies like GMP or OpenSSL? (Written in C or Asm)
You may find LibTomCrypt useful. It's written in C, supports RSA and DSA (along with a host of other algorithms), and is public domain software. You can read about it here.
Take a look at axTLS it's a BSD licensed TLSv1 SSL in C for embedded systems. It's built for POSIX sockets, but is easily ported.
The one thing it's missing is RSA key generation, but it can read X.509 certificates.
It's about 32KB of code space with a small RAM footprint.
Okay I found myself one after searching not so common coder sites http://z0mbie.daemonlab.org/ it's under PGP/RSA-RELATED if someones interested. But are there any others?

Adding a TLS/SSL layer to communications..?

My stuff is made with several components among which some are written in C. As I would like to add some security features, I am thinking of communicating over an SSL/TLS layer.
Could you advise me some good lib to do this (if possible) ?
GnuTLS (Please note that it is mainly LGPL not GPL so you can link to it). At least I prefere it's API over OpenSSL.
Also there is Mozilla's NSS.
We use axTLS which works great on both our server (.NET) and our embedded systems (Linux and uClinux). We had problems getting OpenSSL to work well on uClinux.
axTLS is not as feature complete as OpenSSL yet so make sure it meets your requirements before using it.
How about OpenSSL?
I would suggest not spending your time trying to implement an SSL function in your app. Instead, you could just use an existing SSL-tunnel software, which creates an SSL tunnel in front of your existing socket application.
Internet --- [SSLTunnel] --- Your App
For example, you could tell the SSL tunnel to listen on port 443 (https) and forward all decrypted packets to port 80 (http). For your custom application, it will just see decrypted packets.
There are plenty of free apps that do it. Just google for one.
CyaSSL would be an excellent choice to consider. This is an embedded SSL library written in C which has been optimized for speed and size. It can be up to 20 times smaller than OpenSSL, and can be quite a bit faster as well.
Among the feature list are a minimum size of 30-100kb and an OpenSSL compatibility layer. The full feature list can be found on the yaSSL website here:
http://www.yassl.com/yaSSL/Products_cyassl.html.
It is dual licensed under the open source GPLv2 as well as a commercial license (for support). It is updated very frequently with new features. I think one of the cool features is support for the RABBIT and HC-128 stream ciphers from the eStream project.

Resources