I am currently looking to add encryption to a server application (programmed in C) that passes raw, unencrypted data over TCP to clients (a large number of different applications programmed in many different languages).
What is the best way to do this? Public-key cryptography? If so, how would the process go?
Thanks!
If you have to ask, you're probably not qualified to be doing cryptographic work. It is far too easy to make a subtle mistake in crypto processing that breaks your entire system's security, and unlike most other bugs, it is not at all obvious until someone else breaks your system.
Just use SSL (aka TLS). The folks that designed the SSL/TLS specs and libraries have already done all the hard work for you.
SSL: secure socket layers, which initiates and transmits encrypted data.
TLS: transport layer security, which asks to starttls and the answer to that is a list of capabilities, then the transmission can continue using the best mutually accepted encryption.
Note: the capabilities may include cleartext.
I suggest reading up on how to extend your existing protocol to support TLS by looking at an example, say, SMTP STARTTLS (RFC 2487). Your time invested will be rewarded.
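An added example (not part of the original answer): a client-side check for the "capabilities may include cleartext" case, which refuses to continue when an SMTP-style EHLO reply does not advertise STARTTLS. The sample replies, host name and function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed EHLO replies: one advertises STARTTLS, one has it stripped. */
const char EHLO_WITH_TLS[] =
    "250-mail.example.test\r\n250-SIZE 10240000\r\n250-starttls\r\n250 HELP\r\n";
const char EHLO_STRIPPED[] =
    "250-mail.example.test\r\n250-SIZE 10240000\r\n250 HELP\r\n";

/* Case-insensitive compare of n bytes (SMTP keywords are case-insensitive). */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return false;
    return true;
}

/* True if a capability line after the greeting is exactly kw (plus optional params). */
bool ehlo_advertises(const char *reply, const char *kw)
{
    size_t klen = strlen(kw);
    const char *line = strstr(reply, "\r\n");      /* skip "250-<domain>" */
    while (line && *(line += 2)) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 4 + klen && memcmp(line, "250", 3) == 0 &&
            (line[3] == '-' || line[3] == ' ') && ieq(line + 4, kw, klen) &&
            (len == 4 + klen || line[4 + klen] == ' '))
            return true;
        line = eol;
    }
    return false;
}

/* Client policy: cleartext is never an acceptable fallback. */
typedef enum { SEND_STARTTLS, ABORT_NO_TLS } next_step;
next_step decide_after_ehlo(const char *reply)
{
    return ehlo_advertises(reply, "STARTTLS") ? SEND_STARTTLS : ABORT_NO_TLS;
}

/* Only a 220 reply to the STARTTLS command permits starting the handshake. */
bool starttls_accepted(const char *reply)
{
    return strncmp(reply, "220", 3) == 0 && (reply[3] == ' ' || reply[3] == '-');
}
```

After the TLS handshake completes, the client should send EHLO again and discard the capabilities learned in cleartext, since those were not integrity-protected.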
OpenSSL suits my needs! A quick view at the documentation and tutorials pointed me in the right direction.
I am building a client-server program in C with communication between them over ESP/IPsec.
On every new client connection, the server generates a random/unique CK/IK, which is transmitted to the client by some secure mechanism. I have created associations and policies for different clients in the SPD and SAD of the kernel using PF_KEY socket programming. But this mechanism has a problem:
it starts getting slow as soon as 80,000 associations are created, and my requirement is for 1,000,000 associations for load testing.
I have come to know that the PF_KEY socket mechanism is old, outdated and insecure. This mechanism is KLIPS. There are two mechanisms, KLIPS and NETKEY.
How do I create IPsec associations through the NETKEY mechanism in C from user space?
I would strongly recommend that you use WireGuard over IPsec; it is way better, approved by Linus Torvalds and developed by a very talented security researcher.
Sorry if it is slightly off-topic, but you look like you are still exploring. IPsec is from the 1990s, and it indeed brought a lot along the years, but WireGuard was started from scratch just a few years ago with the merit of having very short (and easily auditable) code that was also optimized with the latest technological breakthroughs.
You can find this beautiful project, its mirror, on GitHub, and it is mainly coded in C (as for the original project).
NB: WireGuard encrypts traffic through https (port 443), so it also allows users to go through all kinds of great firewalls built by dictatorships 2.0 around the world, as everyone needs to access https.
You can use the DaVICI plugin of StrongSwan.
https://github.com/strongswan/davici
I want to write a client and server in C preferably, simple C++ if necessary.
The server will run on some flavor of Linux, the client is for testing the server.
I want to ensure messages are received and error free; therefore I will use TCP.
I want them to communicate securely; thus I will use the latest version of TLS (v1.3).
I intend to use the GnuTLS library for reasons:
Actively updated by reputable open source project
License permits selling product
Given the above, if implemented and tested, I could claim that the client/server communication is secure, reliable (a.k.a. assured), and error-checked. Yes?
Am I missing something? Is anything patently false?
Edit: certificates... I think I'm missing something about certificates to protect against man-in-the-middle attacks...
TLS is a complex topic. Depending on your specific code the TLS connection might succeed even if you fail to properly validate the certificate. Thus, just based on what you state so far in your question it cannot be assured that the data are transferred with proper end-to-end protection and that no man in the middle can manipulate the data.
I want to write an Application layer protocol that uses TCP to return certain ASCII Text when a GET request is sent. I read the first HTTP specification and the SMTP specification but am still unclear on how to write the protocol connecting the two computers itself. How could I write this in C? Are there any tutorials or examples I could look at?
The heart of any communication protocol is the interface control document (ICD), which will describe the message structures that are allowed, such as the size of your header, data, CRC field, etc. It is from this document that you create the C structures. Usually people use bit fields to encapsulate the message fields appropriately. When you use existing communication methods, for example Ethernet, you have TCP or UDP sockets to send and receive the data. You can encode your messages in them. If you want to develop a new communication protocol, then you have to make a logic of your own and embed it over existing media and proceed.
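An added example, not from the original answer: a hypothetical ICD frame (type, length, payload, CRC-32) encoded and parsed byte by byte in C, with the length field validated before it is used. The frame layout, limits and function names are assumptions; bytes are decoded explicitly because struct and bit-field layout varies between compilers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ICD: type(2) | length(2) | payload(length) | CRC-32(4), big-endian. */
#define HDR_LEN     4u
#define CRC_LEN     4u
#define MAX_PAYLOAD 512u

typedef struct { uint16_t type, len; const uint8_t *payload; } frame;
enum { FRAME_OK = 0, FRAME_SHORT = -1, FRAME_TOO_BIG = -2, FRAME_BAD_CRC = -3 };

/* Standard reflected CRC-32; it detects corruption, not deliberate tampering. */
uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Serialize one frame into out; returns bytes written, or 0 if it does not fit. */
size_t frame_encode(uint16_t type, const uint8_t *data, uint16_t len, uint8_t *out, size_t cap)
{
    if (len > MAX_PAYLOAD || cap < HDR_LEN + len + CRC_LEN) return 0;
    out[0] = (uint8_t)(type >> 8); out[1] = (uint8_t)type;
    out[2] = (uint8_t)(len >> 8);  out[3] = (uint8_t)len;
    memcpy(out + HDR_LEN, data, len);
    uint32_t crc = crc32_calc(out, HDR_LEN + len);
    for (int i = 0; i < 4; i++) out[HDR_LEN + len + i] = (uint8_t)(crc >> (24 - 8 * i));
    return HDR_LEN + len + CRC_LEN;
}

/* Parse untrusted bytes: every length is checked before it is used. */
int frame_parse(const uint8_t *buf, size_t n, frame *f)
{
    if (n < HDR_LEN) return FRAME_SHORT;
    uint16_t len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (len > MAX_PAYLOAD) return FRAME_TOO_BIG;
    if (n < HDR_LEN + len + CRC_LEN) return FRAME_SHORT;
    const uint8_t *c = buf + HDR_LEN + len;
    uint32_t got = ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) |
                   ((uint32_t)c[2] << 8) | c[3];
    if (got != crc32_calc(buf, HDR_LEN + len)) return FRAME_BAD_CRC;
    f->type = (uint16_t)((buf[0] << 8) | buf[1]); f->len = len; f->payload = buf + HDR_LEN;
    return FRAME_OK;
}
```

On a TCP stream the caller keeps reading until `frame_parse` stops returning `FRAME_SHORT`, and treats `FRAME_TOO_BIG` or `FRAME_BAD_CRC` as a reason to close the connection.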
You're asking two questions. Your first question is "How can I create a new communications protocol", and your second question is "How can I implement this in C".
These are both far too generic to be good questions per the charter of this forum.
The answer to "How can I create a new communications protocol" is, as millimoose already pointed out, simple: A protocol is a document specifying the set of rules for how entities can communicate. Decide what a conversation should look like, starting from the "hello" or equivalent, specifying every possible request and every possible response, and every possible error response, through to how to say goodbye (and how to deal with a connection that gets dropped without saying goodbye), and write that all down. The SMTP protocol is actually a fairly good example of exactly that, in fact. (A TCP-based internet protocol will also typically specify a default TCP port to operate the protocol over.)
The answer to "How can I implement this in C", now that you have a fully specified protocol, is the same as the answer to "How can I implement this in Java", "How can I implement this in REBOL", or "How can I implement this in TCL": Write a basic server app that speaks the server half of the protocol and a basic client app that speaks the client half of the protocol.
(Of course, you might actually have been intending to ask "Regardless of the specific protocol, how can I write in C a server and client that communicate with each other?". This is also an excessively generic question, which can be answered through judicious searching on google.)
In practice, it is much better to use an existing TCP stack (e.g. tcp(7) socket implementation, at least on Linux), then use some HTTP server library above it, like e.g. libonion. Reinventing your TCP stack and your HTTP server layer would take you more than a year of work.
In previous versions of Arduino, the limiting 8-bit microcontroller board, it seems that implementing HTTPS (not merely HTTP) was almost impossible. But the newer version of Arduino Due provides 32-bit ARM core - see spec here.
I tried to check several network libraries (libcurl, openssl, yaSSL), but I didn't find any that was already ported to work with Arduino Due.
OpenSSL is probably too heavy to be able to run on this processor, but I believe that yaSSL as an embedded library should be possible to do.
Do you have any information about a library that I can use to trigger HTTPS requests on Arduino Due?
Unfortunately this is too long for a comment.
► No out of the box solution
From what I have gathered, there is no straightforward solution for a webserver running on the Atmel SAM3X8E ARM Cortex-M3 CPU that outputs HTTPS out of the box.
Texas Instruments provides better options at the moment using their boards equipped with a Stellaris Microcontroller ARM Cortex-M3 CPU.
► Alternative
There are several options available that render cryptographic functions, based upon which one could lay out and implement a simple secure communication protocol that communicates with an intermediary device, which in turn facilitates Rapid Application Development and SSL.
This intermediary device, for instance an off-the-shelf 70$ Android smartphone that keeps your project mobile and connected, runs a service on a specified port which in turn communicates with Amazon SQS. Already available. This may sound ugly or tough, but is much easier than doing the programmatic groundwork for a webserver with full TLS 3 support on the Arduino. Given the proper motivation the latter may be easy, but not if one just wants a fast pragmatic solution to one's own project.
► Cryptographic libraries
crypto-arduino-library http://code.google.com/p/crypto-arduino-library/ (not maintained since 2010)
matrixssl
mbed TLS (formerly PolarSSL)
wolfSSL (formerly CyaSSL)
► Discussions
Following is a list of discussions to get you started:
HTTPS alternative on Arduino
SSL from a Microcontroller
Lightweight Packet Encryption
Many of these libraries would still need to be adapted, but community experts can help you with that fairly quickly.
Good luck! If you are at liberty to upload your final project to github then you just gained a thanks and a follower.
IMHO Arduino (including the DUE) is the wrong tool for heavy and/or encrypted web based communication. I would strongly suggest looking for more appropriate hardware in the same size and price range. As soon as you get into https you are close enough to also want a lot of the other stuff that real operating systems provide. In other words, I suggest going for something like the Raspi. Similar size and price but way more powerful, especially as it can run Linux. --> HTTPS becomes simple.
The big problem with https support on an arduino is the danger of overloading your processor which could make the project unviable.
Even embedded platform targeted solutions like PolarSSL can eat up too much memory and use too much processing power. Remember that even on the most streamlined implementations, SSL support is going to have to be generalized for wide adoption and will include components that you won't find necessary. There's also the question of which Certificate Authorities you will trust and how you will communicate with them for things like certificate revocation.
I would look instead towards a solution that isn't as broken on the surface for your needs. Something like CurveProtect, which is an implementation of CurveCP.
Of course, your decision will largely be based on what you want to do and how much time you want to spend figuring the problem out. PolarSSL has a footprint that can be as small as 30K (more typically close to 100K).
First of all: I'm not absolutely certain that this is the right place to ask, but I think the question fits here better than on superuser or serverfault, since it is a question from a programmer's perspective: I figured more programmers might have had the same question (although I couldn't find this specific question!).
I would like to have a feature in my program which allows users to send files to a 'friend'. You can find friends via a username: this all goes via a server which can provide the IP address of a friend.
I wanted to use a tcp connection to send the file. This becomes difficult, however, when one (or both) of the parties is behind a NAT. What is the best way to solve this? I heard that it's possible to send stuff via a server, but I'd rather send everything directly, to prevent server overhead.
I heard about a technique called hole punching, but also that it's pretty complex to implement and not 100% reliable. I could use UDP and implement some scheme to improve the reliability, but this seems a bit complex to me. I know Skype, BitTorrent and a whole lot of other programs do similar things (but I don't know about the specifics, which protocol they use, if they use hole punching etc.).
I looked into FTP a bit, until I realised that this is just a protocol using TCP, so I should use TCP hole punching in order to let this work... Anyway, I hope someone can give me some advice on this :)
If you don't want to make data pass through a server, I'm not aware of other methods other than TCP Hole Punching or simple Port forwarding of a previously chosen port.