openssl ssl encryption

后端 未结 4 525
情话喂你
情话喂你 2021-01-22 10:10

I want to discuss about openssl write and read method.
Assume I have an data structure like below:

/-----------------------------------------------------\\
|  my_         


        
相关标签:
4条回答
  • 2021-01-22 10:40

    If you're building an encrypted protocol, that's exactly how I'd do it, assuming my_header contains enough information and nothing that in itself needs to be kept secure, such as the session key. Network packets at the low level (see tcpdump/libpcap) are just a char* ("string") and you extract different headers by moving along the array different lengths - what you're suggesting sounds just like this.

    0 讨论(0)
  • 2021-01-22 10:45

    When you use TLS/DTLS, you have the choice : you cipher the whole frame, or nothing at all.

    If you want to have some unciphered data in the frame, then you probably don't need TLS/DTLS. You might however use OpenSSL to compute a hash of your header (using SHA or any other related hash algorithm) and adding it at the end of the frame to avoid tampering.

    For the ciphered part of the frame, you'll have to choose between symetric and asymetric cipher algorithms. But without knowing what you want to achieve, I cannot really advise on this.

    Just keep in mind that symetric algorithms are usually faster but require a key exchange at first. To do so, you might use an asymetric algorithm, but then, you're reinventing TLS/DTLS ;)

    0 讨论(0)
  • 2021-01-22 10:53

    You can actually let OpenSSL do a lot of the heavy lifting for you.

    You can create your networking primitives as before and associate the file descriptors with an Open SSL context, which will handle the SSL handshake, encryption and decryption. I'm glossing over a lot of the details but the sample code on the openssl website and in this book:

    http://www.amazon.com/Network-Security-OpenSSL-John-Viega/dp/059600270X

    will be very instructive. The book is also available online but I believe you have to pay to access it.

    In OpenSSL's distribution you can find lots of sample code illustrating exactly how to do this.

    Good luck.

    0 讨论(0)
  • 2021-01-22 10:53

    OpenSSL comes with a libcrypto library which is commonly used to perform standalone encryption outside of an SSL context.

    http://www.openssl.org/docs/crypto/evp.html

    Alternatively, the bio portion of the library may be even closer to what you want: http://www.openssl.org/docs/crypto/bio.html

    But if you really intend to send this over the network, then I would question the safety of leaving the header unencrypted. Encryption is about more than privacy, it is also about ensuring the data has not been modified in transit. If someone is in a position to monitor your traffic, then they are usually in a position to tamper with it too.

    If you want the header unecrypted so you can read it in wireshark for debugging, then I suggest making a flag in your application to fully enable/disable encryption for use in a debugging environment.

    0 讨论(0)
提交回复
热议问题