Asp Forum - Re: Securley Transmit Data

Jano Svitok

1/18/2007 8:51:00 AM

On 1/18/07, Daniel N <has.sox@gmail.com> wrote:
> Hi everyone,
>
> Being very unfamiliar with encryption and secure transmission I'm at a loss
> of how to do this.
>
> I need to get info from my system to a clients (with many such transactions
> for different clients) securely.
>
> My thinking is firstly to require all clients to provide a public digital
> certificate, then when they request the data send something like.
>
> <data_transmission>
> <key>
> AES key that has been encrypted with PGP using the public key
> </key>
> <data>
> data encrypted with AES using the un-encrypted key
> </data>
> </data_transmission>
>
> Then when the client recieves the data, they un-encrypt the key with their
> private key, and then un-encrypt the data.
>
> Firstly, is this approach secure?

If you implement it correctly, this is the "standard" approach

> If it is, does anyone know where I might find some kind of tutorial(s) that
> would help me with implementation.
>
> I don't even know what library to look in...

I have answered similar questions in:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t... and
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
Especially notice the link to Handbook of Applied Cryptography

The library you are interested in is OpenSSL

This might be helpful as well:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...

Maybe instead of using PGP to encrypt, you may want to use stardard
PKI (X.509 certificates etc.) - just choose which one is more
convenient to you and/or your users (although I assume OpenSSL
supports the X.509 better)

7 Answers

benjohn

1/18/2007 9:24:00 AM

*snip*
>> My thinking is firstly to require all clients to provide a public
>> digital
>> certificate, then when they request the data send something like.
>>
>> <data_transmission>
>> <key>
>> AES key that has been encrypted with PGP using the public key
>> </key>
>> <data>
>> data encrypted with AES using the un-encrypted key
>> </data>
>> </data_transmission>
>>
>> Then when the client recieves the data, they un-encrypt the key with
>> their
>> private key, and then un-encrypt the data.
>>
>> Firstly, is this approach secure?
>
> If you implement it correctly, this is the "standard" approach

*snip*

This isn't something I've got a lot of experience of, but...

It's worth pointing out that you probably wouldn't send the lump of XML
above. If you do this, you'll have to get your software to manage
encryption, decryption, key sharing, and lots of other fluf that I doubt
you care about.

What you'd probably do instead is simply communicate over a secure
socket, and pretty much forget about encryption. Your program may be
entirely oblivious to it, in fact, or may be a little aware in that it
knows it's setting up a secure socket, or perhaps checks that the socket
creation parameter it's been given results in a secure socket. Something
like that.

As the first poster said, I think it's likely that:

> The library you are interested in is OpenSSL

Cheers,
Benjohn

Daniel N

1/18/2007 9:45:00 AM

On 1/18/07, Jan Svitok <jan.svitok@gmail.com> wrote:

> I have answered similar questions in:
> http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t... and
> http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
> Especially notice the link to Handbook of Applied Cryptography
>
> The library you are interested in is OpenSSL
>
> This might be helpful as well:
> http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
>
> Maybe instead of using PGP to encrypt, you may want to use stardard
> PKI (X.509 certificates etc.) - just choose which one is more
> convenient to you and/or your users (although I assume OpenSSL
> supports the X.509 better)
>
>
Great Thanx for your input. I'll have a read of these thread asap.

Daniel N

1/18/2007 9:55:00 AM

On 1/18/07, benjohn@fysh.org <benjohn@fysh.org> wrote:
> *snip*
> >> My thinking is firstly to require all clients to provide a public
> >> digital
> >> certificate, then when they request the data send something like.
> >>
> >> <data_transmission>
> >> <key>
> >> AES key that has been encrypted with PGP using the public key
> >> </key>
> >> <data>
> >> data encrypted with AES using the un-encrypted key
> >> </data>
> >> </data_transmission>
> >>
> >> Then when the client recieves the data, they un-encrypt the key with
> >> their
> >> private key, and then un-encrypt the data.
> >>
> >> Firstly, is this approach secure?
> >
> > If you implement it correctly, this is the "standard" approach
>
> *snip*
>
> This isn't something I've got a lot of experience of, but...
>
> It's worth pointing out that you probably wouldn't send the lump of XML
> above. If you do this, you'll have to get your software to manage
> encryption, decryption, key sharing, and lots of other fluf that I doubt
> you care about.
>
> What you'd probably do instead is simply communicate over a secure
> socket, and pretty much forget about encryption. Your program may be
> entirely oblivious to it, in fact, or may be a little aware in that it
> knows it's setting up a secure socket, or perhaps checks that the socket
> creation parameter it's been given results in a secure socket. Something
> like that.

I thought about just doing the communication over ssl, but I want to
ensure that the correct client is requesting the data. At this stage
I'm still early in my thought processes on exactly how to achieve
this.

It's important that only the correct client, obtain the data. Also it
is important that the client is who they say they are, and not just
someone who setup an account claiming to be someone else. Hence my
interest in using their certificates and encrypting using their public
key, so only they can unencrypt.

My current thinking is that when a client signs up for an account, use
their digital certificate and domain to confirm their identity, and
then in the future they can request data from the site. I don't need
to go over ssl, because by encrypting with their own public key, only
they can get the data.

At least this is my undestanding at the moment, but I have to read the
posts from Jan yet.

Cheers

Daniel N

1/18/2007 10:04:00 AM

On 1/18/07, Daniel N <has.sox@gmail.com> wrote:
> On 1/18/07, Jan Svitok <jan.svitok@gmail.com> wrote:
>
> > I have answered similar questions in:
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t... and
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
> > Especially notice the link to Handbook of Applied Cryptography
> >
> > The library you are interested in is OpenSSL
> >
> > This might be helpful as well:
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
> >
> > Maybe instead of using PGP to encrypt, you may want to use stardard
> > PKI (X.509 certificates etc.) - just choose which one is more
> > convenient to you and/or your users (although I assume OpenSSL
> > supports the X.509 better)
> >
> >
> Great Thanx for your input. I'll have a read of these thread asap.
>

I did find these threads prior to posting. I'm still no clearer on
how to implement. :(

I did look at OpenSSL and there does not seem to be any documentation
to speak of. Also there does not seem to be any useable tutorial that
I could identify on the net for this library.

I do need to read up on PKI X.509 certificates though.

Thanx again

benjohn

1/18/2007 10:18:00 AM

> On 1/18/07, Daniel N <has.sox@gmail.com> wrote:
>> On 1/18/07, Jan Svitok <jan.svitok@gmail.com> wrote:
>>
>> > I have answered similar questions in:
>> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
>> and
>> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
>> > Especially notice the link to Handbook of Applied Cryptography
>> >
>> > The library you are interested in is OpenSSL
>> >
>> > This might be helpful as well:
>> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
>> >
>> > Maybe instead of using PGP to encrypt, you may want to use stardard
>> > PKI (X.509 certificates etc.) - just choose which one is more
>> > convenient to you and/or your users (although I assume OpenSSL
>> > supports the X.509 better)
>> >
>> >
>> Great Thanx for your input. I'll have a read of these thread asap.
>>
>
> I did find these threads prior to posting. I'm still no clearer on
> how to implement. :(
>
> I did look at OpenSSL and there does not seem to be any documentation
> to speak of. Also there does not seem to be any useable tutorial that
> I could identify on the net for this library.
>
> I do need to read up on PKI X.509 certificates though.

I generally look for documentation for the underlying library when the
docs about the bindings aren't so good. OpenSSL is based on SSL as far
as I know, and that ought to be pretty well documented!

If you're on a unix like machine, you should be able to play about with
SSL and SSH (secure shell, it runs over a secure socket) and get a feel
for how they work (I've got a keys files in the folder: ~/.ssh). My
advice would be to put Ruby to one side and understand the layer below
it.

Sorry if I'm advising on how to suck eggs [best boiled, in my opinion] :)

Cheers,
Benjohn

Daniel N

1/18/2007 11:45:00 AM

On 1/18/07, benjohn@fysh.org <benjohn@fysh.org> wrote:
> > On 1/18/07, Daniel N <has.sox@gmail.com> wrote:
> >> On 1/18/07, Jan Svitok <jan.svitok@gmail.com> wrote:
> >>
> >> > I have answered similar questions in:
> >> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
> >> and
> >> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
> >> > Especially notice the link to Handbook of Applied Cryptography
> >> >
> >> > The library you are interested in is OpenSSL
> >> >
> >> > This might be helpful as well:
> >> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-t...
> >> >
> >> > Maybe instead of using PGP to encrypt, you may want to use stardard
> >> > PKI (X.509 certificates etc.) - just choose which one is more
> >> > convenient to you and/or your users (although I assume OpenSSL
> >> > supports the X.509 better)
> >> >
> >> >
> >> Great Thanx for your input. I'll have a read of these thread asap.
> >>
> >
> > I did find these threads prior to posting. I'm still no clearer on
> > how to implement. :(
> >
> > I did look at OpenSSL and there does not seem to be any documentation
> > to speak of. Also there does not seem to be any useable tutorial that
> > I could identify on the net for this library.
> >
> > I do need to read up on PKI X.509 certificates though.
>
> I generally look for documentation for the underlying library when the
> docs about the bindings aren't so good. OpenSSL is based on SSL as far
> as I know, and that ought to be pretty well documented!
>
> If you're on a unix like machine, you should be able to play about with
> SSL and SSH (secure shell, it runs over a secure socket) and get a feel
> for how they work (I've got a keys files in the folder: ~/.ssh). My
> advice would be to put Ruby to one side and understand the layer below
> it.
>
> Sorry if I'm advising on how to suck eggs [best boiled, in my opinion] :)
>

I'd better get my egg cup ;)

Thanx

Bible Studies with Satan

3/22/2010 8:50:00 PM

Patriot Games wrote:

> On Mon, 22 Mar 2010 08:16:37 -0700 (PDT), Tater Gumfries
> <tater@kernsholler.net> wrote:
>>On Mar 22, 8:33?am, Patriot Games <Patr...@america.com> wrote:
>>> You exist now only as my personal toilet.
>>You don't have the guts to admit when you're wrong. You were wrong
>>about the House convictin him... admit it and move on.
>
> He was found GUILTY. "Guilty" is a "conviction."
>
> He was "impeached." "Impeachment" is the punishment for the
> "conviction" resulting from being found "guilty" of CRIMES.

Noe. You're wrong as usual. Impeachment by the House is the indictment. It's the
Senate which convicts.

Why are conservatives so out of touch with reality?

>
> NONE OF THAT IS RELEVANT to the Senate's actions.

--
Ezekiel 23:20

comp.lang.ruby

Re: Securley Transmit Data

Jano Svitok

benjohn

Daniel N

Daniel N

Daniel N

benjohn

Daniel N

Bible Studies with Satan

x Login to ForumsZone