LinuxQuestions.org
Old 04-22-2007, 03:14 AM   #1
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Rep: Reputation: 31
Secure data transmission


I'm developing a *very* basic/simple/stupid application which has the sole task to allow two people to share a file.

It works more or less like this:

Code:
RECEIVER: Run Program -> "Play" TCP/IP -Server- end.
SENDER: Run Program -> "Play" TCP/IP -Client- end.
SENDER: Read file from local drive and write it to the socket.
RECEIVER: Read from socket and output to local drive.
SENDER: Finish sending -> End program
RECEIVER: End program.
(Not sure why I detailed the steps but anyway.)

However this doesn't seem secure at all. I need a way to make the transfer secure. Should I come up with a personal algorithm? (But then it'd be security by obscurity which, IIRC Bruce Schneier doesn't consider to be "security" at all .. and given Bruce Schneier == Chuck Norris .. well.) Or should I use SSL/etc.? Any suggestions would be highly appreciated.

P.S.: Programming language used: C 89
 
Old 04-22-2007, 03:18 AM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197
Use gpg.

Is this homework?
The reason I ask is that most people would use ssh for this.
 
Old 04-22-2007, 08:18 AM   #3
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Original Poster
Rep: Reputation: 31
#1. Great to know I posted in General rather than Programming. Perhaps a Moderator can help me by moving it there.

#2. It's not homework, and I don't need the complexity of SSH.

Thanks for your reply.
 
Old 04-22-2007, 03:57 PM   #4
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

Rep: Reputation: 147
Moved to Programming, as requested.

The solution depends on how you define security here. You may mean different things:
* not showing contents of the file
* allowing access only to certain users
* making sure the file is complete
* making sure the file is exactly the file that was intended
and so on...

No matter what, it just looks like you need standard cryptography and will choose one or more from the following: symmetric algorithm, asymmetric algorithm, signing, hash function.

Please be more precise...
 
Old 04-22-2007, 05:48 PM   #5
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197
ssh complex? hmmm... I think you need to specify your specifications.
 
Old 04-23-2007, 06:53 AM   #6
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Original Poster
Rep: Reputation: 31
Thank you for moving the thread to "Programming".

By security I mean:
Code:
#1. Make sure the host/server is who we think it is.
#2. Make sure we receive the file actually sent by the .. sender.
#3. Should anyone intercept the traffic between the two computers,
 make it impossible (or very hard) to make sense of it. (encryption)
Presumption: the source code is freely available and the attacker knows this, has the code and fully understands it.

@ Simon Bridge: I don't need all of SSH's features. Not to mention SSH is, at its core .. the "secure shell". (Which I simply don't need). I don't even need all the features of the FTP protocol. ONE program run allows for ONE transfer of ONE file.
 
Old 04-23-2007, 12:00 PM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,390
Blog Entries: 2

Rep: Reputation: 900
Isn't SSL a documented API that allows you to create your own application using the already existing algorithms and methods for secure transmission of data? It sounds like that would be the obvious way to go, otherwise you are just re-inventing another wheel. You could not expect to do half as well as a lot of experts that spent quite some time to come up with SSL.

--- rod.
 
Old 04-23-2007, 03:40 PM   #8
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

Rep: Reputation: 147
The question is how "good" the security you're implementing should be. You can go for simpler solutions or more complicated ones. In fact it's more or less the same effort now, because you have all the cryptography you need in OpenSSL. What you will need...
Quote:
Originally Posted by introuble
#1. Make sure the host/server is who we think it is.
Example scheme: host and server have both public and private keys. When establishing a connection they both encrypt something (current date+some random seed+maybe something more) using their private key and send it to the other side. That side can decrypt the message (using the public key) to check if the data inside the message is OK. It may be RSA here.
Quote:
#2. Make sure we receive the file actually sent by the .. sender.
All files transferred may be signed. Verification procedure is similar to the above.
Quote:
#3. Should anyone intercept the traffic between the two computers,
make it impossible (or very hard) to make sense of it. (encryption)
AES probably. But you need to find the session keys (connected with the authentication phase, #1).

It may even be that the cryptography will be the most complicated thing in the whole protocol, but to make it correct, it requires a number of steps. To make the implementation simpler, look into OpenSSL routines. You may find the examples from http://www.rtfm.com/openssl-examples/ useful.
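
The handshake outlined in the post above, as an added sketch that is not part of the original thread: each side proves knowledge of a key over nonces chosen fresh for the connection, and the file's tag is keyed from that same exchange. It is Python using only the standard library, and an HMAC over a pre-shared key (an assumption, as are all names here) stands in for the RSA operations and signatures the post suggests; encrypting the file itself is not shown.

```python
import hashlib
import hmac
import os

# Assumption: both sides hold this secret in advance. It stands in for the
# RSA key pairs of the post so the sketch needs only the standard library.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def prove(key, role, my_nonce, peer_nonce):
    """Proof bound to our role and BOTH nonces: a captured proof cannot be
    replayed in a later session or reflected back at its sender."""
    return hmac.new(key, role + my_nonce + peer_nonce, hashlib.sha256).digest()


def check(key, role, peer_nonce, my_nonce, proof):
    expected = prove(key, role, peer_nonce, my_nonce)
    return hmac.compare_digest(expected, proof)  # constant-time comparison


def session_key(key, sender_nonce, receiver_nonce, label):
    """Per-transfer key derived from the authentication exchange."""
    msg = label + sender_nonce + receiver_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def file_tag(mac_key, data):
    """Integrity and origin tag over the file (stand-in for a signature)."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def transfer(data, tamper=False, receiver_key=SHARED_KEY):
    """Run one sender -> receiver exchange in memory; True if accepted."""
    ns, nr = os.urandom(16), os.urandom(16)  # fresh nonces per connection
    # 1. Each side proves itself over the other side's nonce.
    r_proof = prove(receiver_key, b"receiver", nr, ns)
    if not check(SHARED_KEY, b"receiver", nr, ns, r_proof):
        return False  # sender aborts: the host is not who we think it is
    s_proof = prove(SHARED_KEY, b"sender", ns, nr)
    if not check(receiver_key, b"sender", ns, nr, s_proof):
        return False
    # 2. Sender tags the file with a key tied to this session's nonces.
    mac_key = session_key(SHARED_KEY, ns, nr, b"mac")
    tag = file_tag(mac_key, data)
    wire = data + b"\x00" if tamper else data  # simulated modification
    # 3. Receiver recomputes the tag over the bytes that actually arrived.
    return hmac.compare_digest(tag, file_tag(mac_key, wire))
```

Because every proof covers the verifier's own nonce, a recorded exchange is useless on the next connection, which a timestamp alone only approximates.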
 
Old 04-24-2007, 06:13 AM   #9
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Original Poster
Rep: Reputation: 31
Obviously I am not trying to reinvent the wheel. I had OpenSSL in mind at the beginning but wondered if perhaps there are some good alternatives I didn't know of. However, thank you very much for your replies.
 
Old 04-24-2007, 03:43 PM   #10
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

Rep: Reputation: 147
There's Crypto++ (for C++, not C). It's mostly about algorithms, not protocols themselves. Link: http://www.cryptopp.com/
 
Old 04-27-2007, 02:31 AM   #11
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5
Posts: 16,086

Rep: Reputation: 1995
Depends if this is an exercise in programming, or if you really just want to txfr a file.
If the former, writing your own code, even using SSL is iffy at best.
As Bruce would put it, it's not just the algo (SSL), it's the entire 'system' you need to worry about, and that's harder than you think.
If it's the latter (ie you actually do need to txfr a file, not write code), then installing ssh (ie scp) is relatively trivial and extremely secure (use v2 protocol).
It's also dead easy to use...
 
  

