Securley Transmit Data


#1

Hi everyone,

Being very unfamiliar with encryption and secure transmission I’m at a
loss
of how to do this.

I need to get info from my system to a clients (with many such
transactions
for different clients) securely.

My thinking is firstly to require all clients to provide a public
digital
certificate, then when they request the data send something like.

<data_transmission>

AES key that has been encrypted with PGP using the public key


data encrypted with AES using the un-encrypted key

</data_transmission>

Then when the client recieves the data, they un-encrypt the key with
their
private key, and then un-encrypt the data.

Firstly, is this approach secure?

If it is, does anyone know where I might find some kind of tutorial(s)
that
would help me with implementation.

I don’t even know what library to look in…

Thanx for any help.

Daniel


#2

On 1/18/07, Daniel N removed_email_address@domain.invalid wrote:

private key, and then un-encrypt the data.

Firstly, is this approach secure?

If you implement it correctly, this is the “standard” approach

If it is, does anyone know where I might find some kind of tutorial(s) that
would help me with implementation.

I don’t even know what library to look in…

I have answered similar questions in:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/211073 and
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/219842
Especially notice the link to Handbook of Applied Cryptography

The library you are interested in is OpenSSL

This might be helpful as well:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/228214

Maybe instead of using PGP to encrypt, you may want to use stardard
PKI (X.509 certificates etc.) - just choose which one is more
convenient to you and/or your users (although I assume OpenSSL
supports the X.509 better)


#3

snip

Then when the client recieves the data, they un-encrypt the key with
their
private key, and then un-encrypt the data.

Firstly, is this approach secure?

If you implement it correctly, this is the “standard” approach

snip

This isn’t something I’ve got a lot of experience of, but…

It’s worth pointing out that you probably wouldn’t send the lump of XML
above. If you do this, you’ll have to get your software to manage
encryption, decryption, key sharing, and lots of other fluf that I doubt
you care about.

What you’d probably do instead is simply communicate over a secure
socket, and pretty much forget about encryption. Your program may be
entirely oblivious to it, in fact, or may be a little aware in that it
knows it’s setting up a secure socket, or perhaps checks that the socket
creation parameter it’s been given results in a secure socket. Something
like that.

As the first poster said, I think it’s likely that:

The library you are interested in is OpenSSL

Cheers,
Benjohn


#4

On 1/18/07, Jan S. removed_email_address@domain.invalid wrote:

Maybe instead of using PGP to encrypt, you may want to use stardard
PKI (X.509 certificates etc.) - just choose which one is more
convenient to you and/or your users (although I assume OpenSSL
supports the X.509 better)

Great Thanx for your input. I’ll have a read of these thread asap.


#5

On 1/18/07, removed_email_address@domain.invalid removed_email_address@domain.invalid wrote:

data encrypted with AES using the un-encrypted key

socket, and pretty much forget about encryption. Your program may be
entirely oblivious to it, in fact, or may be a little aware in that it
knows it’s setting up a secure socket, or perhaps checks that the socket
creation parameter it’s been given results in a secure socket. Something
like that.

I thought about just doing the communication over ssl, but I want to
ensure that the correct client is requesting the data. At this stage
I’m still early in my thought processes on exactly how to achieve
this.

It’s important that only the correct client, obtain the data. Also it
is important that the client is who they say they are, and not just
someone who setup an account claiming to be someone else. Hence my
interest in using their certificates and encrypting using their public
key, so only they can unencrypt.

My current thinking is that when a client signs up for an account, use
their digital certificate and domain to confirm their identity, and
then in the future they can request data from the site. I don’t need
to go over ssl, because by encrypting with their own public key, only
they can get the data.

At least this is my undestanding at the moment, but I have to read the
posts from Jan yet.

Cheers


#6

On 1/18/07, Daniel N removed_email_address@domain.invalid wrote:

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/228214

Maybe instead of using PGP to encrypt, you may want to use stardard
PKI (X.509 certificates etc.) - just choose which one is more
convenient to you and/or your users (although I assume OpenSSL
supports the X.509 better)

Great Thanx for your input. I’ll have a read of these thread asap.

I did find these threads prior to posting. I’m still no clearer on
how to implement. :frowning:

I did look at OpenSSL and there does not seem to be any documentation
to speak of. Also there does not seem to be any useable tutorial that
I could identify on the net for this library.

I do need to read up on PKI X.509 certificates though.

Thanx again


#7

On 1/18/07, removed_email_address@domain.invalid removed_email_address@domain.invalid wrote:

I generally look for documentation for the underlying library when the

I’d better get my egg cup :wink:

Thanx


#8

I did find these threads prior to posting. I’m still no clearer on
how to implement. :frowning:

I did look at OpenSSL and there does not seem to be any documentation
to speak of. Also there does not seem to be any useable tutorial that
I could identify on the net for this library.

I do need to read up on PKI X.509 certificates though.

I generally look for documentation for the underlying library when the
docs about the bindings aren’t so good. OpenSSL is based on SSL as far
as I know, and that ought to be pretty well documented!

If you’re on a unix like machine, you should be able to play about with
SSL and SSH (secure shell, it runs over a secure socket) and get a feel
for how they work (I’ve got a keys files in the folder: ~/.ssh). My
advice would be to put Ruby to one side and understand the layer below
it.

Sorry if I’m advising on how to suck eggs [best boiled, in my opinion]
:slight_smile:

Cheers,
Benjohn