Forum: Ruby Securley Transmit Data

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
9d1f5d2d9de70bd9a934f557dc95a406?d=identicon&s=25 Daniel ----- (liquid)
on 2007-01-18 05:55
(Received via mailing list)
Hi everyone,

Being very unfamiliar with encryption and secure transmission I'm at a
loss
of how to do this.

I need to get info from my system to a clients (with many such
transactions
for different clients) securely.

My thinking is firstly to require all clients to provide a public
digital
certificate, then when they request the data send something like.

<data_transmission>
  <key>
    AES key that has been encrypted with PGP using the public key
  </key>
  <data>
    data encrypted with AES using the un-encrypted key
  </data>
</data_transmission>

Then when the client recieves the data, they un-encrypt the key with
their
private key, and then un-encrypt the data.

Firstly, is this approach secure?

If it is, does anyone know where I might find some kind of tutorial(s)
that
would help me with implementation.

I don't even know what library to look in...

Thanx for any help.

Daniel
97550977337c9f0a0e1a9553e55bfaa0?d=identicon&s=25 Jan Svitok (Guest)
on 2007-01-18 09:51
(Received via mailing list)
On 1/18/07, Daniel N <has.sox@gmail.com> wrote:
>
> private key, and then un-encrypt the data.
>
> Firstly, is this approach secure?

If you implement it correctly, this is the "standard" approach

> If it is, does anyone know where I might find some kind of tutorial(s) that
> would help me with implementation.
>
> I don't even know what library to look in...

I have answered similar questions in:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/... and
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/...
Especially notice the link to Handbook of Applied Cryptography

The library you are interested in is OpenSSL

This might be helpful as well:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/...

Maybe instead of using PGP to encrypt, you may want to use stardard
PKI (X.509 certificates etc.) - just choose which one is more
convenient to you and/or your users (although I assume OpenSSL
supports the X.509 better)
Ffcb418e17cac2873d611c2b8d8d891c?d=identicon&s=25 unknown (Guest)
on 2007-01-18 10:27
(Received via mailing list)
*snip*
>>   </data>
>> </data_transmission>
>>
>> Then when the client recieves the data, they un-encrypt the key with
>> their
>> private key, and then un-encrypt the data.
>>
>> Firstly, is this approach secure?
>
> If you implement it correctly, this is the "standard" approach

*snip*

This isn't something I've got a lot of experience of, but...

It's worth pointing out that you probably wouldn't send the lump of XML
above. If you do this, you'll have to get your software to manage
encryption, decryption, key sharing, and lots of other fluf that I doubt
you care about.

What you'd probably do instead is simply communicate over a secure
socket, and pretty much forget about encryption. Your program may be
entirely oblivious to it, in fact, or may be a little aware in that it
knows it's setting up a secure socket, or perhaps checks that the socket
creation parameter it's been given results in a secure socket. Something
like that.

As the first poster said, I think it's likely that:

> The library you are interested in is OpenSSL

Cheers,
  Benjohn
9d1f5d2d9de70bd9a934f557dc95a406?d=identicon&s=25 Daniel ----- (liquid)
on 2007-01-18 10:45
(Received via mailing list)
On 1/18/07, Jan Svitok <jan.svitok@gmail.com> wrote:

> Maybe instead of using PGP to encrypt, you may want to use stardard
> PKI (X.509 certificates etc.) - just choose which one is more
> convenient to you and/or your users (although I assume OpenSSL
> supports the X.509 better)
>
>
Great Thanx for your input.  I'll have a read of these thread asap.
9d1f5d2d9de70bd9a934f557dc95a406?d=identicon&s=25 Daniel ----- (liquid)
on 2007-01-18 10:56
(Received via mailing list)
On 1/18/07, benjohn@fysh.org <benjohn@fysh.org> wrote:
> >>     data encrypted with AES using the un-encrypted key
>
> socket, and pretty much forget about encryption. Your program may be
> entirely oblivious to it, in fact, or may be a little aware in that it
> knows it's setting up a secure socket, or perhaps checks that the socket
> creation parameter it's been given results in a secure socket. Something
> like that.

I thought about just doing the communication over ssl, but I want to
ensure that the correct client is requesting the data.  At this stage
I'm still early in my thought processes on exactly how to achieve
this.

It's important that only the correct client, obtain the data.  Also it
is important that the client is who they say they are, and not just
someone who setup an account claiming to be someone else.  Hence my
interest in using their certificates and encrypting using their public
key, so only they can unencrypt.

My current thinking is that when a client signs up for an account, use
their digital certificate and domain to confirm their identity, and
then in the future they can request data from the site.  I don't need
to go over ssl, because by encrypting with their own public key, only
they can get the data.

At least this is my undestanding at the moment, but I have to read the
posts from Jan yet.

Cheers
9d1f5d2d9de70bd9a934f557dc95a406?d=identicon&s=25 Daniel ----- (liquid)
on 2007-01-18 11:05
(Received via mailing list)
On 1/18/07, Daniel N <has.sox@gmail.com> wrote:
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/...
> >
> > Maybe instead of using PGP to encrypt, you may want to use stardard
> > PKI (X.509 certificates etc.) - just choose which one is more
> > convenient to you and/or your users (although I assume OpenSSL
> > supports the X.509 better)
> >
> >
> Great Thanx for your input.  I'll have a read of these thread asap.
>

I did find these threads prior to posting.  I'm still no clearer on
how to implement.  :(

I did look at OpenSSL and there does not seem to be any documentation
to speak of.  Also there does not seem to be any useable tutorial that
I could identify on the net for this library.

I do need to read up on PKI X.509 certificates though.

Thanx again
Ffcb418e17cac2873d611c2b8d8d891c?d=identicon&s=25 unknown (Guest)
on 2007-01-18 11:18
(Received via mailing list)
>> >
>>
>
> I did find these threads prior to posting.  I'm still no clearer on
> how to implement.  :(
>
> I did look at OpenSSL and there does not seem to be any documentation
> to speak of.  Also there does not seem to be any useable tutorial that
> I could identify on the net for this library.
>
> I do need to read up on PKI X.509 certificates though.

I generally look for documentation for the underlying library when the
docs about the bindings aren't so good. OpenSSL is based on SSL as far
as I know, and that ought to be pretty well documented!

If you're on a unix like machine, you should be able to play about with
SSL and SSH (secure shell, it runs over a secure socket) and get a feel
for how they work (I've got a keys files in the folder: ~/.ssh). My
advice would be to put Ruby to one side and understand the layer below
it.

Sorry if I'm advising on how to suck eggs [best boiled, in my opinion]
:)

Cheers,
  Benjohn
9d1f5d2d9de70bd9a934f557dc95a406?d=identicon&s=25 Daniel ----- (liquid)
on 2007-01-18 12:46
(Received via mailing list)
On 1/18/07, benjohn@fysh.org <benjohn@fysh.org> wrote:
> >> >
> >>
> I generally look for documentation for the underlying library when the
>
I'd better get my egg cup ;)

Thanx
This topic is locked and can not be replied to.