EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SBB in proxy environment

Also by EldoS: CallbackDisk
Create virtual disks backed by memory or custom location, expose disk images as disks and more.
#4222
Posted: 11/05/2007 16:41:29
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Hi group,

I'm fairly new to SBB as well as to this group. I recently finished a RFC 3310 implementation, which realizes 3GPP AKA Digest Authorization. I don't want to annoy you with details, but the heart of this solution is an HTTP proxy (socket based), written in 100% managed C#.

The proxy is capable of handle HTTP(S) connections, either as local proxy, transparent proxy or reverse proxy - means, I have total control over all data flowing from whatever frontend to whatever backend. Currently HTTPS is just passed back and forth (no chance to intercept), but HTTP traffic is handled according to RFC 3310, RFC 2617 and the big, black 3GPP spec mountain :)

So what? One of the results of the special 3GPP GBA bootstrap is a so called "KS_NAF", some sort of "pre-shared key" intendet to be used for SSL encryption of the (unencrypted) frontend data on it's way to the backend.

Here probably comes SBB into the game. I think I don't need components like HTTPSClient, I would rather opt for SSLClient or something other.

And here is the question finally: Could someone point me to a component/sample, where I can provide PSK and CiperSuite setups in order to get encrypted data from unencrypted and vice versa?

Sorry, if I'm wrong with my assumptions, SSB could help me out here in any way.

Regards
#4224
Posted: 11/06/2007 01:43:41
by Ken Ivanov (EldoS Corp.)

Quote
And here is the question finally: Could someone point me to a component/sample, where I can provide PSK and CiperSuite setups in order to get encrypted data from unencrypted and vice versa?

Please consider using TElSecureClient (on client side) and TElSecureServer (on server side) components along with PSK cipher suites.

Unfortunately, there's no sample for PSK (however, there do exist samples for generic SSL). However, they can be easily upgraded to support PSK. In general words, you should (a) turn on PSK ciphersuites and (b) handle OnKeyNeeded events of both client and server to be able to pass PSK key to objects.
#4225
Posted: 11/06/2007 01:57:45
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Hello Innokentiy,

thanks for your quick answer. I already played a bit with the SSLBlackbox/SSLClientDemo. Thanks for the hint. I'll give it a trial.
#4226
Posted: 11/06/2007 10:10:31
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

OK, now I could manage to
- connect to an HTTPS server
- encrypt and send a request
- receive and decrypt the answer.

All in all not that difficult, besides the callback "back and forth", but I guess, this has to be done that way. The only component in use is the TElSecureClient, for now.

I'm a bit concerned about the Wireshark "Malformed Packet (SSL)" complaints on my very first ClientHello, but probably my secureClientObject is not setup properly (??).

Also could not managed to "turn on PSK ciphersuites" (at least all my attempts didn't show up the expected results) nor to get called back on OnKeyNeeded.

Could you please be a bit more specific, on how to turn PSK ciphersuites correctly?

Kind regards
Neil
#4227
Posted: 11/06/2007 10:32:13
by Ken Ivanov (EldoS Corp.)

Quote
I'm a bit concerned about the Wireshark "Malformed Packet (SSL)" complaints on my very first ClientHello, but probably my secureClientObject is not setup properly (??).

AFAIR, this message is sometimes reported if SSL2 client hello is sent. As we do not have access to Wireshark's code, we cannot identify the exact reason for this. Please turn off SSL2 version to suppress this message.

Quote
Could you please be a bit more specific, on how to turn PSK ciphersuites correctly?

Please use CipherSuites property (set_CipherSuites event in C#) to turn ciphersuites on/off:

Client.set_CipherSuites(SBConstants.Unit.SB_SUITE_RSA_IDEA_SHA, true);

The following PSK-based suites are declared:
SB_SUITE_PSK_RC4_SHA
SB_SUITE_PSK_3DES_SHA
SB_SUITE_PSK_AES128_SHA
SB_SUITE_PSK_AES256_SHA
SB_SUITE_DHE_PSK_RC4_SHA
SB_SUITE_DHE_PSK_3DES_SHA
SB_SUITE_DHE_PSK_AES128_SHA
SB_SUITE_DHE_PSK_AES256_SHA
SB_SUITE_RSA_PSK_RC4_SHA
SB_SUITE_RSA_PSK_3DES_SHA
SB_SUITE_RSA_PSK_AES128_SHA
SB_SUITE_RSA_PSK_AES256_SHA
SB_SUITE_RSA_SEED_SHA
SB_SUITE_DH_DSS_SEED_SHA
SB_SUITE_DH_RSA_SEED_SHA
SB_SUITE_DHE_DSS_SEED_SHA
SB_SUITE_DHE_RSA_SEED_SHA
SB_SUITE_DH_ANON_SEED_SHA

Please note, that PSK suites must be supported by both client and server. It is not possible to use PSK if one peer (e.g., client) does support it but the other one (server) doesn't.
#4228
Posted: 11/06/2007 10:33:32
by Ken Ivanov (EldoS Corp.)

Quote
...set_CipherSuites event in C#...

set_CipherSuites *method*, of course. Sorry.
#4229
Posted: 11/06/2007 11:01:45
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Arrgghhh,

because that "Malformed SSL" did sound familiar to me I reviewed my mailbox and found, that we already had mail contact concerning this a couple of month ago (May this year). I was assigned #12069 and the answer was:

Quote
SSL client hello from your Wireshark log is a correct SSL2 message (we have manually re-checked it). Most likely, Wireshark gets confused by some recent ciphersuite codes which he does not 'know'.


Sorry, I've overseen this. BTW: Disabling v2 did the trick.

Quote
Please note, that PSK suites must be supported by both client and server. It is not possible to use PSK if one peer (e.g., client) does support it but the other one (server) doesn't.


I think that's _the_ hint at all. So I have to code the server side as well in order to get called back OnKeyNeeded, right?

Regards
#4230
Posted: 11/06/2007 11:08:35
by Ken Ivanov (EldoS Corp.)

Quote
So I have to code the server side as well in order to get called back OnKeyNeeded, right?

Yes, exactly.
#4233
Posted: 11/06/2007 14:19:28
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Thank you for your assistance. I'm now having a running client/server PSK solution. Still under oxygen masks, but seems to work.

Just a couple of questions:

1) The SBB is 100% managed code? Or is there any COM/OCX/ActiveX around, required at runtime?
2) For client and server I would have to deploy SecureBlackBox.dll, SecureBlackBox.PKI.dll, SecureBlackBox.SSLCommon.dll, SecureBlackBox.SSLServer/Client.dll and probably the certificates (?). Anything else?
3) I did limit the ciphersuites on both client/server site to SB_SUITE_PSK_AES256_SHA _only_. Anything problematic with this setup? I assume, this is a setup for a 256 bit PSK?
4) Is all that able to run under Windows Mobile 5 and 6 and PPC 2003?

Lot's of questions, I know. But I really want to make the things sure, before going to purchase SBB.

EDIT: Withdrawing questions 1 and 4, because they are answered on the website.

Regards
#4241
Posted: 11/07/2007 02:47:31
by Ken Ivanov (EldoS Corp.)

Quote
1) The SBB is 100% managed code? Or is there any COM/OCX/ActiveX around, required at runtime?

Yes. The only external calls are performed by TElWinCertStorage (to Win32 CryptoAPI) and TElPKCS11CertStorage (to PKCS#11 driver DLL) classes. If you do not use certificates stored in Windows system store or on PKCS#11 token, no external code is used.

Quote
2) For client and server I would have to deploy SecureBlackBox.dll, SecureBlackBox.PKI.dll, SecureBlackBox.SSLCommon.­dll, SecureBlackBox.SSLServer/­Client.dll and probably the certificates (?). Anything else?

Yes, no other assemblies are needed. Certificates support is implemented in SecureBlackbox.PKI.dll.

Quote
3) I did limit the ciphersuites on both client/server site to SB_SUITE_PSK_AES256_SHA _only_. Anything problematic with this setup? I assume, this is a setup for a 256 bit PSK?

There should be no problems with this setup. The above ciphersuite can be translated to English as "PSK key exchange with AES256 symmetric cipher and SHA1 hash function".

Quote
4) Is all that able to run under Windows Mobile 5 and 6 and PPC 2003?

.NET edition of SBB includes assemblies built for .NET Compact Framework 1 and 2.
Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.

Reply

Statistics

Topic viewed 7328 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!