SBB in proxy environment

#4244
Posted: 11/07/2007 04:01:00
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Thanks for your patience and your extraordinary efforts.

I tend to purchase the stack. Because we are currently in a single-developer proof of concept and demonstrator situation, I would tend to start with the SSLClient/Server .net Standard Business Edition for € 199 (I think). Because of the nature of the code a productive version would have to have a middleware license, but that would be the next step.

Would you share this approach?

Kind regards
#4259
Posted: 11/07/2007 16:09:16
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Sorry for annoying you again, but after having read the 3gpp TS 24.109 (describing the TLS scenarios available) I have some additional technical questions concerning the granularity of control over the parameters of a TLS client/server connection established using SBB.

According to 3gpp TS 24.109, 5.3.3.1

a) the ClientHello shall contain one or more PSK based ciphersuites.

b) the ClientHello shall contain the server_name TLS extension as specified in RFC 3546 with a specific content.

c) the ServerHello shall contain a PSK based ciphersuite.

d) the ServerKeyExchange shall contain the psk_identity_hint field with a specific content.

e) the ClientKeyExchange shall contain the psk_identity_field with a specific content. The client provides a special PSK as pre-master secret (shall be possible, as I have seen)

f) the server shall be able to extract the psk_identity_field from the ClientKeyExchange. The server checks the authentication information contained in psk_identity_field and derives a corresponding PSK (which is identical to the client PSK).

From now the things are not quite clear to me. The flowchart in F.3 of the a.m. specification (available at ftp://ftp.3gpp.org or via Google Search) shows

ClientKeyExchange (PSK identity)
ChangeCipherSpec
Finished
------------------------------------------->
Authentication at server side
ChangeCipherSpec
Finished
<-------------------------------------------

In my preliminary tests I've seen that I was asked for OnKeyNeeded on client and server side. The problem: before being able to provide a PSK on server side I would need to have access to the PSK identity, because this identity is required to derive the key material.

My question: Can all this be done with SBB? I've seen that I'm able to support requirement a) and c) and provide a PSK on both sides. But what about the other requirements?

Please be so kind to comment.

Kind regards

#4261
Posted: 11/08/2007 02:22:51
by Ken Ivanov (EldoS Corp.)

Quote
a) the ClientHello shall contain one or more PSK based ciphersuites.

The ciphersuites are added to the ClientHello automatically according to the value of TElSecureClient.CipherSuites[] property. I.e., all the enabled ciphersuites get to the client hello.

Quote
b) the ClientHello shall contain the server_name TLS extension as specified in RFC 3546 with a specific content.

The extension can be set up using TElSecureClient.Extensions.ServerName property.

Quote
c) the ServerHello shall contain a PSK based ciphersuite.

The same as (a) -- you just need to enable PSK-based ciphersuites for the instance of TElSecureServer.

Quote
d) the ServerKeyExchange shall contain the psk_identity_hint field with a specific content.

The corresponding identity content can be set via TElSecureServer.Extensions.PSKIdentityHint property.

Quote
e) the ClientKeyExchange shall contain the psk_identity_field with a specific content. The client provides a special PSK as pre-master secret (shall be possible, as I have seen)

Yes -- use OnKeyNeeded event to pass a PSK key to TElSecureClient.

Quote
f) the server shall be able to extract the psk_identity_field from the ClientKeyExchange. The server checks the authentication information contained in psk_identity_field and derives a corresponding PSK (which is identical to the client PSK).

The same -- use TElSecureServer.OnKeyNeeded event to get the PSK identity provided by the client (and to pass a PSK key to TElSecureServer).
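An added example (not from this thread and not SecureBlackbox code) showing, at the RFC 4279 wire level, the ordering problem raised in steps d) to f) above: the server must parse psk_identity out of the ClientKeyExchange before it can derive the PSK, and both sides then build the same premaster secret. The identity strings, root key and HMAC-based KDF are constructed placeholders; the real 3GPP TS 24.109 identity format and the TS 33.220 key derivation are not reproduced.

```python
import hmac
import hashlib
import struct

# Constructed sample values (assumptions, not 3GPP-conformant content).
PSK_IDENTITY_HINT = b"3GPP-bootstrapping"
CLIENT_IDENTITY = b"3GPP-bootstrapping;constructed-btid@example.invalid"
SHARED_ROOT_KEY = b"constructed-root-key-known-to-both-sides"


def derive_psk(root_key, identity):
    """Stand-in KDF (assumption): both sides derive the PSK from the identity."""
    return hmac.new(root_key, identity, hashlib.sha256).digest()


def build_opaque16(data):
    """Encode an RFC 4279 opaque<0..2^16-1> vector (hint or identity)."""
    return struct.pack("!H", len(data)) + data


def parse_opaque16(body):
    """Decode one opaque<0..2^16-1> vector; reject truncated or trailing bytes."""
    if len(body) < 2:
        raise ValueError("body too short")
    (n,) = struct.unpack("!H", body[:2])
    if len(body) != 2 + n:
        raise ValueError("length field does not match body length")
    return body[2:2 + n]


def premaster_secret(psk):
    """RFC 4279 section 2 premaster for plain PSK suites:
    uint16 N, N zero octets (other_secret), uint16 N, then the PSK itself."""
    n = len(psk)
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk


def run_psk_key_exchange():
    """Walk steps d) to f) and return (hint, identity, client_pms, server_pms)."""
    # d) Server sends ServerKeyExchange carrying psk_identity_hint.
    hint = parse_opaque16(build_opaque16(PSK_IDENTITY_HINT))
    # e) Client picks its identity, derives its PSK and sends ClientKeyExchange.
    cke_body = build_opaque16(CLIENT_IDENTITY)
    client_pms = premaster_secret(derive_psk(SHARED_ROOT_KEY, CLIENT_IDENTITY))
    # f) Server extracts psk_identity first; only then can it derive the PSK.
    identity = parse_opaque16(cke_body)
    server_pms = premaster_secret(derive_psk(SHARED_ROOT_KEY, identity))
    return hint, identity, client_pms, server_pms
```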
#4262
Posted: 11/08/2007 03:54:15
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Hello Innokentiy,

thanks for the quick and detailed answer. So let's start!

Concerning the step-by-step approach I mentioned in one of my previous posts: Is the SSLClient/Server .net Standard Business Edition sufficient for the a.m. scenario? Especially, are all of the required assemblies (PKI) contained in this package? Or do I have to purchase SBB complete?

Kind regards.
#4264
Posted: 11/08/2007 12:09:24
by Eugene Mayevski (EldoS Corp.)

PKIBlackbox is included with all other packages (as it contains core PKI functionality, on which most of the other stuff is based). So for a beginning the business license for SSLBlackbox client-server is ok. If you plan to include SSLBlackbox (and PKIBlackbox) as a part of your *components* for other developers, then you need a middleware license. If your solution is for end-users, then a vendor license is needed. Later you will be able to upgrade the license by paying just the difference between the cost of the purchased license and the cost of the new license.


Sincerely yours
Eugene Mayevski
#4270
Posted: 11/08/2007 15:24:39
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Thanks. No further questions for now :)

I've put the purchase process on the way.

For now many thanks for that extremely useful and helpful information.

Regards
#4271
Posted: 11/08/2007 15:40:39
by Eugene Mayevski (EldoS Corp.)

Thank you. If you can, please share your experience regarding use of our products with other users. You can submit a testimonial using the Feedback form.

Alternatively you can write a use case. We offer the discount to the customers who create the use cases.


Sincerely yours
Eugene Mayevski