openssl ssl encryption

Question

Hello, I want to discuss about openssl write and read method.
Assume I have an data structure like below:

/-----------------------------------------------------\
|  my_header   |  PAYLOAD                             |
\-----------------------------------------------------/
       |                              |
      \ /                            \ /
 not encrypted                      encrypted

I think the proper algorithm would be like this :
   SEND:
   build my_header with my own header.
   encrypt PAYLOAD with encryption function
   attach my_header and PAYLOAD (encrypted) to one buffer
   send it using common POSIX function just like send or sendto
   RECV:
   using common POSIX function just like recv or recvfrom.
   extract my_header and PAYLOAD(encrypted)
   decrypt PAYLOAD with decryption function
   at last i got my_header and PAYLOAD(decrypted).

How is your approach if you face a problem like above. Since openssl encrypt all of data that is sent to SSL_write function (CMIIW).

Thanks.

Maybe, the apropriate question is, what is the encryption and decryption function that can be used to encrypt/decrypt PAYLOAD in openssl?.

Answer 1

If you're building an encrypted protocol, that's exactly how I'd do it, assuming my_header contains enough information and nothing that in itself needs to be kept secure, such as the session key. Network packets at the low level (see tcpdump/libpcap) are just a char* ("string") and you extract different headers by moving along the array different lengths - what you're suggesting sounds just like this.

Answer 2

You can actually let OpenSSL do a lot of the heavy lifting for you.

You can create your networking primitives as before and associate the file descriptors with an Open SSL context, which will handle the SSL handshake, encryption and decryption. I'm glossing over a lot of the details but the sample code on the openssl website and in this book:

http://www.amazon.com/Network-Security-OpenSSL-John-Viega/dp/059600270X

will be very instructive. The book is also available online but I believe you have to pay to access it.

In OpenSSL's distribution you can find lots of sample code illustrating exactly how to do this.

Good luck.

Answer 3

OpenSSL comes with a libcrypto library which is commonly used to perform standalone encryption outside of an SSL context.

http://www.openssl.org/docs/crypto/evp.html

Alternatively, the bio portion of the library may be even closer to what you want: http://www.openssl.org/docs/crypto/bio.html

But if you really intend to send this over the network, then I would question the safety of leaving the header unencrypted. Encryption is about more than privacy, it is also about ensuring the data has not been modified in transit. If someone is in a position to monitor your traffic, then they are usually in a position to tamper with it too.

If you want the header unecrypted so you can read it in wireshark for debugging, then I suggest making a flag in your application to fully enable/disable encryption for use in a debugging environment.

Answer 4

When you use TLS/DTLS, you have the choice : you cipher the whole frame, or nothing at all.

If you want to have some unciphered data in the frame, then you probably don't need TLS/DTLS. You might however use OpenSSL to compute a hash of your header (using SHA or any other related hash algorithm) and adding it at the end of the frame to avoid tampering.

For the ciphered part of the frame, you'll have to choose between symetric and asymetric cipher algorithms. But without knowing what you want to achieve, I cannot really advise on this.

Just keep in mind that symetric algorithms are usually faster but require a key exchange at first. To do so, you might use an asymetric algorithm, but then, you're reinventing TLS/DTLS ;)