openssl ssl 加密
我想讨论一下openssl的写入和读取方法。
假设我有一个如下所示的数据结构:
/-----------------------------------------------------\
| my_header | PAYLOAD |
\-----------------------------------------------------/
| |
\ / \ /
not encrypted encrypted
I think the proper algorithm would be like this :
SEND:
build my_header with my own header.
encrypt PAYLOAD with encryption function
attach my_header and PAYLOAD (encrypted) to one buffer
send it using common POSIX function just like send or sendto
RECV:
using common POSIX function just like recv or recvfrom.
extract my_header and PAYLOAD(encrypted)
decrypt PAYLOAD with decryption function
at last i got my_header and PAYLOAD(decrypted).
如果您遇到上述问题,您的方法是什么。由于 openssl 加密了发送到 SSL_write 函数 (CMIIW) 的所有数据。
谢谢。
也许,合适的问题是,openssl 中可用于加密/解密 PAYLOAD 的加密和解密函数是什么?
I want to discuss about openssl write and read method.
Assume I have an data structure like below:
/-----------------------------------------------------\
| my_header | PAYLOAD |
\-----------------------------------------------------/
| |
\ / \ /
not encrypted encrypted
I think the proper algorithm would be like this :
SEND:
build my_header with my own header.
encrypt PAYLOAD with encryption function
attach my_header and PAYLOAD (encrypted) to one buffer
send it using common POSIX function just like send or sendto
RECV:
using common POSIX function just like recv or recvfrom.
extract my_header and PAYLOAD(encrypted)
decrypt PAYLOAD with decryption function
at last i got my_header and PAYLOAD(decrypted).
How is your approach if you face a problem like above. Since openssl encrypt all of data that is sent to SSL_write function (CMIIW).
Thanks.
Maybe, the apropriate question is, what is the encryption and decryption function that can be used to encrypt/decrypt PAYLOAD in openssl?.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
实际上,您可以让 OpenSSL 为您完成许多繁重的工作。
您可以像以前一样创建网络原语,并将文件描述符与 Open SSL 上下文相关联,该上下文将处理 SSL 握手、加密和解密。我掩盖了很多细节,但 openssl 网站和本书中的示例代码:
http://www.amazon.com/Network-Security-OpenSSL-John-Viega/dp/059600270X
将非常有启发性。这本书也可以在网上找到,但我相信你必须付费才能访问它。
在 OpenSSL 的发行版中,您可以找到大量示例代码,准确说明如何执行此操作。
祝你好运。
You can actually let OpenSSL do a lot of the heavy lifting for you.
You can create your networking primitives as before and associate the file descriptors with an Open SSL context, which will handle the SSL handshake, encryption and decryption. I'm glossing over a lot of the details but the sample code on the openssl website and in this book:
http://www.amazon.com/Network-Security-OpenSSL-John-Viega/dp/059600270X
will be very instructive. The book is also available online but I believe you have to pay to access it.
In OpenSSL's distribution you can find lots of sample code illustrating exactly how to do this.
Good luck.
OpenSSL 附带了一个 libcrypto 库,该库通常用于在 SSL 上下文之外执行独立加密。
http://www.openssl.org/docs/crypto/evp.html
另外,库的生物部分可能更接近您想要的:
http://www.openssl.org/docs/crypto/bio.html
但如果您真的打算通过网络发送此信息,那么我会质疑未加密标头的安全性。加密不仅涉及隐私,还涉及确保数据在传输过程中不被修改。如果有人能够监视您的流量,那么他们通常也能够篡改您的流量。
如果您希望标头未加密,以便可以在wireshark中读取它以进行调试,那么我建议在您的应用程序中创建一个标志以完全启用/禁用在调试环境中使用的加密。
OpenSSL comes with a libcrypto library which is commonly used to perform standalone encryption outside of an SSL context.
http://www.openssl.org/docs/crypto/evp.html
Alternatively, the bio portion of the library may be even closer to what you want:
http://www.openssl.org/docs/crypto/bio.html
But if you really intend to send this over the network, then I would question the safety of leaving the header unencrypted. Encryption is about more than privacy, it is also about ensuring the data has not been modified in transit. If someone is in a position to monitor your traffic, then they are usually in a position to tamper with it too.
If you want the header unecrypted so you can read it in wireshark for debugging, then I suggest making a flag in your application to fully enable/disable encryption for use in a debugging environment.
如果您正在构建加密协议,那么我就是这样做的,假设
my_header包含足够的信息,并且本身没有任何内容需要保持安全,例如会话密钥。低级别的网络数据包(请参阅 tcpdump/libpcap)只是一个 char* (“字符串”),您可以通过沿着数组移动不同的长度来提取不同的标头 - 您的建议听起来就像这样。If you're building an encrypted protocol, that's exactly how I'd do it, assuming
my_headercontains enough information and nothing that in itself needs to be kept secure, such as the session key. Network packets at the low level (see tcpdump/libpcap) are just a char* ("string") and you extract different headers by moving along the array different lengths - what you're suggesting sounds just like this.当您使用 TLS/DTLS 时,您可以选择:对整个帧进行加密,或者什么都不加密。
如果您想在帧中包含一些未加密的数据,那么您可能不需要 TLS/DTLS。但是,您可以使用 OpenSSL 计算标头的哈希值(使用 SHA 或任何其他相关哈希算法)并将其添加到帧末尾以避免篡改。
对于帧的加密部分,您必须在对称和非对称加密算法之间进行选择。但在不知道你想要实现什么目标的情况下,我无法就此提供真正的建议。
请记住,对称算法通常更快,但首先需要密钥交换。为此,您可以使用非对称算法,但随后您将重新发明 TLS/DTLS ;)
When you use TLS/DTLS, you have the choice : you cipher the whole frame, or nothing at all.
If you want to have some unciphered data in the frame, then you probably don't need TLS/DTLS. You might however use OpenSSL to compute a hash of your header (using SHA or any other related hash algorithm) and adding it at the end of the frame to avoid tampering.
For the ciphered part of the frame, you'll have to choose between symetric and asymetric cipher algorithms. But without knowing what you want to achieve, I cannot really advise on this.
Just keep in mind that symetric algorithms are usually faster but require a key exchange at first. To do so, you might use an asymetric algorithm, but then, you're reinventing TLS/DTLS ;)