Shaun Lipscombe wrote:
* Ben Laurie wrote:


Peter 'Luna' Runestig wrote:

On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:


Do you know if it's possible to use SSL (or some other protocol) over
UDP running totally in user space.


The OpenVPN project <http://openvpn.net/> runs OpenSSL over UDP, works
great.

No, it doesn't. It uses SSL to bootstrap UDP connections.


It says in the book "Web Security & Commerce by Simson Garfinkel,
Gene Spafford" that SSL cannot use UDP.

I read that bit just the other day :-)

The question is a little vague. I don't know of anything that you can just plug in that does this (I'm not very knowledgeable on the subject though). If you mean can a system be built, then it can.
You can arrange for order of arrival and guaranteed delivery above UDP and have basically rebuilt TCP on top of UDP. So in that respect, with some work anything that can work over TCP can work over UDP. It would be counterproductive to do this though unless your main goal was to work around a system that wouldn't pass IP packets with the protocol set to TCP.
If you want to work with UDP's lower overhead by accepting lost and out of order packets then you need to use an encryption method that doesn't alter its state based on the data flow (i.e. RC4 would be out).
SSL (usually?) uses public key encryption to exchange a shared secret that's used in a symmetric algorithm for the remainder of the conversation. A straightforward method might be to establish a TCP connection for this key exchange, and then use a block cipher (Blowfish perhaps) to encrypt individual UDP packets. Since each UDP packet would be encrypted individually a lost or out of order packet would not matter to the decryption process. I don't know how secure Blowfish would be using the same key over and over, and certainly the more data you pass encrypted with the same key the easier it will become to analyze and break. If you're worried about it you can keep the TCP connection open and exchange new symmetric keys occasionally.
If you look into the encryption used for wireless communication (I'm sure there's a couple of RFCs on this) that system should adapt to UDP transmissions without much work. Use the newest standard, since the older one was fairly easy to break if I recall.


Andrew
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]