Re: SSL (or alike) over UDP

2005-01-31 Thread Eduardo Pérez
On 2005-01-14 10:39:55 UTC, [EMAIL PROTECTED] wrote:
> There is an IETF Internet Draft proposed by E. Rescorla that allows TLS over UDP
> here is the link:
> http://www.ietf.org/internet-drafts/draft-rescorla-dtls-02.txt

I'm looking forward to this protocol.

The people behind this protocol told me:
We're currently working on integrating with the OpenSSL source,
so that will be the official distribution.

Here's the past release:
http://scm.sipfoundry.org/viewsvn/resiprocate/main/sip/contrib/dtls/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: SSL (or alike) over UDP

2005-01-17 Thread Ben Laurie
Peter 'Luna' Runestig wrote:
> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
>> Do you know if it's possible to use SSL (or some other protocol) over
>> UDP running totally in user space.
>
> The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
> great.

No, it doesn't. It uses SSL to bootstrap UDP connections.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff


Re: SSL (or alike) over UDP

2005-01-17 Thread Shaun Lipscombe
* Ben Laurie wrote:

> Peter 'Luna' Runestig wrote:
>> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
>>> Do you know if it's possible to use SSL (or some other protocol) over
>>> UDP running totally in user space.
>>
>> The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
>> great.
>
> No, it doesn't. It uses SSL to bootstrap UDP connections.

It says in the book Web Security & Commerce by Simson Garfinkel,
Gene Spafford that SSL cannot use UDP.

I read that bit just the other day :-)


Re: SSL (or alike) over UDP

2005-01-17 Thread Andrew Mann
Shaun Lipscombe wrote:
> * Ben Laurie wrote:
>
>> Peter 'Luna' Runestig wrote:
>>> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
>>>> Do you know if it's possible to use SSL (or some other protocol) over
>>>> UDP running totally in user space.
>>>
>>> The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
>>> great.
>>
>> No, it doesn't. It uses SSL to bootstrap UDP connections.
>
> It says in the book Web Security & Commerce by Simson Garfinkel,
> Gene Spafford that SSL cannot use UDP.
> I read that bit just the other day :-)

  The question is a little vague.  I don't know of anything that you
can just plug in that does this (I'm not very knowledgeable on the
subject though).  If you mean can a system be built, then it can.
  You can arrange for order of arrival and guaranteed delivery above
UDP and have basically rebuilt TCP on top of UDP.  So in that respect,
with some work anything that can work over TCP can work over UDP.  It
would be counterproductive to do this though unless your main goal was
to work around a system that wouldn't pass IP packets with the protocol
set to TCP.
  If you want to work with UDP's lower overhead by accepting lost and
out of order packets then you need to use an encryption method that
doesn't alter its state based on the data flow (i.e. RC4 would be out).
  SSL (usually?) uses public key encryption to exchange a shared secret
that's used in a symmetric algorithm for the remainder of the
conversation.  A straightforward method might be to establish a TCP
connection for this key exchange, and then use a block cipher (blowfish
perhaps) to encrypt individual UDP packets.  Since each UDP packet would
be encrypted individually a lost or out of order packet would not matter
to the decryption process.  I don't know how secure blowfish would be
using the same key over and over, and certainly the more data you pass
encrypted with the same key the easier it will become to analyze and
break.  If you're worried about it you can keep the TCP connection open
and exchange new symmetric keys occasionally.
  If you look into the encryption used for wireless communication (I'm
sure there's a couple RFCs on this) that system should adapt to UDP
transmissions without much work.  Use the newest standard, since the
older one was fairly easy to break if I recall.

Andrew
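
Andrew Mann's point above about cipher state under loss and reordering, as an added example that is not part of the original thread: a shared RC4 stream desynchronises when a datagram is dropped, while datagrams keyed off an explicit sequence number decrypt independently and can also be authenticated and checked for replay. The function names, the datagram layout and the HMAC-SHA256 counter-mode keystream (a stand-in for a real cipher) are assumptions made for illustration.

```python
import hashlib, hmac, struct

def rc4(key):  # keystream generator; its state advances with every byte
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def xor(data, stream):
    return bytes(b ^ k for b, k in zip(data, stream))

def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def keystream(secret, seq, n):
    """Keystream from (secret, seq) only; HMAC-SHA256 counter mode as a stand-in cipher."""
    ek = prf(secret, b"enc")
    return b"".join(prf(ek, struct.pack("!QI", seq, c)) for c in range(n // 32 + 1))[:n]

def seal(secret, seq, plaintext):
    """Datagram = 8-byte sequence number || ciphertext || 16-byte MAC tag."""
    body = struct.pack("!Q", seq) + xor(plaintext, keystream(secret, seq, len(plaintext)))
    return body + prf(prf(secret, b"mac"), body)[:16]

def unseal(secret, datagram, seen):
    """Return the plaintext, or None if forged, damaged or replayed."""
    body, tag = datagram[:-16], datagram[-16:]
    if len(body) < 8 or not hmac.compare_digest(tag, prf(prf(secret, b"mac"), body)[:16]):
        return None
    seq = struct.unpack("!Q", body[:8])[0]
    if seq in seen:
        return None
    seen.add(seq)
    return xor(body[8:], keystream(secret, seq, len(body) - 8))

def demo():
    secret, msgs = b"constructed shared secret", [b"first", b"second", b"third"]
    tx, rx, seen = rc4(secret), rc4(secret), set()
    rc4_wire = [xor(m, tx) for m in msgs]
    wire = [seal(secret, n, m) for n, m in enumerate(msgs)]
    # Datagram 1 is lost and the other two arrive swapped; the last is a replay.
    rc4_got = [xor(c, rx) for c in (rc4_wire[2], rc4_wire[0])]
    return rc4_got, [unseal(secret, d, seen) for d in (wire[2], wire[0], wire[0])]
```

`demo()` returns unreadable bytes for both RC4 datagrams, and the two messages in arrival order followed by `None` for the per-packet scheme, the `None` being the rejected replay.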


SSL (or alike) over UDP

2005-01-14 Thread Eduardo Pérez
Do you know if it's possible to use SSL (or some other protocol) over
UDP running totally in user space.

I'd like to prevent TCP disconnects (SSL over TCP has this problem)

I'd also like to use reliable delivery and a stream unreliable delivery
protocol over the same connection-oriented base secure protocol.

It would be like using IPSEC totally in user space but without anything
to do with IP.


Re: SSL (or alike) over UDP

2005-01-14 Thread Brad Hards
On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
> Do you know if it's possible to use SSL (or some other protocol) over
> UDP running totally in user space.
Not possible to use SSL. Some other protocol is potentially possible, but you
haven't told us what you are trying to accomplish, so it's hard to tell what is
appropriate.

> I'd also like to use reliable delivery and a stream unreliable delivery
> protocol over the same connection-oriented base secure protocol.
To do what?

> It would be like using IPSEC totally in user space but without anything
> to do with IP.
I'm still confused. What security problem are you trying to solve?

Brad




Re: SSL (or alike) over UDP

2005-01-14 Thread [EMAIL PROTECTED]
Dear all,

There is an IETF Internet Draft proposed by E. Rescorla that allows TLS over UDP
here is the link:
http://www.ietf.org/internet-drafts/draft-rescorla-dtls-02.txt

-Ibrahim

Original Message:
-----------------
From: Brad Hards [EMAIL PROTECTED]
Date: Fri, 14 Jan 2005 21:19:24 +1100
To: openssl-users@openssl.org
Subject: Re: SSL (or alike) over UDP


On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
> Do you know if it's possible to use SSL (or some other protocol) over
> UDP running totally in user space.
Not possible to use SSL. Some other protocol is potentially possible, but
you haven't told us what you are trying to accomplish, so it's hard to tell
what is appropriate.

> I'd also like to use reliable delivery and a stream unreliable delivery
> protocol over the same connection-oriented base secure protocol.
To do what?

> It would be like using IPSEC totally in user space but without anything
> to do with IP.
I'm still confused. What security problem are you trying to solve?

Brad





RE: SSL (or alike) over UDP

2005-01-14 Thread David Schwartz

> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
>> Do you know if it's possible to use SSL (or some other protocol) over
>> UDP running totally in user space.
>
> Not possible to use SSL. Some other protocol is potentially
> possible, but you haven't told us what you are trying to
> accomplish, so it's hard to tell what is appropriate.

It's certainly possible. SSL doesn't care how the bytes get from one end to
the other. Any reliable stream protocol will work, including TCP, pipes, or
one implemented over UDP.

DS




Re: SSL (or alike) over UDP

2005-01-14 Thread Peter 'Luna' Runestig
On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
> Do you know if it's possible to use SSL (or some other protocol) over
> UDP running totally in user space.

The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
great.

-- 
Peter 'Luna' Runestig (fd. Altberg), Sweden [EMAIL PROTECTED]
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B  42EA CB99 A35C D07B BE13
AOL Instant Messenger Screen name: PRunestig
Yahoo! Messenger profile name: altberg