Re: [DotGNU]Encryption protocols

[Chris Smith]

Okay.  I've been doing a lot with openssl with the dgee stuff (actually its 
part of Goldwater and is required where you want to encrypt data passing 
between distributed Goldwater (dgee) nodes).

Norbert and I have discussed OpenSSL and GnuPGP at great length in terms of 
licencing (as openssl isn't gpl, but fairly compatible).  The solution that 
came up was to use 'a crypt toolkit' but not specifically openssl or 
gnupgp.... OpenSSL would be the prefered option IMO as it's so well respected 
and trusted, but GNUPgp sould be the default at compile time as it's GPL... 
(I'd want to use openssl every time though TBH :o)

If you're going to use openssl/gnupgp from C# within pnet I'd suggest using 
the InternalCall mechanism to bind to a C abstraction layer that hides the 
differences between openssl and other toolkits.  Doing it this way means that 
any code running within ILEngine has access to the crypt primitives, 
regardless of the language they're written in.

I agree with Rhys though, you don't really need to implement your own security 
algorithm using combinations of encryption types as SSL/TLS will surely do 
everything you want, as long as you're encrypting a network link.  If you 
need to encrypt a block of data, and then transmit it using a variety of 
methods, including storing it on disc for instance, then you need to do the 
encryption yourself.

99% of the time you need to protect your network channel.  You'll need no mre 
than SSL/TLS for this - and if you use session resumption (the slow) startup 
handshakes can be avoided.

If SSL./TLS doesn't fit the job I'd be asking 'Why?'.  They are rare, but do 
happen and you may have one of those, but I'd be suspicious.

Cheers,
Chris 'Happy to discuss SSL at any Time :o)'



On Sunday 09 Mar 2003 09:19, Peter Minten wrote:
> Hi folks,
>
> I promised on IRC yesterday to look into openssl and which parts of it are
> useful to DotGNU. A quick look revealed that 2 protocols might be very
> useful: RSA and blowfish. RSA is good for the authentication (since it uses
> public and private keys) and blowfish is good for the encryption of
> communication.
>
> It would work like this: you authenticate with the slow RSA protocol, at
> the end of the authentication you get an blowfish key and that's used for
> encryption of the communication of this session (since blowfish is a lot
> faster than RSA the change is worthwhile).
>
> Greetings,
>
> Peter
>
> PS: Interesting in this context is this article:
> http://tldp.org/LDP/LG/current/vinayak.html .
>
> _______________________________________________
> Developers mailing list
> address@hidden
> http://www.dotgnu.org/mailman/listinfo/developers

-- 
Chris Smith
  Technical Architect - netFluid Technology Ltd.
  "Internet Technologies, Distributed Systems and Tuxedo Consultancy"
  E: address@hidden  W: http://www.nfluid.co.uk