I'm trying to encrypt a regular file using the TLS extension.
I've generated public and private keys as follows (under Linux):
openssl genrsa -out server-private.pem 1024
openssl req -new -x509 -key server-private.pem \
    -out server-public.pem -days 365 \
    -config openssl.cfg
Then I've written a small test script:
##########################
package require tls
# Encrypting
set fd [open crypted_file w+]
::tls::import $fd -certfile server-public.pem -keyfile \
server-private.pem -ssl2 1 -ssl3 1 -tls1 0 -require 0 \
-request 0
puts $fd "some example text to encrypt"
close $fd
# Decrypting
set fd [open crypted_file r+]
::tls::import $fd -keyfile server-public.pem -ssl2 1 \
-ssl3 1 -tls1 0 -require 0 -request 0
set data [read $fd]
puts "data: $data"
close $fd
##########################
But it breaks while reading the file (second part of the script).
Encrypting goes OK and crypted_file seems to be OK (there is some
random crap inside of it), but when I try to call [read $fd] Tcl
breaks with the message:
error reading "file4": connection reset by peer
Does anyone have an idea why that is and how to fix it?
--
Pozdrawiam (Regards)!
Googie
Hello Googie,
Interesting post. Not so long ago I asked in this newsgroup about the
type of channels for which TLS would be meaningful (including regular
files). See the thread "Valid channels for use with tls::import?",
23-Mar-2007, 11.27. I was then in doubt about the possibility to encrypt
files by the method that you use.
The answer is: it can't be done. TLS needs another party with which it
agrees on a session key for message encryption (the handshake). In the
case of a regular file, there is no party to do the handshake with.
Therefore I expect your method to fail in an earlier stage than you
mention (see below).
To write encrypted information to a regular file, you'd need to encrypt
the information first, and next write it out to a regular file (no TLS/SSL).
(If you insist on using TLS, there are setups to be construed, but I
don't think they are not very straightforward to say the least).
Greetings,
Erik Leunissen
> openssl genrsa -out server-private.pem 1024
> openssl req -new -x509 -key server-private.pem \
> -out server-public.pem -days 365 \
> -config openssl.cfg
>
> Then I've written a small test script:
>
> ##########################
> package require tls
>
> # Encrypting
> set fd [open crypted_file w+]
> ::tls::import $fd -certfile server-public.pem -keyfile \
> server-private.pem -ssl2 1 -ssl3 1 -tls1 0 -require 0 \
> -request 0
> puts $fd "some example text to encrypt"
^^^^^^^^
Expect it to fail here because a handshake is required to write to a TLS
channel.
> close $fd
>
> # Decrypting
> set fd [open crypted_file r+]
> ::tls::import $fd -keyfile server-public.pem -ssl2 1 \
> -ssl3 1 -tls1 0 -require 0 -request 0
> set data [read $fd]
> puts "data: $data"
> close $fd
> ##########################
>
> But it breaks while reading the file (second part of the script).
> Encrypting goes OK and crypted_file seems to be OK (there is some
> random crap inside of it), but when I try to call [read $fd] Tcl
> breaks with the message:
> error reading "file4": connection reset by peer
>
> Does anyone have an idea why that is and how to fix it?
>
--
leunissen@ nl | Merge the left part of these two lines into one,
e. hccnet. | respecting a character's position in a line.
>
> (If you insist on using TLS, there are setups to be construed, but I
> don't think they are not very straightforward to say the least).
>
On the other hand, it could be a useful method if you intend to write to
a file system that resides on another host, and the purpose of using TLS
is to encrypt the communication with the process on the other host that
does the actual writing to file for you.
Erik
TLS does not encrypt files.
Use one of the packages (wish protocol)
% package require des
1.0.0
% package require rc4
1.1.0
% package require blowfish
1.0.2
I have done it with rc4 - this code snippet might help;
set of [open $outfile w]
fconfigure $of -translation binary
rc4::rc4 -key $k -infile $f -out $of
close $of
--- Max
or even AES, it is the latest encryption standard.
Or have a look at GPG, it is perfect for this task, with key management
and user interface.
Max
(not talking to myself..) I should show the complete proc, it might be
confusing about files and handles...
You can use this to encode, and decode!
package require rc4

# RC4 is symmetric, so the same proc encrypts and decrypts:
# foo -> foo.rc4, and foo.rc4 -> foo.
proc enc {f k} {
    if {[file extension $f] eq ".rc4"} {
        set outfile [file rootname $f]
    } else {
        set outfile $f.rc4
    }
    # might test for outfile existence here...
    set of [open $outfile w]
    fconfigure $of -translation binary
    rc4::rc4 -key $k -infile $f -out $of
    close $of
}
----- Max
> or even AES, it is the latest encryption standard.
>
> Or have a look at GPG, it is perfect for this task, with key
> management and user interface.
Thank you Max for such a rich response!
AES/RC4/blowfish - they do not satisfy me, because I need asynchronous
algorithm.
GPG would fit, but it's an external tool. I really need some Tcl
implemented asynchronous algorithm, or at least a stubs-enabled Tcl
extension. I want to distribute it together with the application in a
starkit.
Any hints? (I found pure-Tcl RSA on the wiki, but it's a poor
implementation, not full).
--
Pozdrawiam (Regards)!
Googie
> The answer is: it can't be done. TLS needs another party with which
> it agrees on a session key for message encryption (the handshake). In
> the case of a regular file, there is no party to do the handshake
> with.
I wonder if such functionality (as I had expected) can be done at the TLS
extension level, or must be done at the OpenSSL level...
Anyway, thanks for the response!
--
Pozdrawiam (Regards)!
Googie
asymmetric
>
> GPG would fit, but it's an external tool. I really need some Tcl
> implemented asynchronous algorithm, or at least a stubs-enabled Tcl
> extension. I want to distribute it together with the application in a
> starkit.
>
> Any hints? (I found pure-Tcl RSA on the wiki, but it's a poor
> implementation, not full).
>
Okay, you want public key/private key encryption, I can't help you there.
By the way, do you know that most encryption applications use asymmetric
encryption only for the key of the symmetric cypher? So inside you have
3DES, AES, Blowfish, etc.
Max
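The scheme described in the replies above (encrypt the data first, write it to a plain file without TLS, and use the public key only to protect a symmetric session key), as an added example that is not code from this thread. It uses the openssl command-line tool (1.1.1 or later, for -pbkdf2) rather than a Tcl package; the function names, file names and the throwaway 2048-bit key are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): hybrid file encryption with the openssl CLI.
# Function and file names are hypothetical.
set -eu

# hybrid_encrypt <public.pem> <plaintext-file> <out-prefix>
# Writes <out-prefix>.enc (AES-256-CBC data) and <out-prefix>.key (RSA-wrapped secret).
hybrid_encrypt() {
    he_secret=$(mktemp)
    # Fresh random session secret, used for this one file only.
    openssl rand -hex 32 > "$he_secret"
    # Bulk data: symmetric cipher, key derived from the secret with PBKDF2.
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$he_secret" \
        -in "$2" -out "$3.enc"
    # Only the short secret goes through RSA (OAEP padding).
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$he_secret" -out "$3.key"
    rm -f "$he_secret"
}

# hybrid_decrypt <private.pem> <in-prefix> <plaintext-out>
hybrid_decrypt() {
    hd_secret=$(mktemp)
    # Unwrap the session secret with the private key, then decrypt the data.
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2.key" -out "$hd_secret"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$hd_secret" \
        -in "$2.enc" -out "$3"
    rm -f "$hd_secret"
}

# Round trip with a throwaway key pair and constructed sample text.
# Prints "ok" if the decrypted file matches the input.
demo_roundtrip() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/private.pem" 2048 2>/dev/null
    openssl rsa -in "$d/private.pem" -pubout -out "$d/public.pem" 2>/dev/null
    printf 'some example text to encrypt\n' > "$d/plain.txt"
    hybrid_encrypt "$d/public.pem" "$d/plain.txt" "$d/crypted_file"
    hybrid_decrypt "$d/private.pem" "$d/crypted_file" "$d/decrypted.txt"
    if cmp -s "$d/plain.txt" "$d/decrypted.txt"; then r=ok; else r=mismatch; fi
    rm -rf "$d"
    echo "$r"
}

demo_roundtrip
```

To use a certificate such as the server-public.pem generated in the original post instead of a bare public key, pass -certin in place of -pubin. AES-CBC here provides confidentiality only, so sign or MAC the output if tampering matters.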
> asymmetric
Right, I don't know where it (above) came from :)
> Okay, you want public key/private key encryption, I can't help you
> there.
Thanks anyway!
--
Pozdrawiam (Regards)!
Googie