Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

TLS and regular files

18 views
Skip to first unread message

Googie

unread,
Apr 21, 2007, 7:28:01 AM4/21/07
to
Hello,

I'm trying to encrypt a regular file using TLS extension.
I've generated public and private keys as following (under linux):

openssl genrsa -out server-private.pem 1024
openssl req -new -x509 -key server-private.pem \
-out server-public.pem -days 365 \
-config openssl.cfg

then I've wrote some small test script:

##########################
package require tls

# Encrypting
set fd [open crypted_file w+]
::tls::import $fd -certfile server-public.pem -keyfile \
server-private.pem -ssl2 1 -ssl3 1 -tls1 0 -require 0 \
-request 0
puts $fd "some example text to encrypt"
close $fd

# Decrypting
set fd [open crypted_file r+]
::tls::import $fd -keyfile server-public.pem -ssl2 1 \
-ssl3 1 -tls1 0 -require 0 -request 0
set data [read $fd]
puts "data: $data"
close $fd
##########################

But it breaks while reading file (second part of script).
Encrypting goes OK and crypted_file seems to be OK (there are some
random craps inside of it), but when I try to call [read $fd] Tcl
breaks with message:
error reading "file4": connection reset by peer

Anyone has idea why is that and how to fix it?

--
Pozdrawiam (Regards)!
Googie

Erik Leunissen

unread,
Apr 21, 2007, 5:55:54 PM4/21/07
to
Googie wrote:
> Hello,
>
> I'm trying to encrypt a regular file using TLS extension.
> I've generated public and private keys as following (under linux):
>

Hello Googie,

Interesting post. Not so long ago I asked in this newsgroup about the
type of channels for which TLS would be meaningful (including regular
files). See the thread "Valid channels for use with tls::import?",
23-Mar-2007, 11.27. I was then in doubt about the possibility to encrypt
files by the method that you use.

The answer is: it can't be done. TLS needs another party with which it
agrees on a session key for message encryption (the handshake). In the
case of a regular file, there is no party to do the handshake with.

Therefore I expect your method to fail in an earlier stage than you
mention (see below).

To write encrypted information to a regular file, you'd need to encrypt
the information first, and next write it out to a regular file (no TLS/SSL).

(If you insist on using TLS, there are setups to be construed, but I
don't think they are not very straightforward to say the least).

Greetings,

Erik Leunissen


> openssl genrsa -out server-private.pem 1024
> openssl req -new -x509 -key server-private.pem \
> -out server-public.pem -days 365 \
> -config openssl.cfg
>
> then I've wrote some small test script:
>
> ##########################
> package require tls
>
> # Encrypting
> set fd [open crypted_file w+]
> ::tls::import $fd -certfile server-public.pem -keyfile \
> server-private.pem -ssl2 1 -ssl3 1 -tls1 0 -require 0 \
> -request 0
> puts $fd "some example text to encrypt"

^^^^^^^^
Expect it to fail here because a handshake is required to write to a TLS
channel.

> close $fd
>
> # Decrypting
> set fd [open crypted_file r+]
> ::tls::import $fd -keyfile server-public.pem -ssl2 1 \
> -ssl3 1 -tls1 0 -require 0 -request 0
> set data [read $fd]
> puts "data: $data"
> close $fd
> ##########################
>
> But it breaks while reading file (second part of script).
> Encrypting goes OK and crypted_file seems to be OK (there are some
> random craps inside of it), but when I try to call [read $fd] Tcl
> breaks with message:
> error reading "file4": connection reset by peer
>
> Anyone has idea why is that and how to fix it?
>


--
leunissen@ nl | Merge the left part of these two lines into one,
e. hccnet. | respecting a character's position in a line.

Erik Leunissen

unread,
Apr 21, 2007, 6:13:43 PM4/21/07
to
Erik Leunissen wrote:

>
> (If you insist on using TLS, there are setups to be construed, but I
> don't think they are not very straightforward to say the least).
>

On the other hand, it could be a useful method if you intend to write to
a file system that resides on another host, and the purpose of using TLS
is encrypt the communication with the process on the other host that
does the actual writing to file for you.

Erik

Message has been deleted

M. Strobel

unread,
Apr 22, 2007, 2:39:45 PM4/22/07
to
Googie schrieb:

TLS does not encrypt files.

Use one of the packages (wish protocol)
% package require des
1.0.0
% package require rc4
1.1.0
% package require blowfish
1.0.2

I have done it with rc4 - this code snippet might help;

set of [open $outfile w]
fconfigure $of -translation binary
rc4::rc4 -key $k -infile $f -out $of
close $of

--- Max

M. Strobel

unread,
Apr 22, 2007, 2:45:38 PM4/22/07
to
M. Strobel schrieb:

or even AES, it is the latest encryption standard.

Or have a look at GPG, it is perfect for this task, with key management
and user interface.

Max

M. Strobel

unread,
Apr 22, 2007, 3:05:56 PM4/22/07
to
M. Strobel schrieb:

(not talking to myself..) I should show the complete proc, it might be
confusing about files and handles...

You can use this to encode, and decode!

proc enc {f k} {
if {[file extension $f] == ".rc4"} {
set outfile [file rootname $f]
} else {
set outfile $f.rc4
}
# might test for outfile existence here...


set of [open $outfile w]
fconfigure $of -translation binary
rc4::rc4 -key $k -infile $f -out $of
close $of
}

----- Max

Googie

unread,
Apr 22, 2007, 3:14:51 PM4/22/07
to
M. Strobel wrote:

> or even AES, it is the latest encryption standard.
>
> Or have a look at GPG, it is perfect for this task, with key
> management and user interface.

Thank you Max for such a rich response!

AES/RC4/blowfish - they do not satisfy me, because I need asynchronous
algorithm.

GPG would fit, but it's external tool. I really need some Tcl
implemented asynchronous algorithm, or at least stubs-enabled Tcl
extension. I want to distribute it togather with the application in a
starkit.

Any hints? (I found pure-Tcl RSA on the wiki, but it's poor
implementation, not full).

--
Pozdrawiam (Regards)!
Googie

Googie

unread,
Apr 22, 2007, 3:27:17 PM4/22/07
to
Erik Leunissen wrote:

> The answer is: it can't be done. TLS needs another party with which
> it agrees on a session key for message encryption (the handshake). In
> the case of a regular file, there is no party to do the handshake
> with.

I wounder if such functionality (as I had expected) can be done at TLS
extension level, or must be done at OpenSSL level...

Anyway, thanks for response!

--
Pozdrawiam (Regards)!
Googie

M. Strobel

unread,
Apr 22, 2007, 4:39:20 PM4/22/07
to
Googie schrieb:

> M. Strobel wrote:
>
>> or even AES, it is the latest encryption standard.
>>
>> Or have a look at GPG, it is perfect for this task, with key
>> management and user interface.
>
> Thank you Max for such a rich response!
>
> AES/RC4/blowfish - they do not satisfy me, because I need asynchronous
> algorithm.

asymmetric

>
> GPG would fit, but it's external tool. I really need some Tcl
> implemented asynchronous algorithm, or at least stubs-enabled Tcl
> extension. I want to distribute it togather with the application in a
> starkit.
>
> Any hints? (I found pure-Tcl RSA on the wiki, but it's poor
> implementation, not full).
>

Okay, you want public key/private key encryption, I can't help you there.

By the way, do you know that most encryption applications use asymmetric
encryption only for the key of the symmectric cypher. So inside you have
3DES, AES, Blowfish, etc.

Max

Googie

unread,
Apr 22, 2007, 4:52:30 PM4/22/07
to
M. Strobel wrote:

> asymmetric

Right, I don't know where it (above) came from :)

> Okay, you want public key/private key encryption, I can't help you
> there.

Thanks anyway!

--
Pozdrawiam (Regards)!
Googie

0 new messages