Secure TCP
219 views
Skip to first unread message
MartinG
Feb 3, 2016, 3:39:32 PM2/3/16
to golang-nuts
Hi,
(this is probably as much a crypto question as a golang question - apologies if this is considered slightly offtopic)
I'm looking for advice on how best to do authenticated encryption over a TCP connection.
The obviously default answer is to use TLS, but first I'd like to explain the scenario.
I require mutual authentication and no dependency on a certificate authority.
This will only be used to communicate between parties who have previously physically met, so exchanging public keys or similar in person is perfectly practical.
Still assuming TLS is the right answer, I think I need so use self signed certs, and exchange the certs in person, then configure TLS to use those certs somehow to validate at runtime.
I'm stuck on how to do that part. My problem is that TLS seems pretty hard to use in a less common scenario like mine, and I think it's likely I'd get this wrong without help.
I am tempted to build something simple using golang.org/x/crypto/nacl/box which would appear much simpler, but as I understand it that would lack various desirable features of TLS.
Does anyone (ideally with a decent crypto protocols background) have a suggestion, or can point me to an example?
Thanks.
--
Martin.
(this is probably as much a crypto question as a golang question - apologies if this is considered slightly offtopic)
I'm looking for advice on how best to do authenticated encryption over a TCP connection.
The obviously default answer is to use TLS, but first I'd like to explain the scenario.
I require mutual authentication and no dependency on a certificate authority.
This will only be used to communicate between parties who have previously physically met, so exchanging public keys or similar in person is perfectly practical.
Still assuming TLS is the right answer, I think I need so use self signed certs, and exchange the certs in person, then configure TLS to use those certs somehow to validate at runtime.
I'm stuck on how to do that part. My problem is that TLS seems pretty hard to use in a less common scenario like mine, and I think it's likely I'd get this wrong without help.
I am tempted to build something simple using golang.org/x/crypto/nacl/box which would appear much simpler, but as I understand it that would lack various desirable features of TLS.
Does anyone (ideally with a decent crypto protocols background) have a suggestion, or can point me to an example?
Thanks.
--
Martin.
Shawn Milochik
Feb 3, 2016, 3:44:16 PM2/3/16
to golang-nuts
This post has a lot of good info, and will walk you through more than you need to know. I was able to use it to write code demonstrating everything he showed in the article just using his sample code as a reference.
The reason I'm recommending this in your case (aside from it being a thorough and highly educational article) is that he shows how to actually create a root certificate and use it to sign other certificates. This satisfies your desire to have no dependency on any certificate authority.
This is all assuming that TLS is actually the solution you need, which I can't address with the information I have.
Andy Balholm
Feb 3, 2016, 4:44:01 PM2/3/16
to MartinG, golang-nuts
Another option would be to use the SSH protocol. Its authentication and encryption features sound like just what you need, but then you have the overhead of a protocol that supports multiple simultaneous data streams over one TCP connection.
Andy
Andy
MartinG
Feb 3, 2016, 4:44:12 PM2/3/16
to golang-nuts, Sh...@milochik.com
The reason I'm recommending this in your case (aside from it being a thorough and highly educational article) is that he shows how to actually create a root certificate and use it to sign other certificates. This satisfies your desire to have no dependency on any certificate authority.
Thanks for this. It's really informative. It does look though (if I am not mistaken) like I'd still need a certificate authority, but one of my own creation. So I guess the two parties would also have to share the CA too?
I'll have another, more thorough read tomorrow and try out some of the examples to see if it helps me.
Thanks again.
--
Martin.
Shawn Milochik
Feb 11, 2016, 1:33:02 PM2/11/16
to golang-nuts
Did you ever get anywhere with this? Yes, your understanding is correct about having to create your own CA to use certs as described in the blog post.
Reply all
Reply to author
Forward
0 new messages