Security Layer to make sure proto objects are not tampered when transferred over https
Prakash Rao
my proto objects to https output stream? In java we have sealed
objects and we can have signature attached to it to make sure objects
are not tampered on the receiving end. Is there something similar in
protocol buffer as well?
I’m just trying understand what all different options that protocol
buffer provides as far security is concerned when compared to web
services to make sure data is not tampered. Web services comes with
good security models (such XML signature, SAML) to make sure data is
not tampered.
Regards,
Prakash
Marc Gravell
Regards,
Marc
Henner Zeller
Protocol buffers do the encoding. They expliclitly don't add
additional features that belong to the conceptual level of the
transport channel. Do one thing and do it right.
You can have this as simple as adding a HMAC to your message or use
channels that already provide that (like an SSL channel with the
appropriate options turned on). It would be just a confusing mess if
each encoding scheme for data would add yet another implementation of
what is already there (From your quote, apparently XML/SAML adds to
that mess, but it doesn't mean that it is smart to do).
It is sad that many designers of protocols mix up these layers.
-h
>
> Regards,
> Prakash
>
> --
> You received this message because you are subscribed to the Google Groups "Protocol Buffers" group.
> To post to this group, send email to prot...@googlegroups.com.
> To unsubscribe from this group, send email to protobuf+u...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/protobuf?hl=en.
>
>
Marc-André Laverdière
If you want security features on top of it, you can either add it to
your messages, or you can use a secure network layer that does the
work for you. Its your call.
Personally, I'm against reinventing the wheel, so I use protobuf over
TLSv1 with a good set of cipher suites configured :)
Marc-André LAVERDIÈRE
"Perseverance must finish its work so that you may be mature and
complete, not lacking anything." -James 1:4
mlaverd.theunixplace.com/blog
/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \
2010/7/21 Prakash Rao <prakash...@gmail.com>:
Prakash Rao
I was just going through various protocol buffer discussion forum
topics and found the below one which talks about putting a signature
in proto object and do a validation before processing the payload. I
believe this is what you guys are referring to when you say "add HMAC
to your proto messages". Yes, this is something simple that can be
tried out.
http://groups.google.com/group/protobuf/browse_thread/thread/a3a2742bffe3a8e5
We have SSL for our http communication and we allow communication from
client only if server certificate is imported in the client keystore.
I'm just curious to find out best possible ways to avoid my proto
object data tampering (in case of man in the middle of attack)
especially when server is in public domain (internet).
Regards,
Prakash
On Jul 22, 9:36 am, Marc-André Laverdière
> Protobuf allows you to build your conceptual protocol the way you want it.
> If you want security features on top of it, you can either add it to
> your messages, or you can use a secure network layer that does the
> work for you. Its your call.
> Personally, I'm against reinventing the wheel, so I use protobuf over
> TLSv1 with a good set of cipher suites configured :)
>
> Marc-André LAVERDIÈRE
> "Perseverance must finish its work so that you may be mature and
> complete, not lacking anything." -James 1:4
> mlaverd.theunixplace.com/blog
>
> /"\
> \ / ASCII Ribbon Campaign
> X against HTML e-mail
> / \
>
>
>
> > Is there a way to add security layer to protocol buffer if I'm writing
> > my proto objects to https output stream? In java we have sealed
> > objects and we can have signature attached to it to make sure objects
> > are not tampered on the receiving end. Is there something similar in
> > protocol buffer as well?
>
> > I’m just trying understand what all different options that protocol
> > buffer provides as far security is concerned when compared to web
> > services to make sure data is not tampered. Web services comes with
> > good security models (such XML signature, SAML) to make sure data is
> > not tampered.
>
> > Regards,
> > Prakash
>
> > --
> > You received this message because you are subscribed to the Google Groups "Protocol Buffers" group.
> > To post to this group, send email to prot...@googlegroups.com.
> > To unsubscribe from this group, send email to protobuf+u...@googlegroups.com.
>
> - Show quoted text -
Marc-André Laverdière
than to roll your own.
Marc-André LAVERDIÈRE
"Perseverance must finish its work so that you may be mature and
complete, not lacking anything." -James 1:4
mlaverd.theunixplace.com/blog
/"\
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \
2010/7/22 Prakash Rao <prakash...@gmail.com>:
Prakash Rao
Yes, TLS with good set of cihper suites should help.
Regards,
Prakash
On Jul 22, 10:22 pm, Marc-André Laverdière
> It looks like TLS with a trust store would be the way to go. Better
> than to roll your own.
>
> Marc-André LAVERDIÈRE
> "Perseverance must finish its work so that you may be mature and
> complete, not lacking anything." -James 1:4
> mlaverd.theunixplace.com/blog
>
> /"\
> \ / ASCII Ribbon Campaign
> X against HTML e-mail
> / \
>
>
>
> > Thanks for the response...
>
> > I was just going through various protocol buffer discussion forum
> > topics and found the below one which talks about putting a signature
> > in proto object and do a validation before processing the payload. I
> > believe this is what you guys are referring to when you say "add HMAC
> > to your proto messages". Yes, this is something simple that can be
> > tried out.
>