astanley has asked for the wisdom of the Perl Monks concerning the following question:

Hey everyone, I've been working on a project for a while that consists of a client communicating with a server on another machine. Both the client and the server are using Blowfish encryption with CBC extensions to encrypt and decrypt the messages, however, I run into a problem every so often where the text sent at one end is not the same text received at the other end. I am attributing this to the fact that possibly the encrypted string contains a \n or some other sequence that makes perl stop reading the socket. To combat this I have added a verify function that uses much more overhead than I would like. When either side receives text, it sends the text back with a verify string attached and the other side either sends an "yes" response or resends the original command encrypted again. My question is is there an alternative to the verification procedure I am using as it really takes up extra time since the client and server are not on the same network. I can post more info if necessary. -Adam Stanley Nethosters, Inc.

Replies are listed 'Best First'.
Re: Network programming with encryption
by btrott (Parson) on Mar 03, 2001 at 07:58 UTC
    For verification use some sort of message verification algorithm, like a checksum or a signature. Check out String::CRC32 for an example of such an algorithm. Or Digest::MD5, if you'd prefer something like that.

    This is good practice no matter what, partly just so that you can ensure that there's no tampering with your messages.

    For the problem of not reading the socket correctly: how are you reading from the socket? You could try using sysread and syswrite. That's what I'm doing, and it works great.

    If you'd like an example of some of this, check out (shameless plug) the packet code in Net::SSH::Perl, my Perl implementation of an ssh client. SSH network packets are encrypted and contain message verification (in the form of checksums), so you might get some ideas there. The packet code is in Net::SSH::Perl::Packet.

[reply]
Re: Network programming with encryption
by rpc (Monk) on Mar 03, 2001 at 11:04 UTC
    With encryption it is important to remember you're dealing with binary data. Encrypted blocks should be sent independantly, blocksize bytes at a time, or encapsulated in a header which describes the packet being sent. If there's not enough data to fill an entire block, padding should be used. You should probably use sysread and syswrite for the lowlevel socket operations.

    If you're using a stateful network protocol like TCP, there shouldn't be any issues with receiving blocks of the stream out of order, which would mung CBC mode.

    An ideal protocol would not require verification of sent and received blocks. If you absolutely must, though, use Digest::MD5 or Digest::SHA1 hashes of the _encrypted blocks_, not plaintext.

[reply]
[d/l]
[select]
Re: Network programming with encryption
by kh (Initiate) on Mar 03, 2001 at 19:18 UTC
    hello; have you checked that your blowfish encryption/decryption are functioning correctly re: messages of different lengths? the reason i suggest this is that is is easy to use blowfish but different schemes have different methods of implementing the 'end block' problem; these can sometimes cause problems; at least they did when i implemented blowfish (:-)) to check if this is the case, just send a set of messages containing a consecutive range of bytes, and examine the results with od -c or something to ensure the implementor of blowfish has done his/her job properly. hoping this helps, kh.
[reply]

Back to Seekers of Perl Wisdom