Quinn Slack

From Quora: Will Linux incorporate tcpcrypt?

sqs — Fri, 03 Jun 2011 16:03:09 +0000

Someone on Quora just asked: “Will Linux incorporate tcpcrypt?”. I posted a response over there:

I have been working on and off with tcpcrypt for about a year. I believe that if someone puts in the time to polish the Linux kernel implementation, it’d be a likely candidate for inclusion. Andrea Bittau (the lead tcpcrypt guy) told me he would like to work on the kernel implementation himself sometime in the future. Andrea, Mark Handley, and David Mazieres are also working on the Internet Draft.

For now, the userspace implementation works well (and supports Linux, Mac OS X, FreeBSD, and Windows). It has a library so that endpoints can see the tcpcrypt session ID (to perform their own authentication), at https://github.com/sorbo/tcpcrypt/blob/master/user/include/tcpcrypt/tcpcrypt.h, and I made an Apache module that passes the session ID to Web apps, at https://github.com/sqs/mod_tcpcrypt.

On the advantages of tcpcrypt over TLS:

If your system runs tcpcryptd, then existing applications will use tcpcrypt. If the destination host doesn’t support tcpcrypt, then the channel falls back to normal TCP with no communication round-trip overhead. If both sides support tcpcrypt, then the applications get encryption for free (no code changes and minimal overhead). Of course, this only protects against passive attackers; to protect against active attacks, the apps would have to be modified to authenticate using the tcpcrypt session ID. Still, it’s better than cleartext. This, I think, is the key benefit tcpcrypt has over TLS: it makes encrypted-by-default really simple to bring about.

See also the tcpcrypt Internet-Draft and the tcpcrypt Wikipedia page.

What I’ve finished reading, Jan-May 2011

sqs — Mon, 30 May 2011 03:47:17 +0000

The Devil in the White City by Erik Larson
The Myth of the Rational Voter: Why Democracies Choose Bad Policies by Bryan Caplan
The Great Stagnation: How America Ate All The Low-Hanging Fruit of Modern History, Got Sick, and Will (Eventually) Feel Better by Tyler Cowen
Ayn Rand and the World She Made by Anne Heller
In The Plex by Stephen Levy (about Google)
The Immortal Life of Henrietta Lacks by Rebecca Skloot
The Greatest Trade Ever: The Behind-the-Scenes Story of How John Paulson Defied Wall Street and Made Financial History by Gregory Zuckerman
“The Use of Knowledge in Society” by F. A. Hayek
The Machinery of Freedom: Guide to a Radical Capitalism by David Friedman (son of Milton Friedman)

I enjoyed all of them–or else I wouldn’t have finished reading them.

Reading “Sum: Forty Tales from the Afterlives” by David Eagleman

sqs — Mon, 30 May 2011 03:32:23 +0000

Just started reading Sum: Forty Tales from the Afterlives by David Eagleman. I heard about the book from an interesting New Yorker profile of him.

I’ll update this post when (or if) I finish reading the book.

Update (May 31): Just finished reading it. Very thought-provoking. My favorite was the one where people wait in the afterlife until the last utterance of their name.

Python 3.3 patch for TLS-SRP support

sqs — Wed, 27 Apr 2011 22:35:34 +0000

I just posted a patch for Python 3.3 to add TLS-SRP support (Issue #11943). This patch adds support for TLS-SRP (RFC 5054) to Python ssl.SSLSocket, _ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually authenticated SSL channel using only a username and password (a certificate may also be used to supplement authentication). Two Python-specific use cases for TLS-SRP are calling HTTP APIs that require auth, and writing test suites in Python for networked software (e.g., how Chromium uses TLSLite for network testing). More info at http://trustedhttp.org/wiki/TLS-SRP_in_Python.

TLS-SRP patch for Apache 2 mod_ssl

sqs — Sun, 17 Apr 2011 21:53:09 +0000

I just posted a patch for TLS-SRP support in Apache 2 mod_ssl on the wiki and as ASF Bugzilla #51075.

Updated Steffen Schulz’s NSS patch for TLS-SRP support

sqs — Sat, 16 Apr 2011 21:44:10 +0000

I updated Steffen Schulz’s NSS patch for TLS-SRP support and posted it to Bugzilla #405155. NSS (Network Security Services) is a Mozilla library that provides SSL and crypto routines to Firefox, Chrome, and lots of other apps.

I modified Steffen Schulz’s patch to:

use the same format for the SRP passwd and group param file as libsrp, so
that the standard srptool (provided by libsrp or GnuTLS) can be used. This
means that srputil (which duplicated srptool’s functionality) is no longer
necessary to include in this patch. (This means either libsrp or GnuTLS are
required to generate SRP passwd files. Is this OK, or does NSS need to be fully
self-contained? For the test suite, I have included pre-generated SRP passwd
files.)
implement TLS-SRP in selfserv instead of SSLsample.
include TLS-SRP tests. (These currently fail because of a memory leak;
ignoring that, they pass.)
apply cleanly against nss-3.12.9.

See “TLS-SRP in NSS” on the wiki for more usage instructions, but here’s a quick example:

tstclnt usage:
tstclnt -l jsmith -k abc -h tls-srp.test.trustedhttp.org -d /tmp/certs/ -c
:C01D -o -3 -2
# then GET /

selfserv usage:
cd $NSS/mozilla/security/nss/tests
selfserv -n localhost -p 4443 -v -H ssl/tpasswd.conf -K ssl/tpasswd -d
/tmp/certs/
tstclnt -p 4443 -h localhost -f -d /tmp/certs -v -l TestUser -k nss -2 -c :C01D

This patch still needs a lot more work before it’s ready for serious review, but I wanted to get some feedback on it now.

TLS-SRP in Chrome announcement

sqs — Thu, 07 Apr 2011 17:39:27 +0000

I just posted an in-progress patch that adds TLS-SRP support to Chrome over at the Chromium code review site. I also posted a Chromium-discuss message announcing my progress.

To install it yourself, see the TLS-SRP in Chrome wiki page.

Chrome TLS-SRP login (preliminary)

Chrome TLS-SRP Web page

Patch: RFC 5054-compliant TLS-SRP support for TLS Lite

sqs — Mon, 04 Apr 2011 20:48:59 +0000

I submitted a patch to TLS Lite that updates its TLS-SRP support to comply with RFC 5054. Read the email message to tlslite-users or download the the patch (tlslite+tls-srp-rfc5054.patch). I’ve also applied this patch to my tlslite git repository.

TLS-SRP patch (probably) accepted into OpenSSL 1.0.1

sqs — Fri, 25 Mar 2011 20:00:10 +0000

Looks like TLS-SRP will be in OpenSSL 1.0.1. Tom Wu’s patch at http://cvs.openssl.org/chngview?cn=20484 was finally accepted.

(HT: Tom Wu and Daniel Stenberg)

cURL 7.21.4 released, with TLS-SRP support

sqs — Fri, 18 Feb 2011 09:41:52 +0000

cURL 7.21.4 was just released, with support for TLS-SRP. I submitted the patch for this feature (based on a previous patch by Peter Sylvester).

If you are using, or are interested in using, TLS-SRP on the Web, I’d love to hear from you. I also have instructions on setting up a TLS-SRP Web server, and Firefox and NSS with TLS-SRP support (based on patches from Steffen Schulz and John Engler).