This repository has been archived by the owner on Jul 28, 2020. It is now read-only.
Encryption. #27
Comments
Hi Ben
Sorry for this delayed reply and thank you for your interest in this
project.
I left the encrypt/decrypt unimplemented because encryption alone can be a
quite deep topic, and I am no info security expert, and in this case it also
involves performance (it needs to be fast and save iPhone battery life), and
it should be rather independent (say, if you already have a good encrypt/decrypt
solution you can plug it into this demo project easily (I hope :)))
And the entry points to plug encrypt/decrypt in are here:
- Encrypt:
https://github.com/lxdcn/NEPacketTunnelVPNDemo/blob/master/NEPacketTunnelVPNDemoTunnel/PacketTunnelProvider.swift#L21
- This is the callback where we read packets from the device, right
before we write them into tun (L24)
- Decrypt:
https://github.com/lxdcn/NEPacketTunnelVPNDemo/blob/master/NEPacketTunnelVPNDemoTunnel/PacketTunnelProvider.swift#L41
- Conversely, this is the callback where we read from tun and write back to
the device
Of course on the server we have to do the same thing, so in a nutshell:
NE extension gathers data packs --> NE extension encrypts --> send to
server via tun --> server decrypts --> server redirects traffic via
iptables (as far as I remember) --> server receives response data -->
server encrypts --> server sends to iOS --> NE extension reads data packs
--> NE extension decrypts --> NE extension forwards to iOS (other apps)
Generally the encryption process takes a chunk of binary data and converts it
into another chunk of binary data (usually byte arrays in most programming
languages); also the input data may need to be padded to meet a length
requirement, and the output data length may be different. So in this case we
may need to consider data boundaries (use a separator to separate
encrypt/decrypt data units)
And also another key point is the key: usually symmetric encryption
requires both the encrypt part and the decrypt part to share the same key (in our case
the iOS end and the server end); this should happen during the connection
setup, based on existing authentication, to make them somehow share the same
piece of string. But if you just create a private app for self usage, you
can hard code the key I suppose :)
And also if what you are creating is not for self usage, which means you
might have multiple clients (iOS) connecting to the server simultaneously: as some
people have already complained in GitHub issues, the server doesn't support
multiple connections; this is due to the simplicity of the server code and my
laziness (no excuse, sorry). And also if your app blossoms and you have
tens of thousands of clients connecting to it, then handling them securely and
efficiently is another deep topic and beyond the several lines of C my
server demo shows.
The amount of work involved in implementing the whole suite above is enormous,
but like I said, the encrypt/decrypt part can be isolated; if you can find
a good existing solution, that should be better.
Cheers
…On Fri, 31 May 2019 at 09:51, Ben Mitchell ***@***.***> wrote:
Hi, this is by far my favourite protocol. I am currently using Shadowsocks
in my app OneProxy which I have on the App Store, however before that I was
using this protocol.
However, it has no encryption, thus I resorted to shadow socks.
I am wondering if you could make an update to this project and server and
add encryption.
I see in the files that you have actually mentioned encryption and that
you didn't have the time to do it.
If you still don't have the time maybe you could point me in the correct
direction.
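The two points the reply makes (framing the encrypt/decrypt units so the receiver can find packet boundaries, and both ends sharing one symmetric key) can be checked in a small reference, written here in Go as an added example that is not part of the project or the reply. It assumes a 32-byte key obtained during connection setup, uses a length prefix rather than a separator byte to delimit frames, and uses AES-256-GCM so a modified frame is rejected rather than decrypted into garbage; the Swift extension and the C server would implement the same frame layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
)
// newAEAD: AES-256-GCM from the 32-byte key both ends are assumed to share after connection setup.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealFrame: packet -> 2-byte big-endian length || nonce || ciphertext || tag; the length prefix, not a separator byte, marks the boundary (ciphertext may contain any byte value).
func sealFrame(aead cipher.AEAD, packet []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	body := aead.Seal(nonce, nonce, packet, nil) // appends ciphertext+tag after the nonce
	if len(body) > 0xffff {
		return nil, errors.New("packet too large for a 16-bit length prefix")
	}
	frame := make([]byte, 2+len(body))
	binary.BigEndian.PutUint16(frame, uint16(len(body)))
	copy(frame[2:], body)
	return frame, nil
}
// openFrame reads exactly one frame from a stream (TCP may split or coalesce frames; io.ReadFull copes with both) and returns the packet only if the GCM tag verifies.
func openFrame(aead cipher.AEAD, r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n, ns := int(binary.BigEndian.Uint16(hdr[:])), aead.NonceSize()
	if n < ns+aead.Overhead() {
		return nil, errors.New("frame too short to hold nonce and tag")
	}
	body := make([]byte, n) // allocation bounded at 64 KiB by the 16-bit length
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, err
	}
	return aead.Open(nil, body[:ns], body[ns:], nil)
}
```

Call sealFrame in the packet-read callback before writing to tun and openFrame on the bytes read back from tun; the same two functions run on the server side with the roles swapped.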
Hi, this is by far my favourite protocol. I am currently using Shadowsocks in my app OneProxy which I have on the App Store, however before that I was using this protocol.
However, it has no encryption, thus I resorted to shadow socks.
I am wondering if you could make an update to this project and server and add encryption.
I see in the files that you have actually mentioned encryption and that you didn't have the time to do it.
If you still don't have the time maybe you could point me in the correct direction.