Thread: Add encryption Indy TIdTCPServer/Client




Boris Epel

Posts: 4
Registered: 9/27/02
Add encryption Indy TIdTCPServer/Client  
  Posted: Jan 7, 2017 8:39 AM
Hi!
I have software that uses TIdTCPServer/Client with a custom protocol (binary data). It is a standalone program with one server and 1-2 remote clients. There is no authorization procedure; packets have a few identification bytes to catch an illegal source. I need to secure the connection and encrypt the TCPIP traffic (customer requirement). This can be the simplest encryption based on a single key that the user inputs. No sensitive data.
I need help to find out the direction to go. Indy is so vast and I do not want to overdo the security. Indy and Builder XE7. Thanks!
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Add encryption Indy TIdTCPServer/Client  
  Posted: Jan 9, 2017 11:11 AM   in response to: Boris Epel
Boris wrote:

I need help to find out the direction to go. Indy is so vast and I
do not want to overdo the security. Indy and Builder XE7. Thanks!

The best way is to not invent a custom encryption scheme, but to use a standardized
encryption scheme, such as SSL/TLS.

Indy implements SSL/TLS in TCP by requiring you to assign SSLIOHandler components
to the TIdTCPClient.IOHandler and TIdTCPServer.IOHandler properties, respectively.
An SSLIOHandler's PassThrough property is True by default to allow unencrypted
data to be transmitted/received. When you are ready to turn on encryption,
you can set PassThrough to False to initiate the SSL/TLS handshake. Both
parties on a connection must initiate handshake handling at the same time
to complete the handshake. Afterwards, all data transmitted/received will
automatically be encrypted/decrypted by Indy for you.

On the client side, you can set PassThrough to False before calling Connect()
if you want to encrypt the entire connection, or you can set PassThrough
dynamically after first sending an unencrypted STARTTLS-style command to
the server to request switching to an encrypted state.

On the server side, each connected client will then receive an SSLIOHandler
assigned to its AContext.Connection.IOHandler property. You can type-cast
that object to TIdSSLIOHandlerSocketBase to access its PassThrough property
when needed. You can do that in the server's OnConnect event to encrypt
the entire connection, or dynamically in a STARTTLS-style command handler.

Indy includes TIdSSLIOHandlerSocketOpenSSL and TIdServerIOHandlerSSLOpenSSL
components for the OpenSSL library (this requires you to deploy two OpenSSL
DLLs with your app, unless they are already pre-installed in the OS). Or,
you can write your own custom SSLIOHandler components (there are only a few
virtual methods to override) for any encryption library you want to use (such
as Microsoft's Crypto/SChannel API). Or, you can use a 3rd party SSLIOHandler
implementation (such as the one included in Eldos Blackbox).

That being said, SSL/TLS is not the only option available. You can alternatively
assign TIdBlockCipherIntercept and TIdServerBlockCipherIntercept components
to the TIdTCPClient.Intercept and TIdTCPServer.Intercept properties, respectively.
On the server side, each connected client will then receive a TIdBlockCipherIntercept
assigned to its AContext.Connection.IOHandler.Intercept property. You can
type-cast that object to TIdBlockCipherIntercept when needed.

On both client and server, use TIdBlockCipherIntercept's OnSend and OnReceive
events to interface with any encryption library you want to use. There is
no handshake needed; encryption is handled on a per-send/receive basis, so
it is possible to encrypt the entire connection or just portions of it dynamically
(unlike SSL/TLS, which cannot be turned off once activated).

--
Remy Lebeau (TeamB)
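The SSL/TLS route described in the answer above, written out as an added example in Delphi (Indy's own language; not code from the thread or from the Indy project). It covers both variants Remy mentions: encrypting the whole connection by dropping PassThrough in the server's OnConnect and before the client's Connect(), and the STARTTLS-style upgrade where the client first asks in clear text. Assumed, and not part of the original post: the unit and class names, the 'STARTTLS'/'OK' command pair, and the placeholder certificate file names 'server.crt', 'server.key' and 'ca.crt'.

```delphi
// Added example, not from the thread. Assumes Indy 10 with its OpenSSL
// IOHandlers; certificate/key file names below are placeholders.
unit TlsDemo;

interface

uses
  SysUtils, IdGlobal, IdContext, IdTCPServer, IdTCPClient, IdSSL, IdSSLOpenSSL;

type
  TTlsServer = class
  private
    FServer: TIdTCPServer;
    FTls: TIdServerIOHandlerSSLOpenSSL;
    procedure HandleConnect(AContext: TIdContext);
    procedure HandleExecute(AContext: TIdContext);
  public
    constructor Create(APort: Word; AEncryptWholeConnection: Boolean);
    destructor Destroy; override;
  end;

function ClientRequest(const AHost: string; APort: Word;
  AEncryptWholeConnection: Boolean; const AMsg: string): string;

implementation

constructor TTlsServer.Create(APort: Word; AEncryptWholeConnection: Boolean);
begin
  FServer := TIdTCPServer.Create(nil);
  FTls := TIdServerIOHandlerSSLOpenSSL.Create(FServer);
  FTls.SSLOptions.Mode := sslmServer;
  FTls.SSLOptions.Method := sslvTLSv1_2;      // do not rely on the SSLv2/v3 default
  FTls.SSLOptions.CertFile := 'server.crt';   // placeholder path
  FTls.SSLOptions.KeyFile := 'server.key';    // placeholder path
  FServer.IOHandler := FTls;
  FServer.DefaultPort := APort;
  if AEncryptWholeConnection then
    FServer.OnConnect := HandleConnect;       // handshake before any app data
  FServer.OnExecute := HandleExecute;
  FServer.Active := True;
end;

destructor TTlsServer.Destroy;
begin
  FServer.Active := False;
  FServer.Free;                               // also frees FTls (owned)
  inherited;
end;

procedure TTlsServer.HandleConnect(AContext: TIdContext);
begin
  // Each accepted client gets its own SSLIOHandler; cast to the base class
  // and clear PassThrough so the handshake starts immediately.
  TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough := False;
end;

procedure TTlsServer.HandleExecute(AContext: TIdContext);
var
  Line: string;
begin
  Line := AContext.Connection.IOHandler.ReadLn;
  if Line = 'STARTTLS' then
  begin
    // Acknowledge in clear text first; the client flips its own PassThrough
    // after reading this reply, so both sides handshake at the same time.
    AContext.Connection.IOHandler.WriteLn('OK');
    TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough := False;
  end
  else
    AContext.Connection.IOHandler.WriteLn('ECHO ' + Line);
end;

function ClientRequest(const AHost: string; APort: Word;
  AEncryptWholeConnection: Boolean; const AMsg: string): string;
var
  Client: TIdTCPClient;
  Tls: TIdSSLIOHandlerSocketOpenSSL;
begin
  Client := TIdTCPClient.Create(nil);
  try
    Tls := TIdSSLIOHandlerSocketOpenSSL.Create(Client);
    Tls.SSLOptions.Mode := sslmClient;
    Tls.SSLOptions.Method := sslvTLSv1_2;
    Tls.SSLOptions.RootCertFile := 'ca.crt';   // placeholder: CA the client trusts
    Tls.SSLOptions.VerifyMode := [sslvrfPeer]; // fail the handshake on an unverified server
    Tls.SSLOptions.VerifyDepth := 2;
    Client.IOHandler := Tls;
    // Whole-connection mode: PassThrough is already False, so Connect() handshakes.
    Tls.PassThrough := not AEncryptWholeConnection;
    Client.Connect(AHost, APort);
    if not AEncryptWholeConnection then
    begin
      // STARTTLS-style upgrade: request in clear text, wait for the ack, then switch.
      Client.IOHandler.WriteLn('STARTTLS');
      if Client.IOHandler.ReadLn <> 'OK' then
        raise Exception.Create('server refused TLS upgrade');
      Tls.PassThrough := False;
    end;
    Client.IOHandler.WriteLn(AMsg);            // encrypted from here on
    Result := Client.IOHandler.ReadLn;
    Client.Disconnect;
  finally
    Client.Free;
  end;
end;

end.
```

Two things worth checking before relying on this in the original poster's binary protocol: the ReadLn/WriteLn calls are only there to keep the STARTTLS exchange readable, and would be replaced by the existing framing; and the order of the two PassThrough flips matters, because whichever side clears PassThrough while the other is still sending clear text will see the handshake fail rather than the unencrypted bytes.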