Doing data exchange in plain text is very convenient and easy to implement but what can you do to prevent eavesdropping, tampering, and message forgery of the data you send back and forth? Here's where secure communication comes into play. At present the most common secure communication method is using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). In web context you can see secure data exchange in action when browsing web-sites with HTTPS prefix
In .NET framework secure communications can be done with SslStream class. It can use both TLS and SSL protocols.
TLS and SSL for authentication process use public key infrastructure or PKI. It requires certificates.
Here's nice explanation how to create certificate using makecert utility
After reading and doing what was said in the above mentioned blogpost we should end up with 2 installed certificates. They're depicted on the picture below.
The certificate we'll use will be "vadmyst-enc".
SslStream gives you the look and feel of a common .NET stream.
So, what are the basic steps to start secure communication with SslStream?
Very often the communication happens between server (e.g web server) and client (e.g. browser).
Here are the steps for the server side:
- Start listening on specific address and port
- When connection is accepted wrap obtained NetworkStream with SslStream
- Call SslStream::AuthenticateAsServer
- Start doing I/O (in our case that's basic echo server
In code it looks like this:
TcpListener listener = new TcpListener(ipEndpoint);serverCertificate is obtained from certificate storage on the local machine:
listener.Start(5);
TcpClient tcpClient = listener.AcceptTcpClient();
SslStream secureStream = new SslStream(tcpClient.GetStream(), false);
secureStream.AuthenticateAsServer(serverCertificate);
//use anonymous delegate for simplicity
ThreadPool.QueueUserWorkItem(new WaitCallback(delegate(object unused)
{
//simple echo server
byte[] tempBuffer = new byte[1024];
int read = 0;
try
{
while ((read = secureStream.Read(tempBuffer, 0, tempBuffer.Length)) > 0)
{
secureStream.Write(tempBuffer, 0, read);
}
}
finally
{
secureStream.Close();
}
}), null);
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);In this post I'll will not cover usage of client certificates to perform client authentication for the simplicity's sake. Client will only authenticate server.
store.Open(OpenFlags.ReadOnly);
X509Certificate serverCertificate = null;
for (int i = 0; i < store.Certificates.Count; i++)
{
serverCertificate = store.Certificates[i];
if (serverCertificate.Subject.Contains("vadmyst-enc"))
break;
}
store.Close();
The steps required by the client:
- Open TCP connection to the remote server
- Wrap obtained NetworkStream with SslStream instance
- Call SslStream::AuthenticateAsClient
- Begin do the I/O
Source code below demonstrates basic TCP client that transfers data in a secure way.
TcpClient client = new TcpClient();
client.Connect(endPoint);
SslStream sslStream = new SslStream(client.GetStream(), false);
sslStream.AuthenticateAsClient("vadmyst-enc");
byte[] plaintext = new byte[5*1024 + 35];
byte[] validation = new byte[plaintext.Length];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetNonZeroBytes(plaintext);
sslStream.Write(plaintext);
sslStream.Flush();
int read = 0;
int totalRead = 0;
while( (read = sslStream.Read(validation, totalRead,
validation.Length - totalRead)) > 0)
{
totalRead += read;
if (totalRead == plaintext.Length)
break; //we've received all sent data
}
//check received data
for(int i=0; i < plaintext.Length; i++)
{
if ( validation[i] != plaintext[i] )
throw new InvalidDataException("Data is not the same");
}
sslStream.Close();
SslStream appeared in .NET framework on version 2.0. As you can see doing secure communications with it is very easy. However, there are number of situations that require additional coding: client authentication using client certificates, using other algorithms when doing secure I/O. I will cover these advanced topics on the next posts. Stay tuned!