Changes between Version 4 and Version 5 of Encryption
- Timestamp:
- 07/28/16 10:30:14 (6 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Encryption
v4 v5 5 5 {{{#!div class="box" 6 6 == Introduction == 7 Access to Xpra's sessions over TCP (see [/wiki/Network network connection]) can be protected using [/wiki/Authentication authentication modules] but those do not protect the network connection itself from man in the middle attacks. For that, you need encryption. 7 Access to Xpra's sessions over TCP and unix domain sockets (see [/wiki/Network network connection]) can be protected using [/wiki/Authentication authentication modules] but those do not protect the network connection itself from man in the middle attacks. 8 9 For that, you need encryption. There are two options supported at present: 10 * SSL 11 * AES 12 }}} 13 14 {{{#!div class="box" 15 == AES == 16 Use this option if you can securely distribute the AES key to each client. 8 17 [[BR]] 9 Xpra's encryption layer uses the [http://www.pycrypto.org/ pycrypto]library to:18 Xpra's AES encryption layer uses either the [http://www.pycrypto.org/ pycrypto] or the [https://pypi.python.org/pypi/cryptography cryptography] python library to: 10 19 * encrypt the network packets with [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES] (`Advanced Encryption Standard`) [http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29 CBC mode] (`Cipher-block chaining`) 11 20 * stretch the "passwords" with [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] (`Password-Based Key Derivation Function 2`) 12 21 The salts used are generated using Python's [http://docs.python.org/2/library/uuid.html#uuid.uuid4 uuid.uuid4()] 22 23 24 ---- 25 26 27 The encryption key to use must be specified with the "{{{--encryption-keyfile=FILENAME}}}" command line option or it will fallback to the password from the [/wiki/Authentication authentication module] in use, which may not be as safe. 28 29 The contents of this key are combined with salts to generate the secret used to initialize the AES cipher. 30 31 ---- 32 33 Example for TCP sockets: 34 * server 35 {{{ 36 xpra start --start=xterm \ 37 --bind-tcp=0.0.0.0:10000 \ 38 --tcp-encryption=AES --tcp-encryption-keyfile=key.txt 39 }}} 40 * client: 41 {{{ 42 xpra attach tcp:$SERVERIP:10000 \ 43 --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt 13 44 }}} 14 45 46 15 47 {{{#!div class="box" 16 == S etup==48 == SSL == 17 49 18 Prior to version 0.11, the encryption key used was derived directly from the "{{{--password-file=FILENAME}}}" command line option.50 This option can more easily go through some firewalls and may be required by some network policies. Client certificates can also be used for authentication. 19 51 20 Starting with version 0.11, one can specify the encryption key to use with the "{{{--encryption-keyfile=FILENAME}}}" command line option or fallback to the password from the [/wiki/Authentication authentication module] in use. 52 There are a lot more options to configure and certificates to deal with. 53 See [https://docs.python.org/2/library/ssl.html], on which this is based. 21 54 22 The contents of this key are combined with salts to generate the secret used to initialize the AES cipher. 55 It is only applicable to TCP sockets, not unix domain sockets. 56 Do not assume that you can just enable SSL to make your connection secure. 57 58 For details, see #1252. 59 60 ---- 61 62 Example: 63 * server with TCP and SSL support: 64 {{{ 65 xpra start --start=xterm \ 66 --bind-tcp=0.0.0.0:10000 --ssl-cert=./cert.pem --ssl=on 23 67 }}} 68 or for SSL only: 69 {{{ 70 xpra start --start=xterm \ 71 --bind-ssl=0.0.0.0:10000 --ssl-cert=./cert.pem 72 }}} 73 * client: 74 {{{ 75 xpra attach ssl:127.0.0.1:10001 76 }}} 77 78 If you are using temporary tests certificates and see this message: {{{[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)}}}, temporarily add {{{--ssl-server-verify-mode=none}}} to your client command line. 79 }}}