Hi everyone,

I'm trying to gently introduce my development team to Go. Here are the
requirements for my first project to help prove Go has what it takes:

1. Process #1 on Host A must establish a socket connection with Process #2
on Host B. These are daemon processes which will then push data freely in
both directions simultaneously.

2. The communication must be encrypted in both directions since the data
will be traversing the Internet.

3. Process #1 must be sure it's talking to Process #2 and only Process #2.

4. Process #2 must be sure it's talking to Process #1 and only Process #1.

5. If anyone tries to meddle with data in transit, the connection should be
terminated.

I'm new to encryption and security, but I know just enough to know that I
shouldn't try to create my own solution.

I've been pointed in some interesting directions, but I'm starting to get
the impression one must tackle 3-4 thick books on the subject, and spend
weeks or months writing test programs and getting familiar with things,
before even knowing where to start on a project like this. (And here I
naively thought this kind of thing would be so common that I could
trivially find a 10 step guide. Nope!)

Public keys, private keys, ciphers, encryption algorithms, certificates,
certificate chains, SSL, TLS, block encryption, stream encryption, trust,
DSA, RSA, pem files... yikes! All I want is a secure channel of
communication! (Well, just a bit more than that, as outlined above.) I feel
a bit like a programmer that just needs to sort a list but has to read the
entire history of sorting algorithms first. It seems like this stuff should
all be in the domain of experts and there should be some kind of nearly
idiot proof CreateSecureConnection() function somewhere instead, with clear
instructions on what exactly to feed it.

From the research I've done already, I think something called TLS has all
the features necessary to meet the requirements above, but getting
everything set up and configured correctly is a little daunting. Can anyone
give me a basic outline to get me started? I don't mind digging into the
details myself... I just want to make sure I have all my bases covered,
since confidential data will be transported between these processes. And of
course, I'm trying to get this up and running quickly to prove Go is
awesome.

Thanks in advance for any guidance anyone can give!

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


  • Kyle Lemons at Oct 31, 2013 at 12:18 am
    It's all there in the stdlib and the go.crypto
    (http://godoc.org/code.google.com/p/go.crypto) subrepos.

    The two easiest ways are probably to use SSL (streaming) or OpenPGP/NaCL
    (message passing). In both cases you'll need to generate keys for both
    sides. In the SSL case you may also want to generate your own CA cert that
    you use to sign all of the keys.

    For SSL (each of these should be doable with the openssl commandline, lots
    of howtos on google)

    1. Generate a CA certificate and a ca config
    2. Generate a certificate and key for each server (generate a request for
    each certificate and sign them in turn with the CA)
    3. Transfer the certificates, keys, and CA certificate to the servers

    Then, for your servers, you

    1. Use http://godoc.org/crypto/tls#LoadX509KeyPair to load the cert and key
    2. Make a tls.Config with the certificate
       If you followed above, you can also load the CA certificate and add it to
       the root chain and turn on client cert verification.
    3. Use tls.Listen and tls.Dial to make the connection

    This is all off the top of my head but I think that should cover it.

    On Wed, Oct 30, 2013 at 3:12 PM, xtalk1 wrote:

  • Dave Cheney at Oct 31, 2013 at 12:28 am
    http://gokyle.org/book/

    On 30 Oct 2013, at 15:12, xtalk1 wrote:

  • Wkharold at Oct 31, 2013 at 2:51 pm
    This is not a bad place to
    start: http://tiebing.blogspot.com/2013/06/golang-ssl-server-and-client-example.html

  • Taharqa at Nov 1, 2013 at 8:36 am
    For a bidirectional secure communication dialog between two remote processes
    you can also look at secure websockets. Have a look at this link:

    http://andrewwdeane.blogspot.fr/2013/01/gobing-down-secure-websockets.html

    On Wednesday, October 30, 2013 at 23:12:23 UTC+1, xtalk1 wrote:
  • Xtalk1 at Nov 1, 2013 at 8:12 pm
    Thank you to all the people that replied. I think I need to:

        1. Understand what a CA cert is.
        2. Understand *why* I need a CA cert (I thought a CA cert was a third
        party thing, and I don't want any third parties involved -- so clearly, I
        have a misunderstanding here).
        3. How to generate a CA cert.
        4. Understand what a CA config is.
        5. Understand *why* I need a CA config.
        6. How to setup the CA config.
        7. How to generate a cert and keys for each server (this part appears
        easy).
        8. Once a cert and keys are generated for each server, understand what
        exactly are in the files that are generated.
        9. Once I figure out what exactly is in the files generated, I should
        know which file(s) to move from server A to server B, and which to move
        from server B to server A.

    I guess I better tackle all this before even looking into coding. It looks
    like there's plenty of work ahead.

    Thanks!

  • Kyle Lemons at Nov 2, 2013 at 1:11 am

    On Fri, Nov 1, 2013 at 1:12 PM, xtalk1 wrote:

    Thank you to all the people that replied. I think I need to:

    1. Understand what a CA cert is.

    A CA is a Certificate Authority. It's an entity that you trust to say
    "This certificate is valid." This is essentially accomplished by them
    signing a blob of data containing the public key and some other metadata
    with their private key and publishing their public key so others can
    validate it.
    2. Understand *why* I need a CA cert (I thought a CA cert was a third
    party thing, and I don't want any third parties involved -- so clearly, I
    have a misunderstanding here).

    In this case, you are your CA, because you only care about keys that you
    produce. Using a third-party CA is useful when you want other people to
    trust the certificates. The CA has to be a part of the "trusted" list in
    order for a certificate signed by it to be trusted, and there are a
    reasonably small number of these that are widely trusted by e.g. browsers.
    3. How to generate a CA cert.

    You can hack this all up in go, but the easiest thing to do is probably to
    use the openssl commandline.

    openssl ca: http://www.openssl.org/docs/apps/ca.html
    4. Understand what a CA config is.

    See docs above; you can mostly use the defaults (your openssl distribution
    has a default file you can copy).
    5. Understand *why* I need a CA config.

    It's where the `openssl ca` command picks out what things it applies to
    its signatures. If you're signing certificates that can be used as client
    certs, for example, you can enable this here.
    6. How to set up the CA config.

    Copy from default, read through it, making changes, and consulting the
    docs above :).
    7. How to generate a cert and keys for each server (this part appears
    easy).

    Technically you make a certificate request and then you run that through
    the openssl magic to get a certificate, but yeah, there are lots of
    examples of these commands floating around.
    8. Once a cert and keys are generated for each server, understand what
    exactly are in the files that are generated.

    The files you need:
    whatever.cert -> this is the certificate, which is the signed version of
    [who you are | your key's fingerprint] or something roughly of that shape.
    I think the openssl commandline spits it out as 0123.cert where 0123 is
    the serial number of the certificate.
    whatever.key -> this is the private key you can use with the certificate.
    your.ca.cert -> you'll need this to add to your allowed roots.
    9. Once I figure out what exactly is in the files generated, I should
    know which file(s) to move from server A to server B, and which to move
    from server B to server A.

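    Kyle's outline above and his answers on the CA and the certificate files, worked
    through as an added example that is not from the thread or from the Go project: a
    private CA signs one certificate per process, each side loads that CA as its only
    trusted root, the server requires and verifies a client certificate, and tls.Listen
    and tls.Dial carry the connection (the TLS record layer covers requirement 5, since
    a tampered record fails authentication and tears the connection down). To stay
    self-contained it issues the certificates in-process with crypto/x509 instead of the
    openssl commands Kyle describes, which would produce files of the same kind to load
    with LoadX509KeyPair; the names private-ca, process1.internal and
    process2.internal, the loopback address and the `must` helper are constructed for
    this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only: stop at the first error instead of handling it
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes an Ed25519 key and certificate for host: a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(host string, parent *tls.Certificate) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // no issuer given: this is the self-signed root of the private PKI
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, key.Public(), parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// demo runs Process #2 on loopback and connects Process #1 to it; both trust only the private CA. It returns the name each side verified for its peer.
func demo() (serverSaw, clientSaw string) {
	ca := issue("private-ca", nil)
	roots := x509.NewCertPool() // the one root both sides trust (the thread's "your.ca.cert")
	roots.AddCert(ca.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ // requirement 4: demand a client cert
		Certificates: []tls.Certificate{issue("process2.internal", &ca)}, ClientCAs: roots, // and verify it against our CA
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12,
	}))
	go func() { // Process #2: after a verified handshake, tell Process #1 whom it authenticated
		c := must(ln.Accept()).(*tls.Conn)
		defer c.Close()
		if c.Handshake() == nil { // fails, and nothing is sent, when the client cert does not chain to the CA
			c.Write([]byte(c.ConnectionState().PeerCertificates[0].DNSNames[0]))
		}
	}()
	conn := must(tls.Dial("tcp", ln.Addr().String(), &tls.Config{ // requirement 3: trust only our CA
		Certificates: []tls.Certificate{issue("process1.internal", &ca)}, RootCAs: roots, // and only the name issued to Process #2
		ServerName: "process2.internal", MinVersion: tls.VersionTLS12,
	}))
	defer conn.Close()
	buf := make([]byte, 64) // under TLS 1.3 a rejected client cert surfaces here, not in Dial
	n := must(conn.Read(buf))
	return string(buf[:n]), conn.ConnectionState().PeerCertificates[0].DNSNames[0]
}
```

    Called from a main or a test, demo() returns process1.internal and process2.internal, the names each side verified for its peer; a client certificate that does not chain to the CA fails the server's handshake, so nothing is sent back and the client's Read fails with the TLS alert instead.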
  • Xtalk1 at Nov 4, 2013 at 6:51 pm
    Thank you for the detailed answer, Kyle.

    Unfortunately, we decided to go with Java for now, because we were able to
    find detailed documentation for precisely this scenario here:

    http://www.ibm.com/developerworks/library/j-customssl/index.html

    And here:

    http://www.ibm.com/developerworks/library/j-customssl/sidebar.html

    In other words, this *doesn't* mean Java is a better choice than Go in
    terms of language syntax and libraries. Java was chosen strictly because we
    were able to find detailed Java-centric documentation for this scenario
    easily, and I wasn't able to justify the extra time to research the
    analogous solution for Go.

    I'll probably work on this in my spare time, though. Thanks again for all
    the help.


Discussion Overview
group: golang-nuts
categories: go
posted: Oct 30, '13 at 10:12p
active: Nov 4, '13 at 6:51p
posts: 8
users: 5
website: golang.org
