xpra icon
Bug tracker and wiki

Changes between Version 4 and Version 5 of Encryption


Ignore:
Timestamp:
07/28/16 10:30:14 (4 years ago)
Author:
Antoine Martin
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • Encryption

    v4 v5  
    55{{{#!div class="box"
    66== Introduction ==
    7 Access to Xpra's sessions over TCP (see [/wiki/Network network connection]) can be protected using [/wiki/Authentication authentication modules] but those do not protect the network connection itself from man in the middle attacks. For that, you need encryption.
     7Access to Xpra's sessions over TCP and unix domain sockets (see [/wiki/Network network connection]) can be protected using [/wiki/Authentication authentication modules] but those do not protect the network connection itself from man in the middle attacks.
     8
     9For that, you need encryption. There are two options supported at present:
     10* SSL
     11* AES
     12}}}
     13
     14{{{#!div class="box"
     15== AES ==
     16Use this option if you can securely distribute the AES key to each client.
    817[[BR]]
    9 Xpra's encryption layer uses the [http://www.pycrypto.org/ pycrypto] library to:
     18Xpra's AES encryption layer uses either the [http://www.pycrypto.org/ pycrypto] or the [https://pypi.python.org/pypi/cryptography cryptography] python library to:
    1019* encrypt the network packets with [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES] (`Advanced Encryption Standard`) [http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29 CBC mode] (`Cipher-block chaining`)
    1120* stretch the "passwords" with [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] (`Password-Based Key Derivation Function 2`)
    1221The salts used are generated using Python's [http://docs.python.org/2/library/uuid.html#uuid.uuid4 uuid.uuid4()]
     22
     23
     24----
     25
     26
     27The encryption key to use must be specified with the "{{{--encryption-keyfile=FILENAME}}}" command line option or it will fallback to the password from the [/wiki/Authentication authentication module] in use, which may not be as safe.
     28
     29The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.
     30
     31----
     32
     33Example for TCP sockets:
     34* server
     35{{{
     36xpra start --start=xterm \
     37    --bind-tcp=0.0.0.0:10000 \
     38    --tcp-encryption=AES --tcp-encryption-keyfile=key.txt
     39}}}
     40* client:
     41{{{
     42xpra attach tcp:$SERVERIP:10000 \
     43    --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt
    1344}}}
    1445
     46
    1547{{{#!div class="box"
    16 == Setup ==
     48== SSL ==
    1749
    18 Prior to version 0.11, the encryption key used was derived directly from the "{{{--password-file=FILENAME}}}" command line option.
     50This option can more easily go through some firewalls and may be required by some network policies. Client certificates can also be used for authentication.
    1951
    20 Starting with version 0.11, one can specify the encryption key to use with the "{{{--encryption-keyfile=FILENAME}}}" command line option or fallback to the password from the [/wiki/Authentication authentication module] in use.
     52There are a lot more options to configure and certificates to deal with.
     53See [https://docs.python.org/2/library/ssl.html], on which this is based.
    2154
    22 The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.
     55It is only applicable to TCP sockets, not unix domain sockets.
     56Do not assume that you can just enable SSL to make your connection secure.
     57
     58For details, see #1252.
     59
     60----
     61
     62Example:
     63* server with TCP and SSL support:
     64{{{
     65xpra start --start=xterm \
     66    --bind-tcp=0.0.0.0:10000 --ssl-cert=./cert.pem --ssl=on
    2367}}}
     68or for SSL only:
     69{{{
     70xpra start --start=xterm \
     71    --bind-ssl=0.0.0.0:10000 --ssl-cert=./cert.pem
     72}}}
     73* client:
     74{{{
     75xpra attach ssl:127.0.0.1:10001
     76}}}
     77
     78If you are using temporary tests certificates and see this message: {{{[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)}}}, temporarily add {{{--ssl-server-verify-mode=none}}} to your client command line.
     79}}}