On the wire encryption

Sai-Lai Lo S.Lo@orl.co.uk
Fri, 11 Jul 1997 15:04:21 +0100


>>>>> Emmanuel Saint-Loubert writes:

> I would like to implement on-the-wire encryption with OmniORB. Does
> anyone know if omniORB has filter-type capabilities (as in Orbix)?
> Namely where a filter (function) can be interposed before or after
> marshalling of the message.
> Or could anyone in the ORL team point me to the place where such
> capability could be added (by myself)?

omniORB does not have a mechanism to insert Orbix-style pre/post
marshalling filters. While it seems like a reasonable way to insert call
tracing, allowing the application to insert/remove application specific
data on the wire using this mechanism, IMHO, is an invitation to *violate*
the on-the-wire protocol.

I guess you are thinking of using the said filter to encrypt the marshalled
data before sending it onto the wire and to decrypt the data at the other
end before unmarshalling. This is not practical because omniORB does not
always hold the complete request/reply message in its marshalling
buffer. In fact, for a very large message, part of the message may have
been sent onto the wire while the rest is still being marshalled. I'm not
going into the details here but suffice to say the marshalling mechanism in
omniORB is geared towards efficient bulk data transfer and minimal
buffer space requirement.


It seems to me the best place to insert on-the-wire encryption is at the
socket level. The idea is to intercept the send() and recv() calls and
encrypt or decrypt the data. You can take a look at
src/lib/omniORB/tcpSocket_UNIX.cc and locate where send() and recv() are
called. The harder part is how you are going to exchange encryption keys
and to associate a key to a connection.


Regards,

Sai-Lai Lo

-- 
E-mail:         S.Lo@orl.co.uk          |       Olivetti & Oracle Research Lab
                                        |       24a Trumpington Street
Tel:            +44 223 343000          |       Cambridge CB2 1QA
Fax:            +44 223 313542          |       ENGLAND
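
The socket-level approach described in the message above, as an added example that is not part of the original post and is not omniORB code: a per-connection ChaCha20 keystream applied around send() and recv(), so a request flushed to the wire in pieces still decrypts in order at the other end. ConnCipher, conn_init, conn_xor, enc_send and dec_recv are hypothetical names; the key and nonce are assumed to have been agreed for the connection already, and the code gives confidentiality only, with no integrity check.

```cpp
// Added example, not omniORB code; every name below is hypothetical.
#include <cstdint>
#include <cstring>
#include <sys/socket.h>
struct ConnCipher {   // one per connection and per direction
  uint32_t st[16];    // ChaCha20 state: constants, key, block counter, nonce
  uint8_t ks[64];     // current keystream block
  size_t used;        // keystream bytes already consumed
};
static uint32_t rotl(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }
static uint32_t le32(const uint8_t* p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
#define QR(a, b, c, d) a += b; d = rotl(d ^ a, 16); c += d; b = rotl(b ^ c, 12); \
                       a += b; d = rotl(d ^ a, 8);  c += d; b = rotl(b ^ c, 7);
void conn_init(ConnCipher& c, const uint8_t key[32], const uint8_t nonce[12]) {
  static const uint32_t sigma[4] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
  memcpy(c.st, sigma, sizeof sigma);
  for (int i = 0; i < 8; i++) c.st[4 + i] = le32(key + 4 * i);
  for (int i = 0; i < 3; i++) c.st[13 + i] = le32(nonce + 4 * i);
  c.st[12] = 0; c.used = 64;  // counter 0; used == 64 forces a fresh block on first use
}
static void next_block(ConnCipher& c) {
  uint32_t x[16];
  memcpy(x, c.st, sizeof x);
  for (int i = 0; i < 10; i++) {  // 10 double rounds: columns, then diagonals
    QR(x[0], x[4], x[8], x[12]) QR(x[1], x[5], x[9], x[13]) QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15])
    QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12]) QR(x[2], x[7], x[8], x[13]) QR(x[3], x[4], x[9], x[14])
  }
  for (int i = 0; i < 64; i++) c.ks[i] = (uint8_t)((x[i / 4] + c.st[i / 4]) >> (8 * (i % 4)));
  c.st[12]++; c.used = 0;
}
void conn_xor(ConnCipher& c, uint8_t* buf, size_t n) {  // state persists across calls
  for (size_t i = 0; i < n; i++) {
    if (c.used == 64) next_block(c);
    buf[i] ^= c.ks[c.used++];
  }
}
ssize_t enc_send(int fd, ConnCipher& tx, uint8_t* buf, size_t n) {  // at the send() call site
  conn_xor(tx, buf, n);             // in place: buf now holds ciphertext
  for (size_t off = 0; off < n;) {  // every encrypted byte must go out, or the peer desynchronises
    ssize_t w = send(fd, buf + off, n - off, 0);
    if (w < 0) return -1;
    off += (size_t)w;
  }
  return (ssize_t)n;
}
ssize_t dec_recv(int fd, ConnCipher& rx, uint8_t* buf, size_t n) {  // at the recv() call site
  ssize_t r = recv(fd, buf, n, 0);
  if (r > 0) conn_xor(rx, buf, (size_t)r);  // decrypt only the bytes that arrived
  return r;
}
```

Each direction of a connection needs its own key or nonce, because two byte streams encrypted under the same keystream expose the XOR of their plaintexts.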