0

I am trying to implement secure communication between a server and client in c++. The limitation is that both the client and server must run on windows and have to be in c++. This is for a research project I am working on at my university.

So far I have found that SChannel is the best option, but the documentation is extremely confusing and I can not find any guides/tutorials on how to use it. I have already looked at this link https://learn.microsoft.com/en-us/windows/desktop/secauthn/creating-a-secure-connection-using-schannel but still do not understand how to get it working. Could someone guide me through this if this is the best way?

I also looked into use SSLStream using the CLR to have .net run inside of a c++ application. However I can not use this because the client application is threaded and threads can't be used with CLR.

I already have a dummy client and server set up with communication between the two, I am just trying to secure and encrypt that communication.

Any help is greatly appreciated!

mplouque
  • 17
  • 2
  • 9
  • The subject is too broad for SO format. Possibly even opinion based. – Ron Jul 13 '18 at 15:54
  • If you are targeting Windows 10, you can use [Windows.Networking.Sockets](https://learn.microsoft.com/en-us/windows/uwp/networking/sockets). Use [C++/WinRT](https://aka.ms/cppwinrt) to access classes in this namespace from a C++ application. – IInspectable Jul 13 '18 at 15:54
  • What exactly is the question when it comes to SChannel? To say the documentation is confusing doesn't really say anything. – SoronelHaetir Jul 13 '18 at 16:01
  • The main question I have with schannel is just how to use it in general? I have no idea how to implement it. – mplouque Jul 13 '18 at 16:07
  • Well look up "schannel example"... Or better yet use a portable solution like [openssl](https://wiki.openssl.org/index.php/Simple_TLS_Server) – rustyx Jul 13 '18 at 16:34
  • 2
    @mplouque MSDN has examples of using SChannel, did you look at them? What exactly is confusing about it? – Remy Lebeau Jul 13 '18 at 17:07
  • What are you thinking of doing in terms of key management? Would it be OK to use the same pre-agreed key at both ends? – Paul Sanders Jul 13 '18 at 17:38

1 Answers1

2

Whichever SSL library you choose to use there are a few things you need to know as a beginner in this field:

The server and client implementations will end up looking quite different in places.

Your server is absolutely going to need a certificate with a private key. During development you clearly don't want to get one from Verisign or something so you need to create a self-signed certificate. You can do this with openssl or other tools.

The certificate consists of a private part and a public part. The public part needs to go to the client, and will be used to validate the connection. When you are using something like SChannel the certificates (private and public) will need to be installed in the certificate stores of the server and client respectively.

SChannel does not send or receive data for you. So the core of your implementation is going to be: when the network has data: read ciphertext from socket and write to SChannel. Read clear text from SChannel (if any) and pass to application. When the application has data to send, get clear text from Application and pass to SChannel. Get the resulting ciphertext buffers from SChannel and write to the socket.

buffers from the internet may be partial, and negotiations and re-negotiations means there's no 1:1 mapping of passing data into SChannel and getting data out.

You therefore can't get away with a naive implementation that calls SChannel once to pass data in, and once again to get un/encrypted data. There will potentially be nothing available, or a whole lot of packets to send between the client and the server, before you'll get any application bytes. i.e. You will need some kind of state machine to keeptrack of this.

Obviously, don't write both the client and server at the same time: Start with your client against an https server.

That's the general outline of the process - the things that confused me when I first encountered SSL and why none of the samples were nearly as simple as I had hoped them to be.

Chris Becke
  • 34,244
  • 12
  • 79
  • 148
  • Do we _know_ that the server is an _http_ server? – Paul Sanders Jul 15 '18 at 06:50
  • It doesn't matter: https servers are everywhere and if you can at least connect to it then you know you've done enough to get your clients negotiation mostly right. Otherwise you are stuck trying to figure out if a failure to negotiate is a bug in your client or server implementation – Chris Becke Jul 15 '18 at 07:27
  • Of course it matters! If the OP's server (whatever that is, it seems to be a bit of a nebulous concept in the context of the original question) is not a webserver then he can't use SChannel. So what we need to do is ask him (and I did try, but I never got a response). – Paul Sanders Jul 15 '18 at 10:20
  • And note that with schannel it's easy to use the windows event log to trace what is going on. (IE. missing certificate, some other problem). – SoronelHaetir Jul 17 '18 at 15:44