6

I am currently developing a client-server program, the client in Java/C and server in C. I have to transport cryptographic data (like the client should pass data to Server to encrypt/decrypt, compute digest etc.) and the server has to return the result to Client.

In this scenario, I realize the importance of using some transport protocol to identify data and pass data efficiently.

With this regard, my question is: Is ASN.1 a good protocol to use? I know that it is supported by BC (on Java) and OpenSSL on C. So is it a good idea to transport data between the client and server using ASN.1 notation?

Can you also please give me some starting points to this? Also if you have a better idea of an existing protocol please let me know.

Thanks!!

pimmling
  • 2
    ASN.1 is an encoding, not a protocol. It provides a standard for serialization of data for network transport. I am not sure of ASN.1's efficiency, but I would be more concerned about the robustness of your implementation before its efficiency. – this.josh May 25 '11 at 16:48

4 Answers

9

What BC and OpenSSL support is only a very small part of ASN.1. In fact for a long time there was no full ASN.1 implementation available, at least for the public. Telcos and telephone equipment manufacturers probably have rather complete ASN.1 implementations. At the moment the most advanced ASN.1 implementation available to the public is developed as part of the OsmoCom project, Harald Welte blogged it: http://laforge.gnumonks.org/weblog/2011/04/12#20110412-mapv1_available

And to make matters worse, ASN.1, in particular its highly redundant encoding schemes (there are at least 3 different ways to encode strings in ASN.1), used to be the cause for several security issues in the last years, due to the problems it caused in properly processing x509 certificates. x509 is another broken technology from hell, and IMHO better avoided. Sure, SSL depends on it, but getting a certificate signed by a "trusted" CA doesn't mean anything; any CA can sign for any domain, and after looking through what your browser trusts by default, I no longer trusted my browser.

So to make a long story short: ASN.1 is broken and should be avoided in new designs. Its only major widespread use outside of telephone networks is x509, which is broken, too. Thus I'd not use it. Use JSON, BSON, Protocol Buffers, Netstrings or something sane.

datenwolf
  • The only problem is my C server is an embedded system and I don't want to use some additional libs with high overhead. I assumed asn.1 is part of openssl libs which I already use on the server side :( – pimmling May 11 '11 at 14:07
  • @pimmling: As I said, OpenSSL implements only a very limited subset of ASN.1, namely just those parts that are required to process x509 certificates. Also BSON and Protocol Buffers are extremely lightweight: The C implementation of BSON is a mere 700 lines of code. – datenwolf May 11 '11 at 14:30
  • Thanks datenwolf! I have a small confusion. As I understand, these protocols help in serialization of data. As in, they help you put all your data into a nice array with defined headers so it is easier to unwrap at the other side. Now what if I write this protocol myself? Say, define a message header which my Server and client can use to communicate. Why and how are these serialization schemes important? – pimmling May 11 '11 at 14:37
  • Without giving your data some structure the receiving end has no way to decipher what's what. First you need to verify that the data you receive is actually in some format you understand, otherwise all the crap that may accidentally or maliciously be sent will bring your process down. Also if your data has some kind of structure you need to transmit and format it in a system independent way. Never ever pass a raw data structure over a network, or hell will break loose. Designing good transport containers is difficult, writing robust parsers is hard. Better use some proven, existing library. – datenwolf May 11 '11 at 14:46
  • The most advanced ASN.1 implementation available to the public is definitely *not* what OsmoCom are using, they use a patched version of ASN1C by Lev Walkin. ASN1C doesn't even support ASN1 2002. You might be confusing "public" with "free". –  Oct 11 '11 at 19:19
  • @lttlrck: With public I meant: "Available to the public in source code form." Now if there is another, more advanced open source ASN.1 implementation, I'm highly interested in it. – datenwolf Oct 11 '11 at 19:48
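The comment thread above asks what a hand-written message header involves and warns against sending raw structs. As an added example (not code from any poster in the thread), here is a C parser for a hypothetical 8-byte request header; the wire format, the `CS` magic, the op codes and the 4096-byte cap are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical wire format (an assumption of this example, not from the thread):
 *   magic "CS" | version (1) | op (1) | payload_len (4, big-endian) | payload */
#define HDR_LEN     8u
#define MAX_PAYLOAD 4096u   /* fixed cap suited to a small embedded server */

enum op { OP_ENCRYPT = 1, OP_DECRYPT = 2, OP_DIGEST = 3 };
enum parse_rc { PARSE_OK = 0, ERR_TRUNCATED, ERR_MAGIC, ERR_VERSION,
                ERR_OP, ERR_TOO_BIG, ERR_LENGTH };

struct request {
    uint8_t        op;
    uint32_t       payload_len;
    const uint8_t *payload;      /* points into the caller's buffer */
};

/* Validate one complete frame in buf[0..len); nothing is read past len. */
enum parse_rc parse_request(const uint8_t *buf, size_t len, struct request *out)
{
    if (buf == NULL || out == NULL || len < HDR_LEN)
        return ERR_TRUNCATED;
    if (buf[0] != 'C' || buf[1] != 'S')
        return ERR_MAGIC;
    if (buf[2] != 1)
        return ERR_VERSION;
    if (buf[3] < OP_ENCRYPT || buf[3] > OP_DIGEST)
        return ERR_OP;
    /* Decode byte by byte instead of casting to a struct, so host
     * endianness, padding and alignment never reach the wire format. */
    uint32_t plen = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                    ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    if (plen > MAX_PAYLOAD)
        return ERR_TOO_BIG;      /* reject before any allocation or copy */
    if (plen != len - HDR_LEN)
        return ERR_LENGTH;       /* short read or trailing bytes */
    out->op = buf[3];
    out->payload_len = plen;
    out->payload = buf + HDR_LEN;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample frame: DIGEST request carrying "abc". */
    static const uint8_t frame[] = { 'C','S', 1, OP_DIGEST, 0,0,0,3, 'a','b','c' };
    struct request r;
    return parse_request(frame, sizeof frame, &r) == PARSE_OK ? 0 : 1;
}
```

The same checks (known magic and version, whitelisted operation, length bounded and consistent with the bytes actually received) are what an existing serialization library performs for you, which is the trade-off the comments discuss.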
3

ASN.1 is alive and well, and is used within many standard protocols, both old and recent, including several standards that are currently being developed (for example, within 3GPP and IEEE 802). There are a few good and complete commercial ASN.1 tools available on the market. A typical ASN.1 tool includes an ASN.1 compiler that can generate source code from the ASN.1 message definitions, as well as encoding/decoding libraries for the different standard encoding rules. Typically, the application developer will write code that uses the data structures generated by the ASN.1 compiler and will invoke the encode/decode functions provided as part of the ASN.1 tool.

If you don't want to get a commercial ASN.1 tool (for whatever reason), and if you are going to write your own ASN.1 message definitions (as opposed to implementing an existing standard protocol), perhaps you could pick up one of the free ASN.1 tools available and limit your usage of ASN.1 to the syntactic features that are supported by the tool that you have chosen.

Alessandro
2

ASN.1 has become something of a niche, used for X.509-related data and about nothing else.

You might want to look at Google Protocol Buffers instead.

bmargulies
0

In case you really want to use ASN.1 in Java: I had a look at open source ASN.1 libraries for Java and found only BinaryNotes to be of a usable maturity. The tool does not support all state-of-the-art ASN.1 specialty features (extension points etc.) but for defining your own basic ASN.1 grammar and generating Java classes that are able to encode/decode those messages it is quite useful with only little effort to put into it.

For the C part colleagues were using ASN.1C to compile a CODEC out of an ASN.1 grammar - but I don't know any details.

BertNase
  • Is ASN.1 a good encoding to use for the situation posed in the question? Why or why not? – this.josh May 25 '11 at 16:44
  • It is as good or as bad as Google Protocol Buffers - a language-independent encoding for structured data. The emphasis in ASN.1 lies in efficiency, especially in bandwidth and parser efficiency; if your embedded C client is low on compute power, ASN.1 is definitely something to look at - the ASN.1 part of openSSL however is IMHO not suitable for custom messages of a custom ASN.1 grammar - it is for de- and encoding common data like X.509, so your first starting point would be to see whether the command-line `openssl asn1parse ...` can be used for encoding any data that might suit your use case – BertNase May 26 '11 at 04:26