Long story short, tcpcrypt is a new TCP extension and draft standard for automatic transport-layer encryption. Using it is as simple as installing the package and running /etc/rc.d/tcpcryptd start
I created an AUR package here: http://aur.archlinux.org/packages.php?ID=40308
What does it do?
Opportunistic - automatically enabled if both ends support tcpcrypt, gracefully falls back to normal TCP if not
No configuration - Just works
Transparent - any regular TCP application can use it
No kernel compilation necessary - just run a daemon to enable (Eventually it'll be merged into the Linux kernel, but until then this is a VERY convenient solution)
Works on Linux, OSX, FreeBSD and Windows
Low overhead
It was recently covered in an LWN.net article and presented at the USENIX Security Symposium. (IETF/RFC draft, Design paper PDF, tcpcrypt.org website)
Basically, it's what IPsec and TLS always should have been. The catch is, it doesn't do any authentication itself, but it makes it very easy for applications to do authentication (to prevent MITM etc.). But un-authenticated encryption is still much better than no encryption at all.
They also have plans to improve TLS, such that encryption is done by tcpcrypt, with TLS only adding authentication (with PKI certificates as usual). In other words, both http:// and https:// would be encrypted with tcpcrypt, but https:// uses a server SSL certificate.
Testing
Record yourself among the first tcpcrypt users: Hall of Fame
If you install it on 2 machines, try ssh'ing between them and run tcnetstat -- it will show a list of connections
You can also test it by going to tcpcrypt.org; at the bottom it will say something like "Your tcpcrypt session ID is: DAC08BB7DBD2..."
In the worst case, the tcpcryptd daemon may crash and temporarily halt all your TCP connections. When that happens, run /etc/rc.d/tcpcryptd stop and un-encrypted connections will resume as if nothing happened
Please report bugs to their bug tracker: http://github.com/sorbo/tcpcrypt/issues
Last edited by intgr (2010-08-27 15:23:16)
Sounds pretty interesting... downloaded and installed.
I noticed that it began to consume quite a bit of memory after a while...I had to restart the daemon when it filled my RAM.
I had to restart the daemon when it filled my RAM.
You're right, it leaks memory quite a lot. I hadn't noticed; I looked now and it was well into 700 MB RES.
Anyway, I uploaded a new PKGBUILD version that excludes the "lo" (localhost) interface from being encrypted.
I reported the memory leak....
I've waited for the issue to be fixed, but it seems I can't run tcpcryptd currently:
tcpcryptd: nfq_unbind_pf(): Invalid argument
iptables rules are changed, but then I can't visit any website. Is the problem known, or is it something specific to my computer?
version: local/tcpcrypt-git 20101011-1
The memory leak in tcpcryptd has been fixed, so anyone who was turned off by this bug can start using it again.
I've waited for the issue to be fixed, but it seems I can't run tcpcryptd currently:
tcpcryptd: nfq_unbind_pf(): Invalid argument
Weird, I built tcpcrypt-git right now (20101011-1) and it's working as expected.
Can you install ltrace, run this command as root and post its output?
ltrace -l /usr/lib/libnetfilter_queue.so.1 -l /usr/lib/libnfnetlink.so.0 tcpcryptd
Thanks!
Last edited by intgr (2010-10-11 20:27:07)
Initializing...
nfq_open(0xb75c43a0, 0xb74ecdfd, 0x5c5c5c5c, 0xb75c2ff4, 0xb75c43a0) = 0x8b6c0b8
nfq_nfnlh(0x8b6c0b8, 0xb74ecdfd, 0x5c5c5c5c, 0xb75c2ff4, 0xb75c43a0) = 0x8b6cd90
nfnl_rcvbufsiz(0x8b6cd90, 0x100000, 0x5c5c5c5c, 0xb75c2ff4, 0xb75c43a0) = 0x200000
nfq_unbind_pf(0x8b6c0b8, 2, 0x200000, 0x100000, 0xb75c43a0) = -1
tcpcryptd: nfq_unbind_pf(): Invalid argument
+++ exited (status 1) +++
nfq_unbind_pf(0x8b6c0b8, 2, 0x200000, 0x100000, 0xb75c43a0) = -1
tcpcryptd: nfq_unbind_pf(): Invalid argument
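The ltrace output above is the useful part of this report: it shows which libnetfilter_queue call returned the error and with what arguments. As an added example (not code from the thread or from the tcpcrypt project), here is a small parser that reads such a trace, picks out the first failing call, and decodes the protocol-family argument of nfq_unbind_pf/nfq_bind_pf. It assumes ltrace's default `func(args) = retval` line format; the set of pointer-returning functions (which fail by returning NULL rather than a negative value) is taken from the libnetfilter_queue API for nfq_open and nfq_nfnlh.

```python
"""Find the first failing libnetfilter_queue/libnfnetlink call in an ltrace trace."""
import re

# Constructed sample: the trace posted in this thread, reproduced verbatim.
SAMPLE_TRACE = """\
Initializing...
nfq_open(0xb75c43a0, 0xb74ecdfd, 0x5c5c5c5c, 0xb75c2ff4, 0xb75c43a0) = 0x8b6c0b8
nfq_nfnlh(0x8b6c0b8, 0xb74ecdfd, 0x5c5c5c5c, 0xb75c2ff4, 0xb75c43a0) = 0x8b6cd90
nfnl_rcvbufsiz(0x8b6cd90, 0x100000, 0x5c5c5c5c, 0xb75c2ff4, 0xb75c43a0) = 0x200000
nfq_unbind_pf(0x8b6c0b8, 2, 0x200000, 0x100000, 0xb75c43a0) = -1
tcpcryptd: nfq_unbind_pf(): Invalid argument
+++ exited (status 1) +++
"""

# One ltrace call line: name(comma-separated args) = return value (hex or decimal).
CALL_RE = re.compile(
    r"^(?P<func>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>-?0x[0-9a-fA-F]+|-?\d+)\s*$"
)

# Functions that return a handle pointer; failure is a NULL (0) return.
RETURNS_POINTER = {"nfq_open", "nfq_nfnlh", "nfq_create_queue"}

# Linux protocol family numbers seen as the 2nd argument of nfq_(un)bind_pf.
PF_NAMES = {2: "PF_INET", 10: "PF_INET6"}


def parse_calls(trace):
    """Return a list of {'func', 'args', 'ret'} dicts, one per traced call."""
    calls = []
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # banner lines, program output, "+++ exited" footer
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"func": m.group("func"), "args": args, "ret": int(m.group("ret"), 0)})
    return calls


def failed(call):
    """Apply the right failure convention for the called function."""
    if call["func"] in RETURNS_POINTER:
        return call["ret"] == 0
    return call["ret"] < 0


def first_failure(calls):
    """Return the first failing call, or None if every call succeeded."""
    for call in calls:
        if failed(call):
            return call
    return None


def describe(call):
    """Human-readable summary; decodes the protocol family for (un)bind calls."""
    if call["func"] in ("nfq_bind_pf", "nfq_unbind_pf") and len(call["args"]) >= 2:
        pf = int(call["args"][1], 0)
        return f"{call['func']} for {PF_NAMES.get(pf, pf)} returned {call['ret']}"
    return f"{call['func']} returned {call['ret']}"


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_TRACE)
    bad = first_failure(calls)
    print(describe(bad) if bad else "all traced calls succeeded")
```

Run against the posted trace it reports `nfq_unbind_pf for PF_INET returned -1`: nfq_open and nfq_nfnlh both returned non-NULL handles, so the nfnetlink socket itself opened fine and the EINVAL comes specifically from the kernel's handling of the unbind request, which is what makes the kernel build (rather than the tcpcrypt package) the thing to look at.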
What kernel version are you running? Did you compile a custom kernel?
I searched around a bit and I found people reporting this problem with other software on kernel version 2.6.23 (1 2 3 4)
Yes, I'm running the eeepc kernel:
local/kernel-eee 2.6.35.6-1
If you want to see the kernel configuration:
http://code.toofishes.net/cgit/dan/eee.git/
I'll check if that works with the default kernel...
EDIT: It works on my main workstation.
Last edited by faelar (2010-10-13 19:35:02)
I reported your issue here: http://github.com/sorbo/tcpcrypt/issues#issue/2
It would be great if you can help to track down the problem.