
Thread: (VB6) - Personal Chat using TLS 1.3 Encryption

  1. #1

    Thread Starter
    Fanatic Member
    Join Date
    Dec 2012
    Posts
    669

    (VB6) - Personal Chat using TLS 1.3 Encryption

    Attached is a One-To-One Chat program that utilizes the same encryption scheme as TLS 1.3.

    So why would I choose to use this encryption scheme? TLS 1.3 offers some distinct advantages over previous Security schemes. SSL is a dead issue, and many sites no longer consider TLS 1.0/1.1 secure. So that leaves TLS 1.2/1.3. TLS 1.2 is currently a safe and secure protocol, but how long that will last remains to be seen. TLS 1.3 uses Forward Secrecy to calculate the Input Keying Material (IKM), and part of the Handshake Negotiation is now encrypted as well. There is some controversy over the NIST ECC Curve (P-256) that I chose to use. After the NSA had a vulnerability (some call it a backdoor) rigged into the Dual EC DRBG protocol, there is a distrust of NIST. But there is no actual evidence to indicate that the NIST P curves have been rigged.

    The scheme used here is not compatible with public Web Server sites, as most of the options available with such a connection have been stripped. The Hello packets only contain the public ECC key, and since there is only one thing in the packet, there is no need for the individual headers. As well the calculated Agreed Secret is actually an SHA256 Hash of the Agreed Secret. And there is only one encryption algorithm provided (AES-128-GCM). A private communication system does not need all the options that a public service does. I have provided for a version number to be implemented in the packet header of the Hello packets, and a version check has been added in case any of the protocols used become deprecated. That is the major advantage in using a well used public encryption protocol, as potential problems seem to surface there first.

    As far as the programs themselves, I have attempted to remove as much clutter as possible, and still keep them functional. The dropdown box on the Client program only contains two URLs. A fully functional program would probably provide for other locations to be added to the registry. There is only the one ALERT message provided (Version). A fully functional program would provide for more. There are no command buttons. A message is sent from the Input box simply by hitting the "ENTER" key. InkEdit control boxes have been used instead of Text boxes. In theory, this would allow for non-Latin character sets (eg. Chinese/Arabic) to be used. Although SimpleSock supports IPv6, these programs do not take advantage of that capability.

    To use the programs, you can operate both in separate IDEs, or you can compile one or both and move one to another machine. If you move one to another network, remember to configure your NAT router to forward the connection request on port 443 to the machine running the Server program. That is the port I am using for the Server program to listen on, but you can change it to whatever you desire. On the Client program, the dropdown box contains a URL for the "localhost", and a fictitious domain name. To connect to an IP address for example, attempt a connect with the fictitious domain name, and when that fails change the domain name to an IP address and hit "ENTER".

    Once connected, type in your message and hit "ENTER". I also enabled Spell Checking on the Input box.

    J.A. Coutts

  2. #2

    Thread Starter
    Fanatic Member
    Join Date
    Dec 2012
    Posts
    669

    Re: (VB6) - Personal Chat using TLS 1.3 Encryption

    This version combines the 2 classes (clsCrypt & clsHKDF) into a single clsCrypt. As well, some of the functions performed in the calling form were moved to the class. This was done to eliminate storage of the encryption keys in the form itself. The creation of the keys, the selection of keys, and the updating of the Session Hash are now done in the Class itself. Because allocation of the encryption keys is reversed for use in the Client, a ClientFlg was added to the Client.

    J.A. Coutts

  3. #3

    Thread Starter
    Fanatic Member
    Join Date
    Dec 2012
    Posts
    669

    Re: (VB6) - Personal Chat using TLS 1.3 Encryption

    In this version, the Crypt Class was converted to a DLL to make it simpler and easier to use. This involved several more changes that would allow us to work with a compiled Library file. I also created a test program that would allow the Library file to be tested. As attached, the test program (prjTestDLL.vbp) contains the entire DLL code as a standard module. To use it with a Library file, copy the DLL to the Application directory, delete the .bas module, and remove the comment characters on the Private Declaration statements. I used DanSoft's DLL compiler to create a standard library file rather than an ActiveX DLL, because it does not require registration. The downside is that the routines used must be declared in the same way API calls are declared. The standard DLL must be placed in the application directory, the Windows directory, or the Windows System32/SysWOW64 directory.

    Changes:
    1. All keys are not returned from the DLL, and most are not kept in memory.
    2. Get and Let functions were changed to standard functions and subs.
    3. Complex routines such as GetKeys, GetECCKey, and CryptData now return a non zero long upon failure to identify the failed part of the routine.
    4. The sequence numbers are automatically advanced on all Crypt/Decrypt functions.
    5. Since the DLL was designed to be used in a Client/Server type of application, some juggling was required to use it in a one sided test.
    6. At the present time, no allowance has been made for the use of Pre Shared Keys. All connections require Forward Secrecy.

    One should note that the use of a Hashed Agreed Secret allows a certain amount of key customization, as the raw Agreed Secret can be Appended and Prepended with values (either fixed or random) before being hashed.
    KDF_SECRET_PREPEND = 1
    KDF_SECRET_APPEND = 2
    This requires adding buffers to the ParameterList.

    J.A. Coutts

    Addendum: I have added the Client/Server programs that utilize the library file
    Last edited by couttsj; Oct 14th, 2018 at 12:45 PM.
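
The key handling described in posts #1 to #3 (hashed Agreed Secret with optional prepend/append buffers, HKDF, reversed key allocation on the Client, automatic sequence numbers), sketched as an added Python example that is not the author's DLL code. The HKDF labels, the use of the Session Hash as HKDF context, the function names and the sample values are assumptions; the nonce rule is the one from RFC 8446 section 5.3.

```python
import hashlib
import hmac

# Buffer types, numbered as quoted in post #3.
KDF_SECRET_PREPEND = 1
KDF_SECRET_APPEND = 2

# Constructed sample values (not from the thread).
RAW_SECRET = bytes(range(32))  # stands in for the raw ECDH P-256 Agreed Secret
SESSION_HASH = hashlib.sha256(b"client hello" + b"server hello").digest()

def hashed_secret(raw_secret, params=()):
    """IKM = SHA-256(prepend || raw Agreed Secret || append)."""
    pre = b"".join(v for k, v in params if k == KDF_SECRET_PREPEND)
    app = b"".join(v for k, v in params if k == KDF_SECRET_APPEND)
    return hashlib.sha256(pre + raw_secret + app).digest()

def hkdf_extract(salt, ikm):
    """RFC 5869 extract step; an empty salt means 32 zero bytes."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    """RFC 5869 expand step with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def session_keys(ikm, session_hash, client_flag):
    """Return (send_key, send_iv, recv_key, recv_iv) for AES-128-GCM.

    Both ends derive the same two key/IV pairs; client_flag only decides
    which pair is used for sending. Labels are hypothetical.
    """
    prk = hkdf_extract(b"", ikm)
    keys = {}
    for side in (b"client", b"server"):
        keys[side] = (hkdf_expand(prk, side + b" key" + session_hash, 16),
                      hkdf_expand(prk, side + b" iv" + session_hash, 12))
    mine, theirs = (b"client", b"server") if client_flag else (b"server", b"client")
    return keys[mine] + keys[theirs]

def record_nonce(iv, seq):
    """XOR the sequence number into the right-hand end of the 12-byte IV."""
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))
```

Because each direction has its own key and the nonce changes with every sequence number, a (key, nonce) pair is never reused, which is the property AES-GCM depends on.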

  4. #4

    Thread Starter
    Fanatic Member
    Join Date
    Dec 2012
    Posts
    669

    Re: (VB6) - Personal Chat using TLS 1.3 Encryption

    Attached is a more refined version of Personal Chat. I personally use the compiled DLL, but since I cannot post compiled code, I have included the complete encryption code as a standard module and commented out the declarations.

    The first time the Client program is run, a default of "127.0.0.1|258" (::1|258 for IPv6) is loaded into the dropdown box, and this address (127.0.0.1) and port (258) will be saved when the program is exited. You can add any host address (including domain names) and port number into the text box, and it also will be saved when the program is exited. Invalid addresses produce an error message. When a link no longer proves to be useful, it can be deleted when it appears in the text box by using a Ctrl-D key combination. Selecting any address/port from the list attempts to establish a connection with the server program at that address/port. Also note that the selected address/port is automatically moved to the top of the list for the next time you attempt to connect.

    Once a connection is established with the other end, the 2 ends will negotiate a secure connection resulting in a "Handshake Complete" message in the Status Bar and a "CONNECTED!" message in the Message Box. The focus should automatically shift to the Input box at the bottom, allowing you to type in any message you desire. Outgoing messages will be preceded by "<-", and incoming messages will be preceded by "-->". With these types of systems, it is often unknown what the other party is doing. Are they responding to my message, or are they just thinking about it? A small blinking red dot appears on the right side of the status bar every time the other end hits a key. Also note that Spell Checking has been implemented on the Input box, and in theory it supports non-Latin character sets.

    The Server operates very much the same. The big difference is that the Server must listen for a connection request on the same port as the Client is using. Most IPv4 computers are sitting behind a NAT router, and an internal Firewall. Therefore, you must configure your router to either forward the connection request on the External Port number directly to your machine, or configure it to use Port Triggering on that Port number. Port Triggering does not require fixed IP addressing, but Port Forwarding does. Fixed IP addressing can be accomplished by configuring your network adapter, or in most modern routers, by using DHCP to provide the same function. You can still use the Client software without setting up your router, but you will not be able to listen for an incoming connection.

    J.A. Coutts
