[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)

Kurt Pattyn pattyn.kurt at gmail.com
Sun Jan 26 12:39:53 CET 2014


On 26 Jan 2014, at 11:31, Konrad Rosenbaum <konrad at silmor.de> wrote:

> Depends. What is it used for? Is it just obfuscation or is it supposed to be 
> real security?

Well, there are 2 places where random numbers are used:
1. During the handshake phase
Client sends a handshake request containing a 128-bit random number converted to a string hex representation (Sec-WebSocket-Key).
The server appends a well-known UUID (published in the RFC) to that number and calculates a SHA-1 hash.
This hash is sent to the client, which in turn appends the same UUID to the random number it sent before, and calculates a SHA-1 hash. If both the server-sent hash and the client-calculated hash match, the handshake succeeds.

2. When sending data from client to server (not the other way)
The client generates a 32-bit random number.
This random number is stored in plain text in the header of each frame.
The data is XOR-ed with that 32-bit random number.

The server takes the 32-bit random number from the header and XORs it with the payload to get to the original data.

I really fail to see what the intention is of this mechanism. I really fail to see what could make this communication ‘secure’.

"The masking key needs to
 be unpredictable; thus, the masking key MUST be derived from a strong
 source of entropy, and the masking key for a given frame MUST NOT
 make it simple for a server/proxy to predict the masking key for a
 subsequent frame.  The unpredictability of the masking key is
 essential to prevent authors of malicious applications from selecting
 the bytes that appear on the wire."

Why should the masking key be unpredictable if it is sent unencrypted along with the masked data?
Why would a server/proxy predict the masking key if it can just fetch it from the header?
To me it looks like having a locked door with the key in the keyhole. Why would a burglar use a crowbar if he has the key?

> If the latter: is it the only way to generate security? (If so: in all 
> likelihood you are affixed by an inclined plane wrapped helically around an 
> axis. In layman's terms: screwed.)
> 
> If the former: unless it is absolutely necessary for understanding the other 
> side of the communication channel - don't bother implementing it. Obscurity 
> is no security.

Well, the standard requires the frames that go from client to server to be masked.
So yes, it is absolutely necessary, but in my opinion complete overkill.

> 
>>> I'd like others with more experience in this area to chime in though.
> 
> Getting milliseconds since Epoch gives you less than one bit of random 
> (entropy), if and only if nobody can predict precisely when you'll call for 
> the current time. Calling it several times does not increase entropy unless 
> there are sufficiently random intervals between calls and nobody can observe 
> you calling (i.e. you are working on a perfectly secured system). Micro- and 
> Nano-Seconds are slightly more random, but not much (fractions of bits).
> 
> You need about 128 bits of entropy for good security. After you've got that 
> you can stretch those with a secure random number generator. The q(s)rand 
> functions can be safely assumed to be completely insecure on most operating 
> systems and inadequate on all the others. Don't use them for security.
> 
> I would not recommend trying to implement your own PRNG either - getting it 
> right is horribly difficult. Getting the entropy gathering right in a cross-
> platform way is much worse effort…

I wouldn’t even dare :-) This is a research field on its own.

> 
> I wonder whether it would be possible to expose the low-level APIs of 
> OpenSSL to Qt, it has quite a good random number generator and it is used 
> for QSslSocket already.

Indeed, I planned to use the OpenSSL RNGs (the library has FIPS approved RNGs),
but that library is not available on all platforms I think.
Besides that, I am afraid this is a very expensive operation, certainly because another masking key
has to be calculated for every frame.

Konrad, reading the cases where random numbers are used, do you think it is worth the effort?
I am even considering calculating the masking key just once and using it for every frame (would speed up the communication).

Cheers,

Kurt

> 
> 
> 	Konrad
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
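Added example, not part of this thread and not code from Qt's WebSockets module: a small Python model of the two places Kurt lists, written the way RFC 6455 specifies them. On the handshake side the RFC has the client send 16 random bytes base64-encoded as Sec-WebSocket-Key and the server answer with Sec-WebSocket-Accept = base64(SHA-1(key + GUID)); the GUID below is the RFC's own constant and the test values are the RFC's published vectors (the "sample nonce" key and the masked "Hello" frame). On the framing side the masking key is a fresh 4-byte value per frame, drawn here from os.urandom, carried in clear in the header and XORed over the payload octet by octet (key octet i mod 4). A server that receives an unmasked client frame must fail the connection, which the parser below models by raising. The masking was never meant as confidentiality; the RFC's reason for it is to stop a script from choosing the exact bytes that reach an intermediary (an infrastructure-protection measure), which is why a visible key is fine but a predictable one is not.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constant fixed by RFC 6455 section 1.3 (a real protocol constant, not constructed here).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def generate_client_key() -> str:
    """Client side: 16 random bytes, base64-encoded, for the Sec-WebSocket-Key header."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def compute_accept(client_key: str) -> str:
    """Server side: Sec-WebSocket-Accept = base64(SHA-1(key || GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_accept(client_key: str, server_accept: str) -> bool:
    """Client side: recompute the expected value and compare it in constant time."""
    return hmac.compare_digest(compute_accept(client_key), server_accept)


def mask_payload(payload: bytes, masking_key: bytes) -> bytes:
    """XOR each payload octet with masking-key octet (i mod 4). Applying it twice unmasks."""
    if len(masking_key) != 4:
        raise ValueError("masking key must be exactly 4 octets")
    return bytes(b ^ masking_key[i % 4] for i, b in enumerate(payload))


def build_masked_text_frame(payload: bytes, masking_key: Optional[bytes] = None) -> bytes:
    """Build a single text frame (FIN=1) as a client must send it: MASK bit set and a
    fresh 4-byte key from os.urandom per frame, unless a key is supplied (test vectors)."""
    if masking_key is None:
        masking_key = os.urandom(4)
    header = bytes([0x81])  # FIN=1, RSV=0, opcode 0x1 (text)
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])                       # MASK bit + 7-bit length
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)  # 16-bit extended length
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)  # 64-bit extended length
    return header + masking_key + mask_payload(payload, masking_key)


def parse_masked_frame(frame: bytes) -> Tuple[int, bytes]:
    """Server side: read the key from the header and unmask. An unmasked client frame is a
    protocol error (RFC 6455 section 5.1), modelled here by raising ValueError."""
    if len(frame) < 2:
        raise ValueError("truncated frame header")
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    n = frame[1] & 0x7F
    pos = 2
    if n == 126:
        (n,) = struct.unpack("!H", frame[pos:pos + 2])
        pos += 2
    elif n == 127:
        (n,) = struct.unpack("!Q", frame[pos:pos + 8])
        pos += 8
    if not masked:
        raise ValueError("client-to-server frame is not masked; the server must fail the connection")
    key = frame[pos:pos + 4]
    pos += 4
    masked_payload = frame[pos:pos + n]
    if len(key) != 4 or len(masked_payload) != n:
        raise ValueError("truncated frame body")
    return opcode, mask_payload(masked_payload, key)


if __name__ == "__main__":
    key = generate_client_key()
    accept = compute_accept(key)
    print("handshake ok:", verify_accept(key, accept))
    frame = build_masked_text_frame(b"Hello")
    print("frame:", frame.hex(), "->", parse_masked_frame(frame))
```

The RFC's own vectors double as the checks here: the key "dGhlIHNhbXBsZSBub25jZQ==" must yield the accept value "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=", and "Hello" masked with key 37 fa 21 3d must serialise to 81 85 37 fa 21 3d 7f 9f 4d 51 58. Drawing each key from os.urandom (the platform CSPRNG) costs four bytes per frame and is far cheaper than the SHA-1 the handshake already performs once per connection, so per-frame keys are not where a WebSocket implementation's time goes.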
