Q: How do I encrypt file transfers with dd and netcat?
A: This question came to us in response to the article Backup Files and Partitions with dd and netcat.
Encrypting these file transfers is quite simple: pipe the data through openssl(1) on both ends, encrypting before it enters netcat on the client and decrypting as it leaves netcat on the server.
As in the previous article, we will set up the server to listen on port 9999 and redirect the output to "file.backup":
server# nc -l -p 9999 | \
openssl aes-256-cbc -salt -d > file.backup
enter aes-256-cbc decryption password:
Once you've entered the password, netcat will sit there waiting for a connection and terminate once the client closes it, i.e. when the whole file has been sent. Note that nc accepts the first connection from anyone who can reach port 9999; the password protects the contents of the file, not the listener.
On the client side, the commands are similar, but rather than telling OpenSSL to decrypt (-d) the traffic, we'll ask it to encrypt (-e). We'll assume the netcat server is 10.0.0.2.
client# openssl aes-256-cbc -salt -e < file-to-transfer | \
nc 10.0.0.2 9999
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
You'll have to choose the same password as you did on the server; if you don't, you'll receive errors such as
server# nc -l -p 9999 | \
openssl aes-256-cbc -salt -d > file.backup
enter aes-256-cbc decryption password:
bad decrypt
6194:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/usr/src/crypto/dist/openssl/crypto/evp/evp_enc.c:461:
As before, you can verify file integrity via checksums. This step matters more, not less, once encryption is involved: "bad decrypt" only means the padding of the last block did not check out, and AES-CBC provides confidentiality without any integrity check, so ciphertext altered in transit can decrypt without a single error. Comparing the checksums (with the client's value obtained over a channel you trust) is what detects that.
client# sha1 file-to-transfer
SHA1 (file-to-transfer) = 6476df3aac780622368173fe6e768a2edc3932c8
server# sha1 file.backup
SHA1 (file.backup) = 6476df3aac780622368173fe6e768a2edc3932c8
"How do I really know it's encrypting the data?" you may ask. You could always sniff the wire, but here is a simple demonstration.
We'll start by removing the decryption command from the server and see what lands on disk.
client# cat file-to-transfer
this is a test
server# nc -l -p 9999 > file.backup
client# openssl aes-256-cbc -salt -e < file-to-transfer | nc 10.0.0.2 9999
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
server# cat file.backup
ëÇQÔ0^¥ôÖ(à0xKÑdÅ
server# openssl aes-256-cbc -salt -d < file.backup
enter aes-256-cbc decryption password:
this is a test
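The following script is an added example and is not part of the original post: it reproduces the encrypted transfer locally so the two points above (the ciphertext is really opaque, and the checksum comparison is what guarantees integrity) can be exercised without two hosts. A file named "wire" stands in for the nc connection (the client writes it, the server reads it); the sample input and the password are constructed for the demo. It assumes openssl(1) 1.1.1 or newer, because it passes -pbkdf2: without that flag enc derives the key from the password with a single hash iteration, which is far weaker against password guessing than PBKDF2's 10000 iterations. It also shows that what -salt adds is the 8-byte magic "Salted__" plus an 8-byte random salt at the front of the ciphertext, the only legible part of the "cat file.backup" output.

```sh
#!/bin/sh
# Added example, not from the original post: the encrypted dd/nc transfer
# reproduced locally. A file named "wire" stands in for the nc connection
# (client writes it, server reads it), so everything runs offline.
# Assumes openssl(1) 1.1.1 or newer (for -pbkdf2) and POSIX od/dd/awk.

# Demo password (constructed). In real use, -pass file:/path or -pass env:NAME
# keeps the password off the command line, where ps(1) would show it.
PASS=${PASS:-"correct horse battery staple"}
export PASS

# Client side: what would be piped into "nc 10.0.0.2 9999".
encrypt_to() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass env:PASS -in "$1" -out "$2"
}

# Server side: what the output of "nc -l -p 9999" would be piped through.
# stderr is silenced so the "bad decrypt" message does not clutter the demo.
decrypt_to() {
    openssl enc -aes-256-cbc -d -pbkdf2 -pass env:PASS -in "$1" -out "$2" 2>/dev/null
}

# Checksum as the article does with sha1(1), via openssl for portability.
sha256_of() { openssl dgst -sha256 < "$1" | awk '{print $NF}'; }

# -salt prefixes the ciphertext with the 8-byte magic "Salted__" followed by
# an 8-byte random salt; this is the legible part of "cat file.backup".
has_salt_header() { [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "Salted__" ]; }

# Complement the byte at offset $2 of file $1: an attacker on the wire.
corrupt_byte() {
    b=$(od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' \n')
    printf "$(printf '\\%03o' $((b ^ 255)))" |
        dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Constructed sample input (not from the post): 75 bytes, i.e. five AES blocks
# after padding, so tampering with block 1 leaves the padding block intact.
make_plaintext() {
    printf 'this is a test\nline two of the sample backup\nline three, still sample data\n' > "$1"
}

# 1. Honest transfer: ciphertext carries the salt header, checksums match.
round_trip() {
    d=$(mktemp -d) && make_plaintext "$d/in"
    encrypt_to "$d/in" "$d/wire" || return 1
    has_salt_header "$d/wire" || return 1
    decrypt_to "$d/wire" "$d/out" || return 1
    [ "$(sha256_of "$d/in")" = "$(sha256_of "$d/out")" ]
}

# 2. One ciphertext byte changed in transit. CBC has no integrity check:
#    openssl exits 0 (the padding block is untouched, so no "bad decrypt"),
#    yet the recovered file differs. Only the checksum comparison catches it.
tampered_in_transit() {
    d=$(mktemp -d) && make_plaintext "$d/in"
    encrypt_to "$d/in" "$d/wire" || return 1
    corrupt_byte "$d/wire" 16        # first ciphertext byte, after the 16-byte header
    decrypt_to "$d/wire" "$d/out" || return 1   # succeeds: no error is reported
    [ "$(sha256_of "$d/in")" != "$(sha256_of "$d/out")" ]
}

# 3. Wrong password: usually "bad decrypt" (exit 1), but roughly 1 time in 256
#    the garbage ends in valid padding and openssl exits 0, so judge by the
#    checksum rather than by the exit status.
wrong_password_rejected() {
    d=$(mktemp -d) && make_plaintext "$d/in"
    encrypt_to "$d/in" "$d/wire" || return 1
    if (PASS="not the password"; export PASS; decrypt_to "$d/wire" "$d/out"); then
        [ "$(sha256_of "$d/in")" != "$(sha256_of "$d/out")" ]
    fi
}

round_trip && echo "honest transfer: salt header present, checksums match"
tampered_in_transit && echo "tampered ciphertext: openssl exit 0, checksums differ"
wrong_password_rejected && echo "wrong password: plaintext not recovered"
```

To turn this back into the article's setup, replace the "wire" file with the nc pipes: encrypt_to writes to nc on the client, and nc -l feeds decrypt_to on the server; the checks are unchanged. The tampering scenario is the reason to keep the checksum step even with encryption in place.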
Posted: March 9th, 2007 under Answers, DragonFlyBSD, FreeBSD, NetBSD, OpenBSD, Security, System Administration.