This repository has been archived by the owner on Nov 23, 2021. It is now read-only.

Implement public key / private key exchange mechanism using TLS #289

Open
DangaRanga opened this issue May 18, 2020 · 11 comments

@DangaRanga
Collaborator

No description provided.

@gill876
Collaborator

gill876 commented Jun 2, 2020

Would this be the case, since the public keys can be shared with any client? After the public key exchange, the message can be encrypted using the PyNaCl module.

@DangaRanga
Collaborator Author

Initially I had thought of the client and the server possessing their own individual private keys which they'd use for communication, whilst using the public key as an extra layer of security to verify the integrity of the data.

@gill876
Collaborator

gill876 commented Jun 3, 2020

I would like some verification of whether this TLS example from a repo would be suitable. The mechanism I had in mind was this.

@palisadoes
Contributor

Is this going to replace pyNACL?

@gill876
Collaborator

gill876 commented Jun 3, 2020

> Initially I had thought of the client and the server possessing their own individual private keys which they'd use for communication, whilst using the public key as an extra layer of security to verify the integrity of the data.

Integrity of data is another ball game. The private keys would be kept secret by each communicator. For instance, say server.py sends its public key to client.py; client.py then uses server.py's public key to encrypt what it wants to send. Only server.py can decrypt the data sent from client.py; this provides encryption but no authentication. The PyNaCl module has a Box class which uses the public keys of the communicators to provide encryption and authentication.

However, there is no Certification Authority involved. So in the event of a MITM, the client would not be sure it is sending data to the actual server.

@gill876
Collaborator

gill876 commented Jun 3, 2020

> Is this going to replace pyNACL?

Well, I'm wondering if I'm supposed to replace the current PyNaCl module with TLS.

@palisadoes
Contributor

Your new example seems to use pyNaCl to create public/private TLS keys. Couldn't the network exchange be done using flask instead of socket IO?

@palisadoes
Contributor

One of the issues is that this method will break if there is a one-way communication path. For example if the agent is behind a home router with NAT. It won't be possible for the pattoo server to request the private key from the agent.

@gill876
Collaborator

gill876 commented Jun 3, 2020

> Your new example seems to use pyNaCl to create public/private TLS keys. Couldn't the network exchange be done using flask instead of socket IO?

Oh yes yes, the socket was just for example purposes. The main ingredient is the exchange of the public keys.

@palisadoes
Contributor

https://puppet.com/docs/puppet/5.5/man/key.html With puppet the agent creates its own key and seems to send it to the puppet server using the puppet server's public key.

https://puppet.com/docs/pe/2018.1/regenerate_puppet_agent_certificates.html Talks about how the agent keys can be regenerated when necessary.

Here is how it's configured: https://puppet.com/docs/puppet/latest/config_important_settings.html

Here are videos about the process:

@gill876
Collaborator

gill876 commented Jun 3, 2020

> https://puppet.com/docs/puppet/5.5/man/key.html With puppet the agent creates its own key and seems to send it to the puppet server using the puppet server's public key.
>
> https://puppet.com/docs/pe/2018.1/regenerate_puppet_agent_certificates.html Talks about how the agent keys can be regenerated when necessary.
>
> Here is how it's configured: https://puppet.com/docs/puppet/latest/config_important_settings.html
>
> Here are videos about the process:

Okay, thanks much Peter. I'll review them.
