AES Encryption

Hi all,

Strange problem with a .NET SDK Server and a Delphi SDK client. Both server and client have AES enabled.
If we disable AES on the client, the client is still able to call a method (and thus execute that method) on the server. The client fires an error when receiving the result “No AES envelope found” (which is OK).
So, how is it possible that the client, with AES disabled, is able to call a method?

The other way around seems not possible. If AES is disabled on the server and enabled on the client, the client can’t call the server.

Is this something we did wrong?

Hello

Envelopes are a kind of ‘converters’ applied to the incoming data stream to somehow convert it. If the incoming stream is not marked as containing AES-encrypted data, then AES conversion is not applied to it.
When the server sends data back to the client, it applies all defined envelopes to the data stream.

The purpose of the AES envelope is not to prevent server method calls if the incoming request is not encrypted. Its purpose is to secure client-server communication.

That said, AES envelopes are considered obsolete because of the need to store the password in the client app, which makes them vulnerable. It is better to consider switching to SSL/TLS traffic encryption instead.

Regards

How to do that?

It is as simple as enabling it in the server channel SslOptions property and providing the certificate that will be used to encrypt communications.

Using TLS allows your clients to connect with the more secure https://, superhttps://, tcps:// and supertcps:// protocols.

A certificate can be either loaded from a storage file on startup, or auto-generated the first time the server is run. If provided via file, it should be a PKCS#12 certificate without a password.

The default Remoting SDK Server template already provides code stubs you can simply uncomment and adjust to fit your needs:

  ApplicationServer server = new ApplicationServer("ROServer9");

  // TLS
  server.AutoCreateSelfSignedCertificate = true;
  server.NetworkServer.UseTLS = true;

  // server.NetworkServer.CertificateFileName = "</path/to/certificate>";
  // server.NetworkServer.CertificateThumbprint = "XX XX XX ...";
  // server.NetworkServer.Certificate = <certificate instance>

Self-signed certificates will require additional code client-side to allow clients to accept them (by default such certificates are rejected for security reasons): https://docs.remotingsdk.com/Clients/Tasks/HandlingSelfSignedCertificates/

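The last reply notes that clients need extra code to accept a self-signed certificate. The following is an added example, not code from the thread or from the Remoting SDK: using only standard .NET APIs, it pins one specific certificate by its SHA-256 hash instead of accepting every self-signed certificate. The names PinnedTls, MakeSelfSigned and PinTo and the generated certificates are constructed for illustration; how the callback is attached to a Remoting SDK client channel is covered by the linked documentation and is not shown here.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: standard .NET APIs only, no Remoting SDK calls.
static class PinnedTls
{
    // Constructed stand-in for the certificate the server auto-creates.
    public static X509Certificate2 MakeSelfSigned(string commonName)
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=" + commonName, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        return request.CreateSelfSigned(now.AddDays(-1), now.AddYears(1));
    }

    // Returns a validation callback that accepts exactly one certificate.
    public static RemoteCertificateValidationCallback PinTo(string sha256Hex) =>
        (sender, certificate, chain, errors) =>
        {
            if (certificate == null) return false;
            // Self-signed means the chain check fails; tolerate only that.
            // A name mismatch or a missing certificate is still rejected.
            if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
                return false;
            string seen = certificate.GetCertHashString(HashAlgorithmName.SHA256);
            return string.Equals(seen, sha256Hex, StringComparison.OrdinalIgnoreCase);
        };

    static void Main()
    {
        using X509Certificate2 server = MakeSelfSigned("ROServer9");
        using X509Certificate2 other = MakeSelfSigned("ROServer9"); // same name, new key
        // Password-less PKCS#12, the file form the server expects.
        byte[] pfx = server.Export(X509ContentType.Pkcs12);
        string pin = server.GetCertHashString(HashAlgorithmName.SHA256);
        Console.WriteLine($"PKCS#12 bytes: {pfx.Length}, SHA-256 pin: {pin}");

        RemoteCertificateValidationCallback check = PinTo(pin);
        var sender = new object();
        SslPolicyErrors chainOnly = SslPolicyErrors.RemoteCertificateChainErrors;
        SslPolicyErrors withName = chainOnly | SslPolicyErrors.RemoteCertificateNameMismatch;
        Console.WriteLine($"pinned certificate:  {check(sender, server, null, chainOnly)}");
        Console.WriteLine($"different key:       {check(sender, other, null, chainOnly)}");
        Console.WriteLine($"pinned, wrong host:  {check(sender, server, null, withName)}");
    }
}
```

In a deployment the pin is read from the server's certificate out of band and shipped in the client's configuration, so a replaced or intercepting certificate fails the check even though it is also self-signed.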