ASN.1 Encoding-Decoding

4

7

I am currently developing a client-server program, the client in Java/C and the server in C. I have to transport cryptographic data (like the client should pass data to the server to encrypt/decrypt, compute a digest, etc.) and the server has to return the result to the client.

In this scenario, I realize the importance of using some transport protocol to identify data and pass data efficiently.

In this regard, my question is: Is ASN.1 a good protocol to use? I know that it is supported by BC (on Java) and OpenSSL on C. So is it a good idea to transport data between the client and server using ASN.1 notation?

Can you also please give me some starting points for this? Also, if you have a better idea of an existing protocol, please let me know.

Thanks!!

Spinode answered 11/5, 2011 at 12:32 Comment(1)
ASN.1 is an encoding, not a protocol. It provides a standard for serialization of data for network transport. I am not sure of ASN.1's efficiency, but I would be more concerned about the robustness of your implementation before its efficiency. - Sacring
9

What BC and OpenSSL support is only a very small part of ASN.1. In fact, for a long time there was no full ASN.1 implementation available, at least to the public. Telcos and telephone equipment manufacturers probably have rather complete ASN.1 implementations. At the moment the most advanced ASN.1 implementation available to the public is developed as part of the OsmoCom project; Harald Welte blogged about it: http://laforge.gnumonks.org/weblog/2011/04/12#20110412-mapv1_available

And to make matters worse, ASN.1, in particular its highly redundant encoding schemes (there are at least 3 different ways to encode strings in ASN.1), was the cause of several security issues in the last few years, due to the problems it caused in properly processing x509 certificates. x509 is another broken technology from hell, and IMHO better avoided. Sure, SSL depends on it, but getting a certificate signed by a "trusted" CA doesn't mean anything; any CA can sign for any domain, and after looking through what your browser trusts by default, I no longer trusted my browser.

So to make a long story short: ASN.1 is broken and should be avoided in new designs. Its only major widespread use outside of telephone networks is x509, which is broken, too. Thus I'd not use it. Use JSON, BSON, Protocol Buffers, Netstrings or something sane.

Pulmotor answered 11/5, 2011 at 13:30 Comment(6)
The only problem is my C server is an embedded system and I don't want to use some additional libs with high overhead. I assumed ASN.1 is part of the OpenSSL libs which I already use on the server side :( - Spinode
@pimmling: As I said, OpenSSL implements only a very limited subset of ASN.1, namely just those parts that are required to process x509 certificates. Also, BSON and Protocol Buffers are extremely lightweight: the C implementation of BSON is a mere 700 lines of code. - Pulmotor
Thanks datenwolf! I have a small confusion. As I understand, these protocols help in serialization of data. As in, they help you put all your data into a nice array with defined headers so it is easier to unwrap at the other side. Now what if I write this protocol myself? Say, define a message header which my server and client can use to communicate. Why and how are these serialization schemes important? - Spinode
Without giving your data some structure, the receiving end has no way to decipher what's what. First you need to verify that the data you receive is actually in some format you understand, otherwise all the crap that may accidentally or maliciously be sent will bring your process down. Also, if your data has some kind of structure, you need to transmit and format it in a system-independent way. Never ever pass a raw data structure over a network, or hell will break loose. Designing good transport containers is difficult, writing robust parsers is hard. Better use some proven, existing library. - Pulmotor
The most advanced ASN.1 implementation available to the public is definitely not what OsmoCom are using; they use a patched version of ASN1C by Lev Walkin. ASN1C doesn't even support ASN1 2002. You might be confusing "public" with "free". - Aspasia
@lttlrck: By public I meant: "Available to the public in source code form." Now if there is another, more advanced open source ASN.1 implementation, I'm highly interested in it. - Pulmotor
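
The check discussed in the comments above (verify that received bytes are in a format you understand before using them), sketched for ASN.1's DER encoding, which allows exactly one length encoding where BER allows several. This is an added example, not code from any poster or from OpenSSL; `der_tlv` and `der_read_tlv` are hypothetical names, the sample bytes are constructed, and it assumes single-byte tags, lengths of at most 32 bits and a `size_t` of at least 32 bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint8_t tag;          /* single-byte tag, e.g. 0x04 = OCTET STRING */
    const uint8_t *value; /* points into the caller's buffer, not copied */
    size_t len;           /* value length in bytes */
    size_t consumed;      /* header + value bytes used from the input */
} der_tlv;

enum { DER_OK = 0, DER_TRUNCATED = -1, DER_BAD_TAG = -2,
       DER_BAD_LENGTH = -3, DER_TOO_LONG = -4 };

/* Strictly read one DER tag-length-value element from untrusted input. */
int der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 2, len;
    if (buflen < 2) return DER_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f) return DER_BAD_TAG;  /* multi-byte tag: unsupported */
    len = buf[1];
    if (len & 0x80) {                                 /* long form */
        size_t n = len & 0x7f;                        /* number of length bytes */
        if (n == 0) return DER_BAD_LENGTH;            /* indefinite length: BER only */
        if (n > 4) return DER_TOO_LONG;               /* cap at 32-bit lengths */
        if (buflen - 2 < n) return DER_TRUNCATED;
        if (buf[2] == 0) return DER_BAD_LENGTH;       /* leading zero: not minimal */
        len = 0;
        while (n--) len = (len << 8) | buf[pos++];
        if (len < 0x80) return DER_BAD_LENGTH;        /* short form was required */
    }
    if (len > buflen - pos) return DER_TRUNCATED;     /* value must fit; cannot wrap */
    out->tag = buf[0]; out->value = buf + pos;
    out->len = len;
    out->consumed = pos + len;
    return DER_OK;
}

int main(void)
{
    /* Constructed samples: the same 3-byte OCTET STRING, encoded three ways. */
    const uint8_t der[]    = { 0x04, 0x03, 'k', 'e', 'y' };             /* DER */
    const uint8_t padded[] = { 0x04, 0x81, 0x03, 'k', 'e', 'y' };       /* BER, non-minimal */
    const uint8_t indef[]  = { 0x24, 0x80, 0x04, 0x03, 'k', 'e', 'y', 0, 0 }; /* BER, indefinite */
    der_tlv t;
    printf("%d %d %d\n", der_read_tlv(der, sizeof der, &t),
           der_read_tlv(padded, sizeof padded, &t), der_read_tlv(indef, sizeof indef, &t));
    return 0;
}
```

Only the first sample is accepted; the two BER variants decode to the same content under a lenient parser, which is the kind of ambiguity a strict reader removes.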
3

ASN.1 is alive and well, and is used within many standard protocols, both old and recent, including several standards that are currently being developed (for example, within 3GPP and IEEE 802). There are a few good and complete commercial ASN.1 tools available on the market. A typical ASN.1 tool includes an ASN.1 compiler that can generate source code from the ASN.1 message definitions, as well as encoding/decoding libraries for the different standard encoding rules. Typically, the application developer will write code that uses the data structures generated by the ASN.1 compiler and will invoke the encode/decode functions provided as part of the ASN.1 tool.

If you don't want to get a commercial ASN.1 tool (for whatever reason), and if you are going to write your own ASN.1 message definitions (as opposed to implementing an existing standard protocol), perhaps you could pick up one of the free ASN.1 tools available and limit your usage of ASN.1 to the syntactic features that are supported by the tool that you have chosen.

Poet answered 12/5, 2011 at 16:43 Comment(0)
2

ASN.1 has become something of a niche, used for X.509-related data and about nothing else.

You might want to look at Google Protocol Buffers instead.

Windowpane answered 11/5, 2011 at 12:38 Comment(4)
Can ASN.1 not be used to transport public keys or AES-encrypted texts, etc.? - Spinode
Yes, but you will find it slow and hard to use. - Windowpane
It's used extensively in telecoms, including four key LTE interfaces; that's not niche. It's not slow, but it is hard to use. - Aspasia
OK, ASN.1 is not inherently slow, but good luck finding a nice clean open source / free library. - Windowpane
0

In case you really want to use ASN.1 in Java: I had a look at open source ASN.1 libraries for Java and found only BinaryNotes to be of a usable maturity. The tool does not support all state-of-the-art ASN.1 specialty features (extension points, etc.), but for defining your own basic ASN.1 grammar and generating Java classes that are able to encode/decode those messages it is quite useful, with only little effort to put into it.

For the C part, colleagues were using ASN.1C to compile a CODEC out of an ASN.1 grammar - but I don't know any details.

Tabulate answered 12/5, 2011 at 17:5 Comment(2)
Is ASN.1 a good encoding to use for the situation posed in the question? Why or why not? - Sacring
It is as good or as bad as Google Protocol Buffers - a language-independent encoding for structured data. The emphasis in ASN.1 lies in efficiency, especially in bandwidth and parser efficiency; if your embedded C client is low on compute power, ASN.1 is definitely something to look at. The ASN.1 part of OpenSSL, however, is IMHO not suitable for custom messages of a custom ASN.1 grammar - it is for de- and encoding common data like X.509, so your first starting point would be to see whether the command-line openssl asn1parse ... can be used for encoding any data that might suit your use case. - Tabulate
