Question

I plan to use Thrift for Client/Server RPCs, and I would like to encrypt the exchanged data using libsodium. I know there is TLS builtin but the TLSTransportParameters do not seem to give much configuration possibilities.

Does someone know at which points I would have to extend Thrift to enable this?


Solution

My firm created a custom Camellia transport layer for use with Thrift. By creating a layered transport we were able to insert the cipher in between the endpoint transport (TSocket, TPipe, etc.) and the serialization protocol (TBinaryProtocol or what have you). This required 0 modifications to Thrift and was easy to port to the languages we used (C++, Java, Python). It also allowed us to add other standard transport layers to the stack when needed (e.g. TFramedTransport).

To build such a layered transport you simply expose TTransport to the layer above, and consume TTransport from the layer below. TTransport consists of the typical unix file methods: open, close, read and write, with the addition of the important flush() method which signals the message is complete and should be sent to the end point.

Thrift has a pretty nice architecture for making such extensions, so there are other choices you could make but I think that for message encryption often the transport layer is the right place to look. By placing your cipher just above the end point transport (TSocket, etc.) you will encrypt everything in the TCP payload.
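As an added illustration of the layered transport described in this answer (example code, not the answer author's or the Thrift project's own): an EncryptedTransport that buffers what the protocol layer writes, seals it on flush() into one length-prefixed frame (nonce || ciphertext || tag) for the endpoint transport below, and on read() pulls a frame, verifies it, and only then serves plaintext upward. To run stand-alone it assumes an HMAC-SHA256 construction in place of libsodium's crypto_secretbox and an in-memory pipe in place of TSocket; a real build would subclass thrift.transport.TTransport.TTransportBase and have seal/unseal call libsodium (e.g. PyNaCl's nacl.secret.SecretBox).

```python
import hashlib, hmac, os, struct
NONCE_LEN, TAG_LEN = 24, 32

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF: a constructed stand-in for XSalsa20, not libsodium.
    # The leading 0x00 byte domain-separates keystream inputs from MAC inputs under one key.
    blocks = (_prf(key, b"\x00" + nonce + struct.pack(">Q", i)) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # encrypt-then-MAC with the same output shape as crypto_secretbox: ciphertext || tag
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + _prf(key, b"\x01" + nonce + ct)

def unseal(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(key, b"\x01" + nonce + ct)):
        raise ValueError("frame failed authentication")  # never release unauthenticated bytes
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class MemoryEndpoint:
    # Loopback byte pipe standing in for an endpoint transport such as TSocket (hypothetical).
    def __init__(self): self.buf = bytearray()
    open = close = flush = lambda self: None                 # no-ops for an in-memory pipe
    def write(self, data: bytes): self.buf += data
    def read(self, n: int) -> bytes:
        out = bytes(self.buf[:n]); del self.buf[:n]; return out

class EncryptedTransport:
    # Layered transport: the protocol above sees plaintext, the endpoint below sees sealed frames.
    def __init__(self, inner, key: bytes):
        self.inner, self.key, self.wbuf, self.rbuf = inner, key, bytearray(), b""
    def open(self): self.inner.open()
    def close(self): self.inner.close()
    def write(self, data: bytes): self.wbuf += data          # buffer until the protocol calls flush()
    def flush(self):                                          # one Thrift message -> one sealed frame
        nonce = os.urandom(NONCE_LEN)
        frame = nonce + seal(self.key, nonce, bytes(self.wbuf))
        self.inner.write(struct.pack(">I", len(frame)) + frame); self.inner.flush()
        self.wbuf.clear()
    def read(self, n: int) -> bytes:
        if not self.rbuf:                                     # pull and verify the next frame
            (length,) = struct.unpack(">I", self.inner.read(4))
            frame = self.inner.read(length)
            self.rbuf = unseal(self.key, frame[:NONCE_LEN], frame[NONCE_LEN:])
        out, self.rbuf = self.rbuf[:n], self.rbuf[n:]
        return out

def roundtrip(message: bytes, key: bytes, tamper: bool = False) -> bytes:
    pipe = MemoryEndpoint()  # both ends share one loopback pipe and one constructed key
    sender, receiver = EncryptedTransport(pipe, key), EncryptedTransport(pipe, key)
    sender.write(message); sender.flush()
    assert message not in pipe.buf                            # the wire carries no plaintext
    if tamper: pipe.buf[-1] ^= 0x01                           # flip a tag bit on the wire
    return receiver.read(len(message))
```

Because sealing happens in flush(), the frame boundary coincides with the Thrift message boundary, which is why this layer belongs between the endpoint transport and the protocol rather than inside either.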

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow