Pages

Friday, November 21, 2008

xbox 360

Well like many people out there I have determined that Microsoft had rushed the xbox 360 out too fast. The initial production run has thermal issues. I have had the red ring of death 4 times now. I have had the E74 error once. To Microsoft's credit they have proven that they want to make it right. I have gotten rush service and advanced hand holding the more problems I have had.

This last time we got the E74 error. In looking up the cause I was surprised to see that this too was a thermal issue. After the last Red Ring O' Death they had sent me a box that was very cool even after hours of play. All the ones before that were hot to the touch. This new unit is cool as well.

Microsoft has bundled the Netflix service in the 360. After the implosion of HD DVD I thought Microsoft would have to license Blu Ray. I guess not. Initial reports on the service are good. So the question is do I splurge on another 360 for the upstairs TV? PS3 may have the cheapest Blu Ray player but unless all of them start to get cheaper, I think Microsoft will put a dent in the market for people who are just looking to watch a HD movie.

Thursday, November 20, 2008

A difficult interview question

In my role as system architect I get to interview the people for positions on my team. Most of my colleagues will ask the pure knowledge questions like "How would you implement an abstract class of vehicle given that you need subclasses of car and bus?" This kind of question shows that you understand OO concepts or you don't. Some of my questions are like this but I utilize some that are more vague. The one question that I always use will be

"Given a hypothetical project with 5 sub tasks, 3 of which you have done before and know how to do, and the last 2 are new techniques you have never done before - Given a hard deadline tell me in what order do you do the tasks?"

Most inexperienced people will say "I will complete the easy tasks and then complete the hard tasks." Some people with experience will say the opposite. Either answer is correct, but the real question is next - "Why". Many candidates have a difficult time clearly explaining why. My preferred answer places the unknown tasks ahead of the known tasks for one simple reason. It eliminates risk from the project. If you perform the 3 known tasks and then get to the unknown tasks and discover that they cannot be completed, then you have failed in completing the project and expended the energy to do the 3 known tasks. If you attempt the 2 unknown tasks first then you might discover in the early phases that the project cannot be completed before you attempt the 3 known tasks.

Net take away: Always take the path to eliminate risk from your project as soon as possible.

Tuesday, November 11, 2008

No https, No transaction

I'm in the middle of a big home improvement project right now. I'm casting some concrete countertops for my bar in the basement. I was searching for some materials for this and found a site that I wanted purchase from. So I drop the item in my order cart and whip out my trusty credit card and click "Checkout now". I'm about to input all my info including CVV when I noticed there is no https in the URL. I was so disappointed. I emailed the company to give them a heads up and then went and found a different location for the product I wanted.

Click to enlarge

One of my biggest annoyances is when you are shopping for items in a well laid out web catalog. You click on the item you want to look at. There is a link that says "enlarge". I click and I get an image about 1 - 5 % larger. What a waste of time. NewEgg knows how to present the merchandise.

Friday, November 7, 2008

How come?

When Firefox and IE give the security warning that page has secure and unsecure elements, HOW COME I can't see a list of what is unsecure?



When I click on details in IE I get



Come on.. throw me a bone people.


Thursday, November 6, 2008

A list of my favorite software

  1. Tomcat
  2. MySQL
  3. Eclipse / MyEclipse
  4. SQLYog
  5. Ubuntu
  6. Apache Commons
  7. Firefox

Password Management

We all have passwords. As IT professionals we have gotten used to them. Hopefully you have memorized them and they are not on a Post it next to your screen. What I want to discuss is separating passwords for different duties.

Consider for a moment a bank VP named Bob that is reasonably familiar with security. Bob is a careful guy and he doesn't utilize and easily guessed password. It's sufficiently sprinkled with different case, special characters and numerics. He's got this password thing figured out. Except he doesn't want to remember more than one password so he makes all his passwords the same. VPN login, work email, PC login, home email, iTunes login, and numerous other site share a variant of the same password. In some sites the id he enters is different. but they all use the same password.

Think about this. This means that if I can dig up the emails of executives for a given company and then cross reference that with similar emails in the same location I have potentially discovered the IDs for Bob. Now all I have to do is harvest his password from some lightly defended url. Unfortunately for the bank network security manager, his security is co-opted by Bob using his password in a different domain.

This is already being exploited by criminals: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133195

With the rise in popularity of social networking, criminals are attacking social network sites to harvest their passwords. These sites don't have greatly hardened security (really they are just protecting my list of friends) right? Wrong, people tend to want to use similar passwords for all sites. These users also have the potential to discuss what they do for a living. More than likely they have their email available on this site. The email credentials are a gold mine. Once an attacker has cracked your email account he doesn't even have to guess... he can open their email up and see password reset emails, and what websites the prey does business with. He could even ask that a password be reset.

To sign up for stupid web offers and free stuff, select a password that is used for just this purpose.

To protect your email from this, select an utilize a password only for your email account. Delete password reset type emails immediately after use.

To protect commerce types of accounts change that password and use it only with sites that you use your credit cards on.

To protect your banking and financial sites, again select yet another password.

To protect your work, again select yet another password.

This yields 5 separate passwords that you can use to mitigate your risk. This is not a perfect system by any means but it is better than having one password for all websites.

Securing Keystores I

The application I am working on is a secure document management system. Internal users and external users can share documents instead of passing them around by email. Security requirements have made encryption of these documents a certainty. Documents are uploaded via https so there is not problem in transport, but they have to reside encrypted on the disk as well. The IT Security group was looking for the following features.
  1. Key rotation - allowing a security manager to generate a new keystore and rekey all documents as needed.
  2. Keystore password stored on remotely.
  3. Keystore password > 25 chars.
Knowing that PBE of the keystore is potentially breakable I decided to wrap the keys. My goal is that an attacker could have both the keystore and the encrypted documents and still have significant difficulty in reading the documents. My basis for this technique is in rfc3394. It discusses using AES 256bit to wrap. I will be wrapping the keys with 2048 bit RSA.

If an attacker was to mount a brute force attack then they would have to first break the PBE on the keystore, then they would have to break the 2048 bit RSA wrapping the keys.

The keystore generation program will generate a keystore with a specified number of AES 256 bit keys. This number of keys will need to be substantially large to accommodate a unique key for each document. We use will use 50000. This should provide a set of keys randomly distributed within the keyspace. 
Given that there is a possibility of an attack against two or more encrypted documents we will ensure that no two documents are encrypted with the same key.

Each document will be encrypted with a randomly selected key from this pool. Allowing that the password based encryption of the keystore is breakable, I decided to use the keywrap classes to encrypt each secret key.


If you make the assumption that a keystore's PBE can be broken, then it would be relatively trivial to write a program to attempt to decrypt the files with the secret keys. We need a way to lock this keystore specifically to our code. To do this we will end up storing the RSA private key used to wrap the AES keys in our program as a byte array. This will lock this keystore to the code used to decrypt the files. Thus the attacker will have to grab the classes as well as the encrypted files and the keystore.
Below are the relevant parts of our keystore generator.

...snip...
String keyStoreEntryAlias = null;
 
// Change the output file location to where ever you want to store the new KeyStore
File keyStoreOutputFile = new File(keyStoreName);

KeyStore keyStore = null;    
 
  try
  {
     // NOTE: This creates numKeys of random SecretKey. If you lose the keystore and you have used it
     //       to encrypt some file you are HOSED. DO NOT lose the KeyStore file that is
     //       generated from this program. Keep a second copy on a CD and put it in a safe.
     //
     // We are using the AES encryption algorithm to represent our SecretKey
     
     // Create an empty keyStore
     keyStore = KeyStore.getInstance("JCEKS");
     keyStore.load(null, password);
     
     //create RsaEncrypter with nulls to use the embedded keys.
RsaEncrypter rsaEncrypter = new RsaEncrypter(null, null);

PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(rsaEncrypter.getPrivateKey().getEncoded());
String privateKeyStr = Base64.encodeToString(privateKeySpec.getEncoded(), true); 
System.out.println( "PrivateKey: \n\r" +  privateKeyStr  );

// to output embedded private key with some massaging.  add quotes take off []
System.out.println( "Embedded PrivateKey: \n\r" +  Arrays.toString(privateKeyStr.toCharArray())) ;

X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(rsaEncrypter.getPublicKey().getEncoded());
String publicKeyStr = Base64.encodeToString(publicKeySpec.getEncoded(), true);
System.out.println( "PublicKey: \n\r" + publicKeyStr );

// to output embedded public key with some massaging.  add quotes take off []
System.out.println( "Embedded PublicKey: \n\r" + Arrays.toString(publicKeyStr.toCharArray()) );

     for (int i=0; i<>
     {                            
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey key = keyGen.generateKey();
        byte[] wrappedKey = rsaEncrypter.wrapKey(key);
     
        //System.out.println( "NakedKey: " + key.getEncoded());
        //System.out.println("WrappedKey: " + wrappedKey.toString());
        SecretKeySpec skWrapSpec = new SecretKeySpec(wrappedKey, "AES");

        //create a alias for the key
        keyStoreEntryAlias = (String)RandomStringUtils.randomAlphanumeric(16);
    
        // test to see if key alias already exists           
        if (! keyStore.containsAlias(keyStoreEntryAlias) )           
        {                  
          
           // Add our secret key as an entry in the empty keyStore
           KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(skWrapSpec);
           keyStore.setEntry(keyStoreEntryAlias, skEntry, new KeyStore.PasswordProtection(password));
        }
     }

     // Write the keyStore to disk.      
     FileOutputStream fos = new FileOutputStream(keyStoreOutputFile);
     keyStore.store(fos, password);          
     System.out.println("AES 256 Key store created with " + keyStore.size() + " random RSA wrapped SecretKeys. \r\n");
     System.out.println("Alg    --- Aliases --- \r\n");
    
     Enumeration aliases = keyStore.aliases();
     StringBuffer buf = new StringBuffer("");
     while (aliases.hasMoreElements())                
     {         
        String keyName = (String)aliases.nextElement();
        SecretKey theKey = (SecretKey)keyStore.getKey(keyName,password);
        String keyStr = "";
        String algorithm = theKey.getAlgorithm();
        if (verbose)
        {            
           keyStr = Base64.encodeToString(theKey.getEncoded());
        }         
        buf.append( algorithm ).append("   ").append(keyName).append("|     ")
buf.append( keyStr ).append("\r\n-----------------------\r\n");
     }
    
     System.out.println( buf.toString() );
     System.out.println("File is: \"" + keyStoreOutputFile.getCanonicalPath() + "\"");
  }   
  catch (Exception e)   
  {                
     System.out.println("Error: " + e);
     e.printStackTrace();         
  }  
...snip...

Stay tuned ... I will reveal the RSAEncrypter and AESEcrypter source to show you how the wrapping and unwrapping occurs.


If you are looking for more information on the key wrapping technique these references may help.

http://www.faqs.org/rfcs/rfc3394.html

http://www.java2s.com/Code/Java/Security/WrapAndUnwrapKey.htm

http://books.google.com/books?id=WLLAD2FKH3IC&pg=PA50&lpg=PA50&dq=key+Wrapping+java&source=web&ots=O9EnrPo8xB&sig=8UuFnc04iXEhBqeduJLKZU46MFk&hl=en&sa=X&oi=book_result&resnum=3&ct=result

These two don't use the KeyWrap technique but they are similar.

http://www-users.york.ac.uk/~mal503/lore/pkencryption.htm

http://www.junkheap.net/content/public_key_encryption_java

Hello World

Is this thing on? What else did you expect for my first post... something profound?