Saturday, April 4, 2020

Things about IT security

Terminology

CA - Certificate Authority - basically a party that your app trusts to sign digital certificates.
Certificate - A document that contains the public key of the owner of the cert.

Handshaking

The www.youtube.com example is good. When your browser talks to www.youtube.com, YouTube gives back a cert that YouTube owns, signed by, let's say, Google CA. Since Google CA is in the browser's trusted CA list, the browser uses the public key of Google CA to first verify that the cert is signed by Google CA, and then grabs the public key from the cert. It then uses that public key to encrypt a secret key that the browser generates, and passes it back to youtube.com. Youtube.com uses its private key to decrypt the info from the client and starts using the secret key the browser generated. From now on, all information in this channel is encrypted using this secret key, which is hard for anybody sniffing the channel to decipher.

Self Signed Certificate

A self-signed certificate is a good thing for an app that does not want to go through the hassle of having its cert signed by a trusted CA. Remember, whenever a service wants to create a cert, it first has to generate its own public/private key pair and submit a certificate signing request (CSR) to a trusted CA (Google CA, let's say). The trusted authority signs the request using its own private key, so anyone having the CA's public key can verify that the cert is indeed from the trusted CA. If you are developing an application in a staging (non-live) environment, it's quite a hassle to get a trusted CA to do this process, so you may still generate your own key pair (public/private), and then also create a certificate authority of your own that has its own public/private key pair. You still submit the CSR to this "certificate authority" and do the necessary signing. A caller testing this service in the staging environment will obviously not find this special "CA" in its trusted list to prove the certificate's validity, but the caller can be configured to point to this special CA to do the necessary verification, eventually grab the public key from the cert, and do all the necessary business. This is called a "self-signed certificate".

What is Root CA? Leaf CA? Man in the middle attack? 

https://searchsecurity.techtarget.com/definition/certificate-authority
https://www.thesslstore.com/blog/root-certificates-intermediate/


What is SSL and TLS

TLS is the successor to SSL. Both are important for the security of the HTTP protocol.

mTLS


(reference: https://developers.cloudflare.com/access/service-auth/mtls/)

Mutual TLS is a common security practice that uses client TLS certificates to provide an additional layer of protection, allowing the server to cryptographically verify the client's information. Put it this way: both client and server ask for each other's certificate, and that's where the word MUTUAL comes from:
"In most cases when you try to access a secured HTTPS/TLS endpoint, you experience only the client-side check of the server certificate. The purpose of this check is to ensure that no fraud is involved and the data transfer between the client and server is encrypted. In fact, the TLS standard allows specifying the client certificate as well, so the server can accept connections only for clients with certificates registered with the server certificate authority, or provide additional security checks based on the information stored in the client certificate. This is what we call “Mutual TLS” - when both sides of the connection verify certificates. See the video below that gives you an introduction to mutual TLS and how it can be used to secure your APIs."

https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
- This article explains very well something that is missing from the Cloudflare diagram above. Essentially, when the client first sends its hello to the server, it sends over a client random key. When the server returns its "hello" message, it also sends over a random server key. While the handshake is being established (no matter whether it's TLS or mTLS), the client sends over one thing called the "premaster" secret, encrypted with the server's public key, so the server can decrypt it using its private key. With the server random, the client random and the premaster secret, both sides can compute a symmetric key for all subsequent information. This is something that only the two sides know, which secures the communication channel.

What is end to end encryption (E2EE) then?

Previously Telegram promised that it has end to end encryption, while people thought WhatsApp could not do it. Essentially, the promise is that even the communication software has no way to decrypt the message (it has no key to decrypt it). That is, let's say you use Telegram to send a message to Person B: the message cannot be decrypted by anyone besides you and Person B. Recently people have been complaining that Zoom, although promising end to end encryption, may not actually provide it. So what is the difference here? Imagine this case:
  1. You send something to a WhatsApp friend, where WhatsApp guarantees end to end encryption. Your message to the WhatsApp server is encrypted (TLS or mTLS, it does not matter).
  2. WhatsApp gets the message and forwards it to the friend, over an encrypted channel.
  3. However, this does not stop the immediate middle, WhatsApp, from doing whatever it can with the message. Don't forget that in this case both users are talking to the WhatsApp server in the middle, so the WhatsApp server can do its "business".
So end to end encryption tries to guarantee that even the middle provider cannot interpret the message and simply forwards/routes it. E2EE is simply a way for encryption to take place entirely between the two users, with no middle server in between handling the exchange. E2EE can be designed using a TLS scheme though.

private/public/asymmetric encryption
https://www.youtube.com/watch?v=AQDCe585Lnc


Reference

https://www.youtube.com/watch?v=T4Df5_cojAs

HSM

OAuth

Wednesday, February 21, 2007

Creating a partition in Activity Diagram

Today I got some free time, so I am trying to learn ways to create models in RSA, and really want to get on the boat of Model Driven Development. I am following a pretty neat tutorial, and at one point I was doing an exercise which helps me create an Activity Diagram.

There are differences in naming between UML 1.4 and UML 2.0; one of the differences is Swimlane vs Activity Partition in Activity Diagram. In RSA, when I create a partition, the default "ActivityX" partition will always show on the left side,
which is really annoying. I was searching Google and could not find a single clue (I did find one blog somewhere, but the author had removed the flash clip he created himself).

Finally I had to go through trial and error, and found out this little trick:

1. Right Click on the label Activity1 under the Activity1 "Tab" (with the blue color rounded rectangle)
2. Select Filters -> Show Compartment Title to shrink the column.
3. If you want to hide the column totally, do Filters -> Show Activity Compartment

To re-enable the column and the compartment title:
1. Right Click on the Activity1 "Tab" this time
2. Select Filters -> Show Activity Compartment to enable the column
3. Right Click on the column under the Activity1 "Tab"
4. Select Filters -> Show Compartment Title to enable the column title

Hope this helps!

Monday, November 27, 2006

Configuring DB2 V8.2 for local usage...but logging in with...

It was snowing heavily last night here in Vancouver. I had a feeling last night that I would stay at home working today. This morning I tried to drive to the main road (which should be safe for people who do not have a 4X4), but after several attempts I quit. I then stayed at home and continued my work at 7:30 am in the morning!

Later in the afternoon I needed to install DB2 V8.2 on my laptop. I just installed it from a DVD, which is a PE. After the software installation I got stuck in the fixpack installation. After several rounds of investigation, thank God, I finally got the thing solved. It's so funny that I somehow realized it should be a bug in the fixpack installer.

After that I am ready to create my database. However, I got a SQL1092N error!

SQL1092N "DAIPOK" does not have the authority to perform the requested.

I was full of question marks, and began to go back to the fundamentals. I checked that I was already in the DB2ADMNS group. I then began several rounds of googling, and nothing interesting or relevant was returned!

I started to figure out that the id that I had put into DB2ADMNS was actually my LOCAL id. I logged off from my domain, and logged in as local. I could create a database no problem. However, if I wanted to create a database when I was logged onto the domain, I got that scary error again. I figured out that my database creation should only need to be done one time, so I decided to log on as local to create it. My stupidity as a drilling I.T. Specialist told me not to avoid the problem, but to face it with pride. I spent an hour doing some research on the web, and came across this article written by an IBMer:

How To Develope DB2 Application on an airplane


Man! This article rocks! Don't get into the detail (if you are busy) but just scroll way down to the bottom:

db2set DB2_GRP_LOOKUP=LOCAL,TOKENLOCAL

You can also do it through IBM DB2->Set-up Tools->Configuration Assistant->DB2 Registry.

Kudos to Leon! However, I want to suggest that he change the blog title. The title misled me into thinking he's creating a database application for an airplane -__-". Maybe it's just my English problem. :)

Friday, July 28, 2006

Wizard, tutorial...more obstacles

My quest to expand my knowledge of web development continues. Yesterday I was trying the tutorial that is bundled with RSA; it is called "Display dynamic information on Web pages with JavaServer Faces". The tutorial is straightforward and fun. Technology has improved so much. It becomes a fun thing when a user just needs to create a simple web application (compared to the old school way where we needed to program our servlet, beans, JSP, JSP Tags and HTMLs....just for firing up a simple web application). With all the widgets in the palette, creating a high-level becomes drag-and-drop. I am pretty amazed by how the database connection is handled. It was a fun learning experience.

However, I got so stuck in one of the sections. It is section 2.5 - Using automatic key generation. I spent so much time on this section, but I still could not fetch the right key from the database. I spent a lot of time reading the code, but then I found out the code generated from wizards is no longer under my control. The code looks so delicate that I did not know what I could do to make stuff work. Eventually I had to read the help contents on automatic key generation from RSA.

Based on the tutorial, when one wants to use automatic key generation, they just need to double click the relational record in Page Data view, go to Key Generation and specify the appropriate parameters. What I found out is that this process will only change an XML file under WEB-INF/wdo (the metadata file that is related to the relational record); however, this process will not add a decisive piece of code to the PageCode of the JSP, which is:

autoGenerateKey(create_record,
getCreate_recordMediator(),
getRealPath(create_record_metadataFileName));

In order to generate this segment, either I can put it in manually, or if I use the relational record wizard, what I can do is to select "Auto generate key" in the "Advance tasks" when I am at the "Column Selection and Other Tasks".

I am not being negative, it's just that wizards and code generation can somehow become a nightmare for programmers. When we find that something does not work, we do not know whether it's our code, or the complicated code that was generated. Secondly, it's often a challenge to see things not work after closely following a tutorial. I hope that my sharing here can help other people. :)

Monday, June 26, 2006

Ouch! Took me a day to resolve the webservice client issue!

Recently I started to look into web services and all the nice binding tools with Swing components. I found that there's a nice tutorial in Rational Software Architect which is thorough and interesting. I started on it yesterday, and got stuck for the whole night and almost the whole day today (well, I am on a project, and this knowledge can be helpful to my project. Hopefully I don't sound like I have nothing else to do!).

The reason it took me so long is that I just could not get the data back. My application looked DEAD. I then opened the TCP/IP monitor, and found that there was no traffic. The problem is I did not know whether I did something wrong in the binding, or the component was not firing off any request whatsoever. I was in a very difficult situation because I am not familiar with the binding, nor am I an expert in web services. I was at a point where I started to suspect whether the webapp was written correctly. I looked through the code in the webapp, but it did look perfectly fine!

Finally I had to debug the wizard-generated glue code for my client application step by step, until I found an exception which is described here. After I added the jar back to the classpath of my little application, it then worked fine. YEAH! It's a one of a kind learning experience, and I hope my experience helps my other teammates who will be using web services and running against WTE 6.0.2 :)