General Musing

blaze your trail

Archive for the ‘pki’ Category

OCSP Troubles #security #x509 #certificate #revoke

with one comment

A company was having intermittent trouble with their new authenticated SSL, it wasn’t that they experienced trouble with the certificates, which came from a large international CA, or the authentication. There was a bug which caused the OCSP check on some certificates to fail. And after it had failed the first time for a certificate it would continue to fail for that certificate until the application server had been restarted. As this was a mission critical application for their customers between 8am-6pm they had taken to restarting the servers at 7am to ensure that there would be less issues during the day. This was obviously not a permanent solution so the vendor was called to fix the issue.

Read the rest of this entry »

About these ads

Written by Daniël W. Crompton (webhat)

June 23, 2011 at 7:05 am

OS registers to DNS #security #risk

leave a comment »

PostBox

Recently on NANOG I saw the item below, I was thinking about what this actually means. A computer would – similar to DynDNS – register itself and it’s hostname to a DNS server using some kind of authentication. Naturally I immediately thought this was a brilliant plan, and didn’t understand why nobody, with the exception of DynDNS, had thought of this before. The immediate afterthought was that this would be easy to implement with a soft-token, which is the software equivalent of a physical token like RSA’s SecureID, or complicated to implement with PKI infrastructure.

From: Mark Andrews <[email protected]>
Re: mailing list bounces

It will be much better when the OS’s just register themselves in
the DNS. Humans shouldn’t have to do this when a machine renumbers.
Named can already authenticate PTR updates based on using TCP and
the source address of the update. For A/AAAA records you setup a
cryptographically strong authentication first.

DynDNS uses username password, which is less secure than the cryptographically strong solution that Mark Andrews mentions below.

Image source: Bill McCurdy

Written by Daniël W. Crompton (webhat)

March 8, 2011 at 4:56 pm

Posted in mail, pki, security

Tagged with , , , ,

Forban: Local Opportunistic p2p #security

leave a comment »

Forban Logo

No, it’s not just another p2p/file sharing program. Forban is a local network p2p program, it’s meant for replicating ANY file to computers in the immediate proximity without requiring the Internet. As it is has a narrow focus on the local network it can also be used for Personal Area Networks consisting of laptop’s and mobile devices. I have yet to be able to install python on my digital camera, but I’m sure that this will be possible in the future.

It can be run in two modes, gossip and epidemic. Gossip mode, uses the gossip protocol to spread the files by disseminating the data the peer has to a random peer. Epidemic mode is similar to a real virus epidemic, spreading the files rapidly from one Forban server to another. Like any p2p network it requires that there are others running for it to communicate with, these can be intermittently connected to the network, whether it be a mobile device which comes into proximity of the LAN/PAN or a laptop.

It uses HTTP, and I doubt that adding authenticated HTTPS would be much of an issue once the PKI infrastructure is in place. This would make it ideal for rapidly sharing or backing up data without user interaction when you get to the office. And as it requires little user interaction, and with authenticated HTTPS this service can be left running in the background with minimal risk of the wrong people getting their hands on the data.

Forban is an old French word for pirate.

Written by Daniël W. Crompton (webhat)

February 1, 2011 at 10:28 pm

Posted in piracy, pki, security, technology

Tagged with ,

Did The LinkedIn Certificate Expire Again? #linkedin

leave a comment »

For the last 2 years has been running a bad poor IT management department, this have been my headlines for the last two years:

I am so sure of LinkedIn’s incompetence, as with their product they won’t ignore a chance to punish their customers for wanting to use their services.

In about two hours we should know.

Written by Daniël W. Crompton (webhat)

July 6, 2010 at 8:22 am

PCI is nice (or what I do) #pcidss

leave a comment »

Since I started working for my company I’ve been exposed to (Payment Card Industry Data Security Standard), “It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues.1 There are only a small amount of requirements that need to be implemented, although these can be pretty substantial for some customers. I can also be difficult to understand the details of these 12 requirements for compliance.2

Being a programmer by nature I’ve often been told that the nuts and bolts of what I do, the part I enjoy, are a little complex. PCI is something different, everybody can understand that credit card data needs to be protected from unauthorized access. Not just credit card data, but all data that could potentially be used in . Which means that a policy or control needs to be implemented to control this, and note any non-compliance.

PCI is just about protecting your “Cardholder Data“:

    Primary Account Number (PAN)
    Cardholder Name
    Service Code
    Expiration Date

I know first hand that most of the banks in the Netherlands, and in most of the world, are quick to discover credit card fraud. They are also quick to payout and correct the issue for the customer, because the chance that customers will loose faith in the bank is high if they don’t. Yet ultimately these customers are still paying for all the fraud committed with all the credit cards. Banks, payment service providers or retail merchants, who have your Cardholder Data, have all the data needed for this kind of financial identity theft and fraud, and more…

It may seem obvious that this data is stored securely, credit card use is ubiquitous. Yet the large banks have had the same problems with data leakage as small retailers, which means the data must be secured from the customer right to the bank who finally processes the payment to avoid this type of leakage. The problem is that payment service providers or merchants have traditionally not done this. They may handle the temporary authorization requests for the PAN or use the (BIN) from the card number for routing the payments to the specific issuer, so they may need the number. That’s fine, as long as they store the data securely and have a log of who accessed the data and why the data was accessed.

Now that’s out of the way I can tell you what I’m doing, I’m playing with RSA [now EOL'd] and RSA . Simply put DBSM is a framework which encrypts the data as in goes into the database and decrypts it as it comes out. It’s something that anybody who is paranoid like me had already been doing for a while, but the way I was doing it required me to write custom fragments of code for every application which needed to access the data. DBSM does it transparently, while at the same time checking the users who try to access it, so only the correct users gain access. RKM hooks into this by providing a framework for the policies or controls which grants the correct people/devices/programs a key to lock-up or unlock the data, different policies can be implemented for different types of data or device.

Now you know what I do.

More reading

Originally appeared here.

Technorati technorati tags: , , , , , , , , , , , ,

  • Link openen op nieuw tabblad
  • Downloaden

Written by Daniël W. Crompton (webhat)

May 18, 2010 at 3:55 pm

VeriSign PIP Browser Certificate workaround (PIN Request) #identity #openid

leave a comment »

VeriSign – Personal Identity Portal is a OpenID provider with multiple factor identification: Password +

  • Mobile Credential (phone or mail PIN)
  • Account Information Card (can be used by applications such as Microsoft CardSpace)
  • VeriSign browser certificate
  • VeriSign Identity Protection (VIP) Credential (Physical Token)

As I have a browser certificate linked to my old browser and couldn’t login with my current browser I had to figure out a workaround when I don’t have the browser certificate: PIN Request. On the page that does the browser certificate request there is a hidden link to get a PIN send by mail or mobile, which you can find here.

Hope that helps you.

Written by Daniël W. Crompton (webhat)

April 17, 2010 at 7:24 pm

Just Finished Reading “Cryptonomicon” #books

with 2 comments

Cryptonomicon - Neal Stephenson

As an early Christmas gift my father gave me vouchers he didn’t want to get him and myself some books we would enjoy. I went out and bought Anathem – which I will discuss in a following blog – and Cryptonomicon. He was very happy with my choice, we had both enjoyed and , and would be sure to enjoy these.

The book starts just before the age of modern cryptography, in a time when computers were people who performed computations, and weaves a story of the Waterhouse clan from grandfather’s fumbled first meetings with Alan Turing, through the cracking of the Enigma code, up to the modern age of fibre optics and Van Eck phreaking. It is ranges from witty to down-right hilarious, with lines like

“War is hell, but smoking cigarettes makes it all worthwhile.”

And it covers the art of cryptography in a way that I, a geek with some knowledge of cryptography, understand.

The story itself reads like a spy novel, with as much subterfuge in the WWII periode as in the modern age, where the discovery of information by lawyers and dentists can be as bad if not worse that the discovery by Nazis. In the end the WWII characters have died leaving legacies which ripple into the future, and those left alive are left fighting an enemy much worse than the Third Reich, corporations.

I really liked Cryptonomicon.

Written by Daniël W. Crompton (webhat)

March 29, 2010 at 11:03 am

Follow

Get every new post delivered to your Inbox.

Join 3,126 other followers

%d bloggers like this: