The past week happened to be sort of a Security Week. On separate ocassions I was working with symmetric key cryptography and PKI using certificates with digital signatures.

Symmetric keys were more straightforward. Create a cipher, throw in the secret key and data – viola – you have the encrypted data. What’s left is just to keep the secret key safe. DON’T overwrite it yourself!

PKI with Java needed more effort. As usual it was the confusion between the terms: keystore, certificate, signature, CA, keytool, etc. Despite understanding it before, the knowledge just got lost somewhere at the back of my brain.

So what I’ve figured out AGAIN today was: Certificates were invented as an attempt to solve the problem of public key distribution, through a trusted Root Certification Authority. A certificate contains a public key, information about the certified entity, and a signature.

The signature is created by encrypting the HASH of the certificate information and public key using the private key of the certificate issuer. Therefore the signature algorithm is described using a hash algo WITH an encrytion algo, e.g. SHA1withDSA. To verify the signature, calculate the hash using the hash algo on the certificate. Use the issuer’s public key to “decrypt” the signature to get the original hash. If both hashes match, its a valid signature. You do not have to calculate the hash yourself, Java has Signature classes that will compute the hash internally; you just supply it with the relevant data.

A keystore is a database of key pairs and certificates. Certificates may also be contained in independant files. The keystore is protected by a password, and individual key pairs within the keystore is protected by another separate password, each key pair has its unique password.

The keystore can be manipulated using the keytool command line tool. My preferred method is using Windows tools such as KeyToolGUI to help manage and generate keys. Of course if you’re on Unix then too bad. Using keytool you will be able to generate key pairs, export public keys to certificates and import other certificates. A Java application can also read from the keystore (with appropriate passwords) to access key pairs and certificates for the corresponding public/private keys. The keys can then be used in code to encrypt, decrypt, sign, verify signatures, etc.

Sample code are not provided as they can be readily found on the web and by referencing APIs.

Task: Play MobTV video on Creative Zen Vision W.

MobTV explicitly states Creative Zen Vision W cannot play their video. We realized the videos uses Microsoft’s Digital Rights Management (DRM), and requires a unique machine-dependant license file to play the video. This can be obtained by logging into MobTV as prompted when the video starts.

Although Zen specification states that it is using Windows Media Player (WMP), it seems unlikely that it will be able to establish an internet connection to MobTV to acquire the license.

Fortunately we were able to find a tool for removing the protection on the file. The site also provided a detailed description on the algorithm used by Microsoft for protecting the media.

Once the video has been unprotected, it can be converted into a Zen playable format and transferred to the device for viewing pleasure.

— Disclaimer —

This article is meant to be educational. I am not responsible for any damage to your device should you decide to try any of the steps mentioned in this article.

This article helps users with VALID MobTV licenses to view their video on a mobile device. Users are not supposed to share their non-protected content with others who do possess the necessary MobTV licenses.

Exactly a month since the last update! haven’t been experiencing much new things. However, I got my hands dirty on a Solaris machine on Friday, so here it is.

The OS was installed completely, but had no other users except root so I was denied telnet access. Soon I found out that user management in Solaris isn’t like Control Panel > User Accounts. Though somewhere someone said there was a UI user management tool in CDE, we were on the Java Desktop. So down we went into the Terminal.

We managed to finally create users after many trial and errors of different switches to find out what was required and how to fill in the options. We first created a group:

groupadd [groupName]
groupadd test

Simple enough. The useradd command was tougher:

useradd -d [homedir] -g [groupName] -s [shell] [loginID]
useradd -d /home1/test -g test -s /usr/bin/tcsh test

The example I found for the shell path was “/usr/local/bin/tcsh”. Yours could be somewhere else so do an intelligent search for shells with “ls *sh” as you traverse the “/usr” directory. Apparently even as root I had problems using “/home/test” as the home directory, with an error “Invalid Operation”. WTF?

To assign a password to that user, type the following and the shell will prompt you for the password.

passwd [loginID]
passwd test

Well I mentioned I had problems with the home directory so I was trying to adjust it by using “usermod”. Didn’t seem to work. Finally I resorted to “userdel” and redoing “useradd”… 🙁

Once the user was created, I was able to telnet, ssh and ftp into the machine remotely, even perform su to root for adminstrative access.

Stumbled upon the RSS on Microsoft Watch, which included instructions for using USM with RSS. USM allows you to automatically subscribe to the RSS simply by clicking on the RSS link.

Previously, the RSS links to the XML file when you click on it. It is required to copy the link and register it with your favourite RSS reader. With this mechanism, the instruction to register the RSS is embedded within the click using a specific MIME-type, which can be handled by a USM application. The application would interpret the RSS URL and register the feed with your favourite RSS reader that the USM application supports.

The protocol is fully specified at this location:

http://www.kbcafe.com/rss/usm.html

I was told by one of our users today, “This feature is very straightforward, very logical and intuitive one…”.

What I felt he meant was a nicer way of saying: “Use common sense and you’ll know la…”. Yet we know we don’t understand enough about that feature.

In reality, common sense isn’t so common after all. I mean, what I think is common sense, is based on my experience and what I think everyone should know. However, that is so not true. It is related to one’s experience and culture, and how he/she see things.

This common sense problem becomes more problematic when dealing with user requirements. The user feels that the requirements are complete, because the omitted details are so logical, sensible, and can be automatically and “inituitively” interpreted by anyone. And so he may choose not to go into the level of detail necessary to save time and saliva. That assumption may lead to incorrect implementation, due to domain ignorance of the developers, especially if they don’t make an effort to clarify the requirements.

Of course it’s unlikely you’ll get totally complete and totally unambiguous requirements, but you should try to understand as much as possible. On one extreme is believing there’s such thing as a “complete requirements”, and the other end is believing there’s no such thing so we can ignore requirements gathering.

Better be shot during requirements stage than to be strangled after development when the product don’t meet user expectations. The cost of change would be too high then.

XAMPP is a ready-built apache web server with the attached modules, all ready for it. Instructions say jus unzip and use!

Izit real?

http://www.apachefriends.org/en/xampp.html

Another nifty Firefox plugin. Considered a download manager, allows you to download stuff. Stunned me the first time with an amazing mp3 download speed of 177 KB/s…

At first I was looking for something that can do pauses and resumes – unlike Firefox’s built-in download manager. Kinda sucks anyway. Known as DTA, it is supposed to do some other stuff like grab more than links. Will try it over time.

The Password Hasher is a Firefox extension that lets you create and remember complicated passwords easily.

The motivation comes from combining the need for strong passwords and the preference for easy-to-remember passwords. By hashing your simple password into a complicated one, you are able to secure your password since it’s difficult for hackers to guess. Yet you can use it with ease since you’re “generating” the actual password based on a simple keyphrase that you know.

I’ve not tried it myself so I do not know the actual benefits or quirks, but the idea is great. One of the first negative thoughts I have was is the hash based on a key? What if you lose the key, such as during a PC crash/reformat? You lose ALL your passwords?!

https://addons.mozilla.org/firefox/3282/

On your Screen Saver dialog, there’s a check option beside the number of minutes to wait before activating your screen saver. Sometimes its “On resume, password-protect”. Sometimes its “On Resume, show welcome screen”.

The difference is when the “Fast User Switching” service is enabled. When enabled, the welcome option will be shown, otherwise password-protect will be shown.