Tuesday, March 31, 2009

ScheduledThreadPoolExecutor vs. Timer (Java)

I read that the Timer object was replaced by the ScheduleThreadPoolExecutor class in a book on multi-threaded programming or maybe it was a book on design patterns. I stuck this information away in the back of my mind as I had previously written some code using the Timer class, and had been given Spring beans using timers.

Recently I started working on a something similar to my existing code using the Timer object. Since it was so similar I thought I would just copy my other project, modify it slightly, and be done with it. I ran into a problem where the execution of the code seemed to just stop without terminating the thread and no error message.

I switched to the Executor class and was able to get an error message. Apparently the Timer object has a problem with unchecked exceptions.

Then I switched over to the ScheduledThreadPoolExecutor - same thing. Execution hangs. No error message.

Here is a simple example of Executor:


public class ExampleExecutor
{
private static final int NTHREADS = 100;
private static final Executor exec
= Executors.newFixedThreadPool(NTHREADS);

public static void main(String args[]) {

while (true) {

Runnable task = new Runnable() {
public void run() {
doMyThing();
}

private void doMyThing(){
//do something
}

};

exec.execute(task);
}
}
}

Thursday, March 26, 2009

What is the difference between TLS and SSL?

In seeking the technical differences between TLS and SSL I uncovered many web pages which glossed over the topic and lacked any true answer or technical detail. Like this one which basically describes SSL on Yahoo Q & A.

This page, though vague, at least states that they are different standards and TLS uses stronger encryption mechanisms.

Many web sites claimed TLS was basically the same as SSL since it is based on SSL. If this were true, why would the IETF bother to create a new version and give it a different name on top of that? This made no sense.

Additionally why are most banks switching to TLS and requiring those who communicate with them via email to use it if there is no difference?

I ended up pulling up the IETF web site and pulling up the actual standard to take a look at what it had to say:

RFC Number 4346: TLS 1.1

In short, SSL3.0 and TLS are different according to a few blurbs I pulled out of the above TLS 1.1 Standard document:

_____________

IV

Unlike previous versions of SSL and TLS, TLS 1.1 uses an explicit IV in order to prevent the attacks described by [CBCATT]. We recommend the following equivalently strong procedures. For clarity we use the following notation....
__________

The SSLv3 specification was not clear about the encoding of public-key-encrypted data, and therefore many SSLv3 implementations do not include the length bytes, encoding the RSA encrypted data directly in the ClientKeyExchange message.

This specification requires correct encoding of the EncryptedPreMasterSecret complete withlength bytes. The resulting PDU is incompatible with many SSLv3 implementations. Implementors upgrading from SSLv3 must modify their implementations to generate and accept the correct encoding. Implementors who wish to be compatible with both SSLv3 and TLS should make their implementation's behavior dependent on the protocol version.

Implementation Note: It is now known that remote timing-based attacks on SSL are possible, at least when the client and server are on the same LAN. Accordingly, implementations that use static RSA keys SHOULD use RSA blinding or some other anti-timing technique, as described in [TIMING].
__________

When SSLv3 and TLS 1.0 were designed, the United States restricted the export of cryptographic software containing certain strong encryption algorithms. A series of cipher suites were designed to operate at reduced key lengths in order to comply with those regulations. Due to advances in computer performance, these algorithms are now unacceptably weak, and export restrictions have since been loosened. TLS 1.1 implementations MUST NOT negotiate these cipher suites in TLS 1.1 mode. However, for backward compatibility they may be offered in the ClientHello for use with TLS...


[Goes on to list ciphers]
______

In previous versions of SSL, CBC mode was used properly EXCEPT that it used a predictable IV in the form of the last block of the previous ciphertext. This made TLS [I think they mean SSL since talking about PREVIOUS versions] open to chosen plaintext attacks. This version of the protocol is immune to those attacks. For exact details in the encryption modes proven secure, see [ENCAUTH].
____________


By the way if you're using SSL 2.0 - get rid of it ASAP and you may want to use TLS enforcement from Postini or another provider in your email solution:

Because TLS includes substantial improvements over SSL Version 2.0, attackers may try to make TLS-capable clients and servers fall back to Version 2.0. This attack can occur if (and only if) two TLS-capable parties use an SSL 2.0 handshake.
_____________


And as a final note...

For TLS to be able to provide a secure connection, both the client and server systems, keys, and applications must be secure. In addition, the implementation must be free of security errors.

The system is only as strong as the weakest key exchange and authentication algorithm supported, and only trustworthy cryptographic functions should be used. Short public keys, 40-bit bulk encryption keys, and anonymous servers should be used with great caution. Implementations and users must be careful when deciding which certificates and certificate authorities are acceptable; a dishonest certificate authority can do tremendous damage.

Monday, March 23, 2009

XSL Space Character

Tab:	
Space: 
Non-Breaking space: 

Test Mail Server For Inbound TLS

Do you really know who is at the other end of your email communication? Read about TLS.

Here's how to test if your server supports TLS:

At command prompt use nslookup to get the mail server for a domain (in this example checking postini.com)

> nslookup
> set q=mx
> postini.com

The results have a line for each mail server like this:
postini.com MX preference = 5, mail exchanger = postini.com.s8a1.psmtp.com

> exit

Now use telnet to test the mail server above (after exchanger = ) to find out if supports TLS:

>telnet postini.com.s8a1.psmtp.com 25

after you connect:

>ehlo postini.com

If you see this in the output, the server supports inbound TLS communication:

> 250-STARTTLS

Unfortunately...a lot of mail companies support inbound, but not outbound TLS. Yahoo for example, supports sending mail using TLS however when I turned on end to end TLS enforcement, people using Yahoo could not send me email. That means email from them to me is never encrypted and highly insecure.

Java SSL Certrificate Request

Install Java and set up a path to the bin folder under your Java root if you haven't done so already.

Run the following commands from a command prompt (go to start menu and choose run, then type in cmd and hit enter to get a command prompt window).

_________________________________

Side note: These are the instructions on the Network Solutions web site including generating the request using RSA which according to Java defaults to MD5 signature algorithm.

In generating a public/private key pair, the signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", -sigalg defaults to "MD5withRSA". Please consult the Java Cryptography Architecture API Specification & Reference for a full list of -keyalg and -sigalg you can choose from.

MD5 is less secure than SHA and was a recent hack demonstrating how to spoof certain SSL certificates using MD5. Network Solutions says the CSR is generated using MD5 but doesn't matter because the certificate is signed using SHA1.
_________________________________


You can change the names below in red to whatever you want.

1. Go to the directory where you want to create the keystore file.

2. Type the following:

keytool -keystore mykeystore -alias mykeyalias -genkey -keyalg RSA

3. Answer the following questions. Make sure it matches what you put in your domain name registration. The full domain name is entered at the first and last name prompt (oddly enough). For example:

Enter keystore password: password
What is your first and last name?
[Unknown]: your.domainname.com
What is the name of your organizational unit?
[Unknown]: Whatever
What is the name of your organization?
[Unknown]: Your Company Name Here
What is the name of your City or Locality?
[Unknown]: Seattle
What is the name of your State or Province?
[Unknown]: WA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=your.domainname.com, OU=Whatever, O=Your Company Name Here,
L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for
(RETURN if same as keystore password): supersecretpassword


Save the above information because you will need to type it in exactly if you ever need to recreate the certificate.

4. Type the following to generate a certificate request (CSR) file. The contents of this file will be given to the SSL Certificate Authority to generate a trusted certificate:

keytool -certreq -alias mykeyalias -keystore mykeystore -file myrequest.csr

5. Copy the contents of myrequest.csr and provide it to your certificate authority.

6. The certificate authority will give you back one or more files which you then need to import back into your keystore (in the order and according to the directions you get from your certficate authority). The command will look something like this:

keytool -keystore mykeystore -import -mykeyalias jetty -file mynewcert.crt -trustcacerts

More: Java Keytool

Installing Your Network Solutions SSL Certificate on Java Based Web Servers

These instructions were incorrect on the Network Solutions web site for about the last three years, at least for the certs I have purchased from them. Maybe they have updated it by now.

Installing Your Network Solutions SSL Certificate on Java Based Web Servers

There are 4 certificates that you will receive from Network Solutions:

1. AddTrustExternalCARoot.crt
2. UTNAddTrustServer_CA.crt
3. NetworkSolutions_CA.crt
4. yourdomainname.crt

These must be imported in the correct order:

1. AddTrustExternalCARoot.crt
2. UTNAddTrustServer_CA.crt
3. NetworkSolutions_CA.crt
4. yourdomainname.crt

Use the keytool command to import the certificates as follows:
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore domain.key

Use the same process for the UTNAddTrustServer_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias utnaddtrustserverca -file UTNAddTrustServer_CA.crt -keystore domain.key

Use the same process for the NetworkSolutions_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias networksolutionsca -file NetworkSolutions_CA.crt -keystore domain.key

Use the same process for the site certificate using the keytool command, if you are using an alias then please include the alias command in the string. Example:

keytool -import -trustcacerts -alias yyy (where yyy is the alias specified during CSR creation) -file yourdomainname.crt -keystore domain.key

The password is then requested.

Enter keystore password: (This is the one used during CSR creation) After the password is entered information will be displayed about the certificate and you will be asked if you want to trust it.
Trust this certificate? [no]:
(The default is no so type 'y' or 'yes')

Then an information message will display as follows:
Certificate was added to keystore

ProntoScript

I recently finished a project using ProntoScript which is used to create customized functions on some Philips remote controls with touch screens. I got a call to troubleshoot some issues displaying images from security cameras on the touch screen. I made a few code changes, however the main problem was the camera software was set up so the remote control software didn't have permissions to view the photos coming from the security cameras. We made some changes to the settings to allow the calls from the remote control to access the camera images.

The only issue is, by allowing a guest user to access the security camera with no login, anyone who can get to that URL could view the images over the Internet. I recommended that my client do something like set up a proxy server that could login to get the images from the camera, so only the remote control camera could get to the proxy with no login on the local network, but anyone coming over the Internet would have to login to view those images. There may also be a way to pass a login to the security cameras but I was not asked to look into that further (so far).

Sunday, March 22, 2009

Adding String of XML nodes to Document Node - JDom

Let's say you have a JDom XML Document and you have a string of XML content. You want to add the XML content in the String to a particular Node or Element in the Xml document. Here's how in a nutshell, though you'll probably want to organize these differently in the actual implementation.

1. Convert the XML String to XML as follows:

String s = "<nodes><node>one</node><node>two</node></nodes>"
SAXBuilder sb = new SAXBuilder();
InputStream is = IoTools.inputStreamFromString(s);
Document doc = sb.build(is);

2. Get the element you want to update

//assuming you have instantiated XML Document doc2Update elsewhere
String xpath="/some/node/in/document";
Element e = (Element) (XPath.selectSingleNode(doc2Update , xpath));

3. Add the document content to the element

e.addContent(doc.getRootElement().cloneContent());