Network Layers (Keep in mind when working with different protocols)
Difference between HTTPS and SSL
SSL (Secure Socket Layer) or TLS (Transport Layer Security) works on top of the transport layer, most commonly TCP. TLS can be used for more or less any protocol; HTTPS is just one common instance of it.
This will be the first part of a series of posts on Cryptography / SSL Certificates / IPSec / SSH and will cover the useful facts, tools and commands as well.
How everything starts ... :)
Me : Shall we have pizza for lunch?
Tommy : Oh yeah, let's order online. Shall we use your card?
Me :
(I'm afraid to expose my credit card information to an online pizza website)
What is Cryptography?
Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.
Var   Description
m     Message (plain-text)
c     Cipher-text
E     Encryption algorithm
D     Decryption algorithm
ke    Encryption key
kd    Decryption key
Goal of Cryptography (Privacy) : Thieves should not be able to learn m (the message / plain-text).
Symmetric Key Encryption
The same key is used to encrypt data as well as to decrypt it.
Everyone shares the same secret key (k = ke = kd).
Faster than asymmetric key / public key encryption.
Problem: a secured channel must be used to transfer the one shared key to the other party.
- Wait ... Encryption is NOT All !!!
Message Authenticity and Integrity - Message Authentication Code (MAC)
Message Authentication Code (MAC) is a short piece of information used to confirm that the message came from the stated sender (its authenticity) and has not been changed.
A MAC requires two inputs: a message and a secret key known only to the originator of the message and its intended recipient(s).
This allows the recipient of the message to verify the integrity of the message and authenticate that the message's sender has the shared secret key.
If a sender doesn't know the secret key, the computed MAC (keyed hash) value will be different, which tells the recipient that the message was not from the original sender.
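The two points above, one shared key for encryption and decryption plus a MAC so the receiver can detect tampering or a sender without the key, as an added example built on the openssl command line (not code from the original post). It assumes openssl is on PATH; the AES key, IV and MAC secret are constructed demo values.

```shell
#!/bin/sh
# Added example, not code from the original post: one shared key encrypts and
# decrypts (k = ke = kd), and an HMAC over the ciphertext lets the receiver
# detect tampering before decrypting. Assumes openssl on PATH; the key, IV and
# MAC secret below are constructed demo values, never reuse them.
set -eu

ENC_KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f  # 256-bit AES key, hex (constructed)
IV=0f0e0d0c0b0a09080706050403020100                                      # 128-bit CBC IV, hex (constructed)
MAC_KEY='shared-mac-secret'                                              # second shared secret, for the MAC

encrypt() { openssl enc -aes-256-cbc -K "$ENC_KEY" -iv "$IV" -in "$1" -out "$2"; }    # $1 plain -> $2 cipher
decrypt() { openssl enc -d -aes-256-cbc -K "$ENC_KEY" -iv "$IV" -in "$1" -out "$2"; } # $1 cipher -> $2 plain

# MAC = HMAC-SHA256(key, message): the two inputs the post describes. Prints the hex tag.
mac() { openssl dgst -sha256 -hmac "$1" <"$2" | awk '{print $NF}'; }    # $1 key, $2 file

# Receiver side ("encrypt-then-MAC"): recompute the tag with the shared MAC key and
# only decrypt if it matches. Returns 0 on success, 1 if the tag does not match.
verify_and_decrypt() {    # $1 cipher file, $2 received tag, $3 output plain file
    [ "$(mac "$MAC_KEY" "$1")" = "$2" ] || return 1
    decrypt "$1" "$3"
}

demo() {
    dir=$(mktemp -d)
    printf 'order 1 pizza, charge card ending 1234\n' >"$dir/m.txt"
    encrypt "$dir/m.txt" "$dir/c.bin"
    tag=$(mac "$MAC_KEY" "$dir/c.bin")

    # Honest delivery: tag matches, decryption gives back the original message.
    verify_and_decrypt "$dir/c.bin" "$tag" "$dir/out.txt" && cmp -s "$dir/m.txt" "$dir/out.txt" \
        && echo "intact: accepted"

    # Ciphertext modified in transit: the recomputed tag differs, so it is rejected before decryption.
    cp "$dir/c.bin" "$dir/bad.bin"; printf 'x' >>"$dir/bad.bin"
    verify_and_decrypt "$dir/bad.bin" "$tag" "$dir/out.txt" || echo "tampered: rejected"

    # Tag made without the real MAC key: it differs, so the message is not accepted.
    forged=$(mac 'guessed-key' "$dir/c.bin")
    verify_and_decrypt "$dir/c.bin" "$forged" "$dir/out.txt" || echo "wrong MAC key: rejected"
    rm -rf "$dir"
}
demo
```

The shell string comparison in verify_and_decrypt is not constant-time; application code should compare tags with a constant-time function.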
Asymmetric Key (Public Key) Encryption
Two keys are used in the process (a public key and a private key).
Only one party holds the secret (private) key (ke != kd).
Slower when compared to symmetric key encryption.
Like a lot of things in computing, it comes down to a trade-off between performance and key distribution when you have to decide whether to use symmetric key encryption or asymmetric key encryption.
- Wait ... Encryption is NOT All !!!
Message Authenticity and Integrity - Digital Signature
A digital signature is a mechanism by which a message is authenticated, proving that the message comes from a given sender.
E.g : much like a signature on a paper document.
Suppose that Rose wants to digitally sign a message to Jack. To do so,
she uses her private key to encrypt the message;
she then sends the message along with her public key (typically, the public key is attached to the signed message).
Since Rose's public key is the only key that can decrypt that message, a successful decryption constitutes a digital signature verification: there is no doubt that it was Rose's private key that encrypted the message.
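The Rose and Jack exchange above, as an added example on the openssl command line (not code from the original post): Rose signs with her private key, Jack verifies with her public key, and the two ways verification fails. Assumes openssl on PATH; names and the message are constructed. Note that openssl dgst -sign hashes the message first and applies the private key to the digest, which is how real signature schemes work.

```shell
#!/bin/sh
# Added example, not code from the original post: Rose signs a message with her
# private key and Jack verifies it with her public key, then two failure cases.
# Assumes openssl on PATH. File and key names are constructed for the demo.
set -eu

# Create an RSA key pair: $1.key (private, kept secret) and $1.pub (public, handed out).
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
    openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# Sign: SHA-256 the message, then apply the private key to the digest.
sign() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }    # $1 private key, $2 message, $3 signature out

# Verify: returns 0 only if the signature fits the message under that public key.
verify() { openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; }   # $1 public key, $2 message, $3 signature

demo() {
    d=$(mktemp -d)
    make_keypair "$d/rose"
    make_keypair "$d/other"     # some other party's key pair
    printf 'Jack, please pay the pizza place 20 EUR. - Rose\n' >"$d/msg.txt"
    sign "$d/rose.key" "$d/msg.txt" "$d/msg.sig"

    # Jack holds rose.pub (it travels with the signed message, as the post describes).
    verify "$d/rose.pub" "$d/msg.txt" "$d/msg.sig" && echo "genuine: signature verified"

    # Any change to the message after signing breaks the signature ...
    sed 's/20 EUR/200 EUR/' "$d/msg.txt" >"$d/altered.txt"
    verify "$d/rose.pub" "$d/altered.txt" "$d/msg.sig" || echo "altered message: verification failed"

    # ... and a signature made with a different private key does not verify under Rose's public key.
    sign "$d/other.key" "$d/msg.txt" "$d/other.sig"
    verify "$d/rose.pub" "$d/msg.txt" "$d/other.sig" || echo "signed by another key: verification failed"
    rm -rf "$d"
}
demo
```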
Key Types, Key Sizes and Algorithms used to generate Keys
Public key
A large numerical value that is used to encrypt data.
The key can be generated by a software program, but more often, it is provided by a trusted, designated authority.
Made available to everyone through a publicly accessible repository or directory.
Private Key
Another large numerical value that is mathematically linked to the public key.
In asymmetric cryptography, whatever is encrypted with a public key may only be decrypted by its corresponding private key and vice versa.
Algorithms
RSA and DSA are two of the algorithms used to generate public/private key pairs in cryptography.
RSA - (Rivest, Shamir, & Adleman public key encryption technology)
DSA - (Digital Signature Algorithm)
Key Sizes
The key size (bit-length) of a public and private key pair decides how hard it is to recover the key with a brute force attack.
There is no requirement for the key length to match the block size in any way;
however, cryptographers are in love with binary, so the key length will usually be a power of 2 like 128 or 256, and so will the block size.
As computing power increases year after year, stronger keys are required to secure data in transit.
RSA claims that 1024-bit keys are likely to become crack-able some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030.
An RSA key length of 3072 bits should be used if security is required beyond 2030.
Certificate chain?
A certificate chain is an ordered list of certificates containing:
User Certificate /End entity Certificate /Leaf Certificate
Intermediary Certificate/s
Root Certificate
The chain or path begins with the User certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.
-User Certificate / End Entity Certificate / Leaf Certificate
A digitally-signed statement issued by a Certificate Authority to a person or system.
It cannot be used to sign other certificates.
It's the certificate which will be installed on a site (e.g. https://pizzahut.com).
-Intermediate Certificate/s
Any certificate that sits between the user certificate and the root certificate is called a chain certificate or intermediate certificate.
A certificate used to sign other certificates, which is not self-signed.
An intermediate certificate must be signed by another intermediate certificate, or a root certificate.
-Root Certificate
The Root CA Certificate is always signed by the CA itself.
A self-signed certificate used to sign other certificates.
The root certificate is of critical importance: the signatures of all certificates in the chain must be verified up to the Root CA Certificate.
Self-Signed Certificate?
A certificate which is not signed by a CA.
A certificate with a subject that matches its issuer, and a signature that can be verified by its own public key.
Certificate standards
A certificate standard defines the format of public key certificates.
X.509 standard (format for public key certificates)
Certificate
  Version Number
  Serial Number
  Signature Algorithm ID
  Issuer Name
  Validity period
    Not Before
    Not After
  Subject name
  Subject Public Key Info
    Public Key Algorithm
    Subject Public Key
  Issuer Unique Identifier (optional)
  Subject Unique Identifier (optional)
  Extensions (optional)
    ...
Certificate Signature Algorithm
Certificate Signature
CSR (Certificate Signing Request)?
A CSR contains information such as your domain name, your organization's name and your location, and is filled out and submitted to a Certificate Authority (CA) such as SSL.com.
The information in a CSR is used to verify and create your SSL certificate.
Most importantly, it also contains the public key that will be included in your certificate.
A CSR (Certificate Signing Request) which needs to be submitted to a Certificate Authority (CA) looks like this (most CSRs are created in the Base-64 encoded PEM format):
How do I generate a CSR and private key?
If you are familiar with OpenSSL,
you can use the following command to generate a CSR and private key:
Note : The private key must not be shared with any party (not even with the CA) except your intended parties. The CA only requires the CSR to provide you with an SSL certificate.
Certificate Containers / Key Stores
Certificate container standards: PKCS#12 (.p12 extension) is a standard for a container which can hold X.509 certificates and the corresponding private keys.
E.g : If you're examining a PKCS#12 file (typically .p12 extension), then you already know:
It contains at least one X.509 client certificate, which contains a public key; and
It contains the corresponding private keys.
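The certificate chain, CSR and PKCS#12 sections above, worked end to end as an added example built on openssl (not code from the original post): a self-signed root signs an intermediate, the intermediate signs the leaf's CSR, the chain is verified up to the root, and the leaf key and certificate are packed into a .p12 container. Assumes openssl on PATH; the names (Demo Root CA, www.example.com) and the password pass:changeit are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: build root -> intermediate -> leaf,
# verify the chain, and export the leaf into PKCS#12. Assumes openssl on PATH.
# All names and the export password are constructed demo values.
set -eu

# Build all artefacts inside directory $1.
make_chain() {
    d=$1
    # Root: self-signed (subject == issuer); it is the trust anchor the chain ends at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate: its CSR is signed by the root; basicConstraints marks it as a CA
    # so that it may sign other certificates (an intermediate is never self-signed).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 1825 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    # Leaf (end entity): the CSR a site owner sends to the CA; leaf.key never leaves this host.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
        -days 365 -out "$d/leaf.crt" 2>/dev/null
    # PKCS#12: leaf certificate + its private key (+ the intermediate) in one container.
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" -certfile "$d/inter.crt" \
        -passout pass:changeit -out "$d/leaf.p12"
}

# Walk the chain: leaf signed by the intermediate, intermediate by the trusted root.
# Returns 0 only when every signature verifies up to the root.
verify_chain() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/leaf.crt" >/dev/null 2>&1; }

# Show the subject/issuer links that make this a chain, and check the CSR's own signature.
show_chain() {
    for c in leaf inter root; do openssl x509 -in "$1/$c.crt" -noout -subject -issuer; done
    openssl req -in "$1/leaf.csr" -noout -verify -subject
}

dir=$(mktemp -d)
make_chain "$dir"
show_chain "$dir"
verify_chain "$dir" && echo "chain verified up to the root"
rm -rf "$dir"
```

Presenting the leaf alone (without the intermediate) makes openssl verify fail with "unable to get local issuer certificate", which is the usual cause of a site that works in one client and not another.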
What are types of key stores?
Useful facts when working with Certificates
Useful commands in private key/certificate conversion
There are dreamers and there are realists in this world...
Dreamers
Realists
You might think the dreamers would find the dreamers and the realists would find the realists to work with, but more often than not they don't. The truth is the opposite ...
Dreamers need the realists to keep them from soaring too close to the sun ...
And the realists, without the dreamers, might never get off the ground ...
The important fact here is that you and I are both lucky to have these pumpkins and poppies in our teams (no matter what industry we are in ...).
This will be the first part of a series of posts on Continuous Inspection / Code Quality Assessment with SonarQube and will cover the use case along with installation / configuration details.
What is SonarQube?
SonarQube is a central place to manage code quality. It visualizes reporting on and across projects and enables us to replay the past evolution of projects. If you are familiar with code quality checking plugins such as Checkstyle, FindBugs, PMD, etc., SonarQube can be seen as a collection of these plugins and more.
SonarQube,
Analyzes source code and byte code.
Computes hundreds of metrics.
Provides moment-in-time quality snapshots (Associates metrics with analysis snapshots).
Gives trends of lagging and leading indicators
Tracks developers' 7 deadly sins (explained below).
Shows the results in dashboards and widgets, which are accessible from any browser.
What is Code Quality?
in Gibberish -
Code Quality is a collection of factors such as Usability, Maintainability, Error management and Efficiency of a code.
in Simple Language -
It is an indicator of how quickly developers can add business value to a software system.
Why Measure Code Quality?
Because,
A system is never "finished" (we don't know where we will need to modify it in the future).
You cannot improve what you don't measure.
The Broken Windows Theory!
If the system were a person, the source code would be its heart.
What to Measure as Code Quality?
SonarSource, the makers of SonarQube, have introduced 7 factors to measure as code quality. They call them "The 7 Deadly Sins":
Bugs and Potential Bugs
Coding Standards Breach
Duplication
Lack of Unit Tests
Bad Distribution of Complexity
Spaghetti Design
Not Enough or Too Many Comments
How to Measure Code Quality?
Of course, that's where we use SonarQube. It's a tool for measuring the quality of code...
SonarQube is just one part of a code quality management process. That process may also include:
Code Reviews (includes Code Freezes as well)
Pair programming, etc.
Code Freeze - If the current level of code quality is below the acceptance level, writing new code is stopped at a given point. All team members then work on improving the code quality until it reaches the acceptable level. Only then does development begin again...
It is important to keep in mind that you should use the aforesaid quality management methods alongside SonarQube. If not, your expectations of this amazing tool might not be met.
"Start where you stand, and work with whatever tools you may have at your command, and better tools will be found as you go along" - George Herbert
SonarQube for every Programming Language?
SonarQube was initially developed for Java.
Today it supports more than 20 languages (C, C++, Android, Java, JavaScript, etc.).