Monday, February 18, 2013

Certificates

Introduction
Certificates is a new way to prove identity. Unfortunately this topic sometimes is hidden from publicity and still is a mystery for average Internet user. I would like to share some knowledge about certificates, their structure and the way how I understand them. This article covers very basic questions about certificates  that users may have.

Certificate structure (simplified)
What is certificates for? The main purpose is to verify identity (prove that information written in certificate belongs to certificate owner). 

Certificate consists of three main parts:
  • Information - everything that you can see when open certificate in MMC console or other certificate viewer;
  • Public key - a unique sequence that belong to certificate owner;
  • Signature Algorithm - methods that was used to create certificate signature (usually it is built from encryption algorithm and digest algorithm. For example SHA1 with RSA)
  • Signature - another unique sequence that represent result of applying encryption and digest.
Lets take a closer look to every part

Information: 
Here we can add any information we would like to present and prove.
According to Internet standard RFC2459 there are mandatory fields
- issuer - id who created signature
- subject (owner) - owners name or other owners unique information
- serial number - issuer certificate serial number. A pair serial/issuer creates an unique certificate id
- not before, not after - expiration date and effective date.
- constrains - main purpose for the certificate. For example if constrains is main exchange - it should not be used for SSL, ets.

Public key:
This section contains a public key of any asymmetric cryptographic system. The most popular asymmetric system are RSA and Diffie–Hellman

Information + public key also called TBSCertificate. Every
TBSCertificate contains the names of the subject and issuer, a public
key associated with the subject, a validity period, a version number,
and a serial number; some may contain optional unique identifier   fields. (from RFC)


Signature algorithm and Signature:
In order to verify certificate, a verifier should know how to verify certificate signature. For example, if algorithm is SHA1 with RSA then this means that in order to verify certificate signature we need to get SHA1 from certificate and then it should match with data we have got by decrypting signature with issuers public key. The most popular message digest algorithms are SHA1, MD5, MD4, MD6. 


How to create signature?
Issuer is an authority who sign certificates.
In order to create issuer signature. Issuer gets a digest of certificate data (for example it can use SHA1 algorithm for this) then using private key encrypts digest. As result you will have an encrypted certificate digest.

How to verify signature?
Anyone could verify certificate signature in order to confirm that certificate content belongs to owner.
In order to verify certificate signature we should:
- Decrypt signature it using issuers public key;
- Get digest of certificate;
- Compare results. on one hand you have decrypted signature, on other hand digest. They should be the same because issuer created signature in the same way.


This verification is based on assumption that no one, except issuer, doesn't have issuers private key.

Lets have some example:
Root or self signed certificate

Private key        : 44 33 22 11 
(Private key stored separately from certificate and it is confidential) 


Certificate Root
Issuer             : Government
Subject            : Government
PublicKey          : 11 22 33 44
Signature Algorithm: RSA with SHA1
Signature          : 55 44

This is a simplified version of root or self-signed certificate. Issuer and Subject here are the same. Signature in this case is a digest encrypted with issuers private key. Because issuer and owner are the same, there is no way to prove that private/public key belongs to owner.

It could be compromised by replacing public key and signature. That is why we have many trusted authorities that could prove each other identities. This is partially solved by distributing root certificates together with firmware or operating system.

Another example:

Private key        : DD CC BB AA 
(Private key stored separately from certificate and it is confidential) 


Certificate Library
Issuer             : Government
Subject            : Computer
Public Key          : AA BB CC DD
Signature Algorithm: RSA with SHA1
Signature          : EE FF


In case if we trust Certificate Root. We can verify and confirm that information in certificate is not compromised and belongs to Library.

Why we can trust "Certificate Library"?

Because Root we trust has been verified and proved by its signature that  "Certificate Library"  belongs to Library, and because we trust "Certificate Root" we can say that we trust "Certificate Library ".


Lets find out what is Library certificate signature in this case:
Signature          : EE FF


This is suppose to be an encrypted digest. Digest we get from "Certificate Library" body and encrypted with issuer (Certificate Root) private key.
In our example signature EE FF is the result of
RSA([issuers private key], SHA1( Certificate Library's TBSCertificate))


[EE FF] = RSA([ 44 33 22 11], SHA1( "TBSCertificate Library" ))


Using similar approach we can build a certificate trusted chain. For example you don't trust issuer and don't trust issuer's issuer but you do trust issuer's issuer's issuer.


Why it works?
Signature verification works because we made some assumptions. 

First (the most important) is that for asymmetric encryption systems for key pair (public/private keys) there is no easy way (mathematicians didn't find one yet) to calculate private key based on public key.

The nature of asymmetric systems allows to encrypt message with private key and decrypt message using public key. That is true in opposite direction.

Second assumption is related to one way hash functions that are used to create certificate digest. for long enough input data it is possible to generate unique digest and there is no easy way to find out what is input data from digest.



.




Monday, June 13, 2011

Undersranding android gestures

Android gestures is another dark horse because it is wrapped into an Android library and it becomes a part of SDK.

From Android SDK it is clear that gesture library should be put in a raw folder in resources or it could be just a separate file in private or public folder, but what is the gesture library format?. You can browse Android SDK here that describes only high level design.

I still cannot find gesture library format but I saw on the market there are many applications that uses gestures.

My first clue was to use Gesture Builder from Android example SDK.
It is located under \samples\android-8\GestureBuilder

Lets take a close look:

GestureLibrary lib;
// create lib instanse from file name pass empty file
lib = GestureLibraries.fromFile(new File("gestures")));
..
lib.addGesture("gesture's name", gestureProcessor); // adding
lib.save();

// We could build gesture object  from overlay
private class GestureProcessor implements GestureOverlayView.OnGestureListener {
    public void onGestureStarted(GestureOverlayView overlay, MotionEvent event) {
    }

    public void onGesture(GestureOverlayView overlay, MotionEvent event) {
    }

    public void onGestureEnded(GestureOverlayView overlay, MotionEvent event) {
       mGesture = overlay.getGesture();
       if (mGesture.getLength() < LENGTH_THRESHOLD) {
         overlay.clear(false);
       }
}


Saturday, January 29, 2011

Multilayout ListView

This is a multi Layout view sample. You can  use it when you need to display the same amount of data (in sample text and images but it should be located differently
You need to build a special ListView adaptor 

Source code for MultiLayout Adapter is bellow







Beginning Android 2

Code Highlighting

Highlighted code in my samples

I found excellent javascript project. It was written by Alex Gorbatchev, and it is free (Thanks Alex!). I will use it to highlight code samples. There is no need to host JS and CSS inside your blog system, you can just reference files instead.
The most popular programming languages are supported here

You can download project and use it in your web sites or you can use hosted version of highlighter. Unfortunately, Google blog system doesn't allow you to insert link tag, but I have used loadjscssfile function to load script and css files.
Lets test hosted version: (javascript example) Here is a function that loads scripts and css.
function loadjscssfile(filename, filetype)
{
   if (filetype=="js"){
       var fileref=document.createElement('script')
       fileref.setAttribute("type","text/javascript")
       fileref.setAttribute("src", filename)
   } 
   else if (filetype=="css"){
       var fileref=document.createElement("link")
             fileref.setAttribute("rel", "stylesheet")
             fileref.setAttribute("type", "text/css") 
             fileref.setAttribute("href", filename)
   } 
   if (typeof fileref!="undefined"){
      document.getElementsByTagName("head")[0].appendChild(fileref)
   }
} 

var pathToScript = "http://alexgorbatchev.com/pub/sh/current/"; 
loadjscssfile(pathToScript + "styles/shCore.css", "css"); 
loadjscssfile(pathToScript + "styles/shThemeDefault.css", "css"); 
loadjscssfile(pathToScript + "scripts/shCore.js", "js"); 
loadjscssfile(pathToScript + "scripts/shBrushJava.js", "js"); 
loadjscssfile(pathToScript + "scripts/shBrushJScript.js","js"); 


Android Java example:
import android.widget.TextView;
public class TestClass {
    private static final int[] LAYOUTS = new int[] {
        R.layout.center,
        R.layout.left, 
        R.layout.right 
    private final Context _context;
    private final ArrayList _data = new ArrayList();
    public TestClass(Context context, ArrayList data){ 
        _context = context;
        _data.addAll( data );
  
    }
}
 

Tuesday, January 11, 2011

Java pre-processor

How Eclipse works to compile project?

If we are looking for android project compilation process, it contains from many builders
- before resource generator builder;
- resource builder;
- Java compiler;
- package builder;

Next builder will be started after previous one was finished successfully.


Sometimes you may want to use one source for different incompatible platforms (like JavaME MIPS2.0 or Java SE or some other Java specific platform like Android).

The best approach here to have you project separated from Java SDK by creating wrappers on SDK layer and then refer only wrapped classes in your project. Then when in and script for package builder build your project together with Java specific library wrapper.(recommended)

Another way to dial with this problem is to have a preprocessor like C preprocessor and wrap platform specific code. This approach is less clear and it feels like some comments you cannot remove. (not recommended) 

If you need Java cross platform but it is difficult to separate api in your project - you have to redesign you project.

Custom Java preprocessor (also could be done using ant script as well as using external preprocessor tool (like C preprocessor). To understand how it works I have created my own custom preprocessor using ant

Eclipse defines 4 targets
  • before clean
  • manual build
  • auto build
  • during clean 
I have created a simple xml file with 4 targets that is shown below:
  <project name="new builder" >
  <target name="before_clean"/>
  <target name="manual_build"/>
  <target name="auto_build"/>
  <target name="during_clean">
  </project>

Do you have other solution how to build the same app on different Java platforms? 

Sunday, January 9, 2011

Google Translation

I would like to share a Google Translate JavaScript plug-in.
To add a translation to your web pages you can use JavaScript and Google translate services.


Here is a sample that add a translate combo box to your page:
// define div tag where translation combobox will be placed
<div id="google_translate_element">
</div>


// define "new" translate element function  
<script>
function googleTranslateElementInit() {
  new google.translate.TranslateElement({
    pageLanguage: 'uk',

    includedLanguages: 'et,tl',
  }, 'google_translate_element');
}
</script>


// add all necessary sources to do the translation 
<script src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script>

pros:
- easy to use 
- using it you can create a copy of your blog/site to other languages 

cons:
- not all languages supported 
- engine itself is quite new and translation is not perfect


if you need translation to any language remove includedLanguages parameter

There are some useful links that may help you with building your copy:

Tuesday, January 4, 2011

Android and Ant builder. Part 2

About ant commands :
You can create your own command processor with ant (you are able to create elements and ant is able to process commands in ants way (using xml to join parts )

For example for search and replace there is a command that is mapped to java or to implemented in other language application


 <replaceregexp file="file"   match="pattern"    replace="pattern"  

 flags="options"
 byline="true|false" /> ;

 
it is actually a prepared a java class(s) that do the job

Is Ant depends on Java JRE or it is a separate native application? I think it is...
Probably that's why Java and Ant is so close...

I also would like to understand how preprocessor works in Eclipse. It may helps me with my tasks