Using tc to simulate low bandwidth, latency and jitter.

Sometimes you'ld like to get a better idea how your application will perform or user experience will alter when the network connection is slow or poor.

For example, you have a remote site and would like to know what CIFS file shares will perform like, or work out how many remote desktop sessions you can handle etc..

Linux comes with tc from the iproute package. This offers a huge array of options for traffic shaping.

more

Posted Tue 16 Sep 2014 17:07:51 BST

I've recently done some work on an application that provides a way of sharing text data. The data is encrypted on server, but the server operator cannot decrypt or modify the data.

Here is some notes on the cryptographic scheme. It's an implementation of Authenticated Encryption and Associated Data.

The application has 2 modes of working, one with user defined passphrase to the data, and one without. Both are very similar.

The encryption function used is AES256-CTR, with a random initial value, the HMAC is HMAC-SHA512, with pbkdf2 for key derivation function.

Initial configuration

We generate 3 salts that we use later for key generation

$salt_{enc} \overset{R}{\leftarrow} \{ 0,1 \} ^{128}$

$salt_{hmac} \overset{R}{\leftarrow} \{ 0,1 \} ^{128}$

$salt_{filename} \overset{R}{\leftarrow} \{ 0,1 \} ^{128}$

These salts remain constant for the application, and if changed we cannot retrieve any data from the application.

Encryption without user defined passphrase

For each use of the application

We generate a random 128 bit nonce to seed some key derivation functions.

$nonce \overset{R}{\leftarrow} \{ 0,1 \} ^{128}$

We generate a random 96 bit initial value for a 128 bit counter, this gives ability to encode up to 2^{32} blocks

$iv \overset{R}{\leftarrow} \{ 0,1 \} ^{96}$

We use the nonce and a key derivation function to generate keys for encryption, a hmac, and a random filename

$KDF(salt_{enc}, nonce) = K_{enc}$

$KDF(salt_{hmac}, nonce) = K_{hmac}$

$base64.encode(KDF(salt_{filename}, nonce)) = filename$

We encrypt the plaintext and calculate an HMAC tag for the counter initial value concatenated with the encrypted data

$t_{hmac} = HMAC(K_{hmac},salt_{hmac}, iv || E(K_{enc},iv,plaintext))$

We encode the filename random with base64, and use that as the filename to store the tag, iv and encrypted data

$t_{hmac} || iv || E(K_{enc},iv,plaintext) {\rightarrow} {filename}$

and return the nonce as the to the client encoded in the url

$base64.encode(nonce) {\rightarrow} url$

To decrypt and return the message

We take the url that is requested and base64 decode it to get the nonce

$nonce {\leftarrow} base64.decode(url)$

This is used to generate the stored filename, encryption and hmac keys

$KDF(salt_{enc}, nonce) = K_{enc}$

$KDF(salt_{hmac}, nonce) = K_{hmac}$

$base64.encode(KDF(salt_{filename}, nonce)) = filename$

Read the data stored in filename, parsing the first 64 bytes as a HMAC tag, the next 12 bytes as a counter initial value, and the remaining as the cipher text

$data {\leftarrow} filename$

$t_{hmac} = data[:64]$

$iv = data[64:76]$

$ciphertext = data[76:]$

We decrypt the ciphertext, and recalculate the HMAC tag to compare

$plaintext = D(K_{enc}, iv, ciphertext )$

${t'}_{hmac} = HMAC(K_{hmac},salt_{hmac}, iv || ciphertext)$

if ${t'}_{hmac} == t_{hmac}$ we return the $plaintext$ otherwise we return a file not found

Encryption with a user defined passphrase

This is very similar, but we use a user defined passphrase to generate the keying material.

For each use of the application

We generate a random 128 bit nonce to seed some key derivation functions.

$nonce \overset{R}{\leftarrow} \{ 0,1 \} ^{128}$

We generate a random 96 bit initial value for a 128 bit counter, this gives ability to encode up to 2^{32} blocks

$iv \overset{R}{\leftarrow} \{ 0,1 \} ^{96}$

We use the user passphrase, nonce and a key derivation function to generate keys for encryption, a hmac, and a random filename

$KDF(salt_{enc}, passphrase) = K_{enc}$

$KDF(salt_{hmac}, passphrase) = K_{hmac}$

$base64.encode(KDF(salt_{filename}, nonce)) = filename$

We encrypt the plaintext and calculate an HMAC tag for the counter initial value concatenated with the encrypted data

$t_{hmac} = HMAC(K_{hmac},salt_{hmac}, iv || E(K_{enc},iv,plaintext))$

We encode the filename random with base64, and use that as the filename to store the tag, iv and encrypted data

$t_{hmac} || iv || E(K_{enc},iv,plaintext) {\rightarrow} {filename}$

and return the nonce as the to the client encoded in the url

$base64.encode(nonce) {\rightarrow} url$

To decrypt and return the message

We take the url that is requested and base64 decode it to get the nonce, additionally we recieve the passphrase

$nonce {\leftarrow} base64.decode(url)$

This is used to generate the stored filename, encryption and hmac keys

$KDF(salt_{enc},passphrase) = K_{enc}$

$KDF(salt_{hmac}, passphrase) = K_{hmac}$

$base64.encode(KDF(salt_{filename}, nonce)) = filename$

Read the data stored in filename, parsing the first 64 bytes as a HMAC tag, the next 12 bytes as a counter initial value, and the remaining as the cipher text

$data {\leftarrow} filename$

$t_{hmac} = data[:64]$

$iv = data[64:76]$

$ciphertext = data[76:]$

We decrypt the ciphertext, and recalculate the HMAC tag to compare

$plaintext = D(K_{enc}, iv, ciphertext )$

${t'}_{hmac} = HMAC(K_{hmac},salt_{hmac}, iv || ciphertext)$

if ${t'}_{hmac} == t_{hmac}$ we return the $plaintext$ otherwise we return a file not found

Posted Sat 14 Jun 2014 20:08:10 BST

High Performance Samba Server on Freebsd

Problem

A midsize educational organisation has a requirement to upgrade the operating system on several hundred desktop computer from Windows XP to Windows 7. The timescale to complete the reinstallation is the summer recess. A master disk image has been prepared and tested. The installation process involves PXE booting the the machines into a Windows PE environment, then mounting a cifs file share where a Windows Imaging Format disk image is accessed. The WIM images and associated files are greater then 20 gigabytes in size, and will be accessed simultaneously by all client's being reimaged.

Solution

Legacy hardware was reinstalled with FreeBSD, using the ZFS filesystem, and Samba to provide a file sharing solution where constraining factors became the edge network and client PC's rather than the disk access on the image file server.

more

Posted Thu 08 May 2014 22:53:34 BST

Saw this on the tails website.

Infrastructure as code

We want to treat system administration like a (free) software
development project:

We want to enable people to participate without needing an account on the Tails servers.
We want to review the changes that are applied to our systems.
We want to be able to easily reproduce our systems via automatic deployment.
We want to share knowledge with other people.

This is why we try to publish as much as possible of our systems configuration, and to manage
our whole infrastructure with configuration management tools. That is, without needing to log into hosts.

Posted Fri 02 May 2014 12:09:46 BST

In network protocols it's generally good practice to send an meaningful error message to clients. Examples from SMTP where one might see messages like "Unable to deliver because no such mailbox exists" help the sender realise that they have misaddressed an email, or an HTTP server might give a 404 error "Page not found" or a 401 error "Access Denied".

It turns out in cryptography that this is not such a good idea, and that leaking information about whether a block of cipher text is correctly padded or not can allows us to decrypt the whole of the text. There is a good wikipedia article here http://en.wikipedia.org/wiki/Padding_oracle

more

Posted Sat 01 Feb 2014 19:15:29 GMT Tags:

Stanford Crypto 1 course

Perils of the Many Time Pad

I've been doing the entry level crypto MOOC from Stanford/Coursera by Dan Boneh.

This is my solution to the first of the optional programming questions, but using some different data. The question provides several ciphertexts that have been encrypted with the same key.

The encryption is simple XOR with a random key, but the same key is used each time. The question shows the error of using a one time pad more than once.

There is a hint provided,

"Hint: XOR the ciphertexts together, and consider what happens when a space is XORed with a character in [a-zA-Z]. "

My solution involved two parts.

more

Posted Thu 23 Jan 2014 23:10:17 GMT Tags:

The Exim4 Cheat Sheet

Here are some useful things to know for managing an Exim 4 server. This assumes a prior working knowledge of SMTP, MTAs, and a UNIX shell prompt.

more

Posted Thu 09 Jan 2014 14:05:03 GMT Tags:

Monitoring Juniper SRX240 with MRTG

Quick MRTG config to get number of current sessions on a Juniper SRX Cluster

WorkDir: /var/www/mrtg-srx-sessions
EnableIPv6: no
WorkDir: /var/www/mrtg-srx-sessions
Options[_]: gauge,growright,nopercent,avgpeak

PageTop[_]: SRX240Sessions
YLegend[_]: SRX240 Sessions in Use
ShortLegend[_]: Sessions
LegendI[_]: node0
LegendO[_]: node1
MaxBytes[_]: 1000000000
AbsMax[_]: 1000000000
Title[srx240-sessions]: SRX240 Cluster active sessions
Target[srx240-sessions]: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.0&.1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.10:public@192.168.1.1


more

Posted Wed 08 Jan 2014 14:37:31 GMT Tags:

Mathjax and Ikiwiki

Following the instructions http://wiki.math.cmu.edu/iki/wiki/tips/20130930-ikiwiki/010-setup.html#index1h2 repeated here

Using a plugin to load MathJAX

So far this seems to be the safest and simplest option.

more

Posted Tue 07 Jan 2014 23:39:18 GMT Tags:

Installing Debian on HP DL360e Gen 8

Recently purchased an HP DL360e Gen 8 1U server. I was expecting the installation to be pretty simple, but it was a bit of a struggle because of the lack of a free software driver for the embedded RAID controller, an HP B320i

more

Posted Tue 07 Jan 2014 11:02:33 GMT