All things security - Single Sign On technology, Certificates, Encryption. Security Blanket

Tuesday Apr 08, 2008

I recently had a round-the-world trip to speak at 2 Sun Tech Days events - Sydney and Johannesburg. Both events went very well, I presented on "New Security Features in Solaris" and "OpenSolaris: A Definition" in Sydney. In Johannesburg, I presented the same security talk, as well as the OpenSolaris talk again along with Jim Hughes and his "Nevada" talk. It is always good to get out in front of customers and hear feedback. I think they also appreciate talking to the engineers who help build the stuff instead of people a few steps removed; it gives them a much better chance of hearing the detailed kind of answer they are looking for, especially when they are asking deep, technical questions.

As always, I travelled with my camera and managed to use a lot of my free time to shoot.  I posted a tiny fraction of the shots on my flickr account in 2 sets.  Have a look -  Sydney and Africa.

Friday Jul 20, 2007

In late June I attended Trusted Computing Group meetings in Rome (yes, Italy, not New York). Sun is an active participant in the TCG and has been for several years. My areas of interest are in those working groups that deal with the interactions between different parts of the system and also interactions between systems (hosts). More and more computers these days are shipping with TPMs (Trusted Platform Modules - a hardware chip soldered directly to the motherboard), so we are interested in taking advantage of the TPMs to make the overall system more secure. In Solaris, we do not yet have the plumbing (i.e. driver and basic OS support) in place for TPMs but there is work being done in this area that anyone can contribute to if they are interested. Look for more in the future!

Oh yeah - and Rome was amazing. I had never been there before, and it is an incredible city. Consider the history of that area, it's been populated for well over 2000 years and there are bits and pieces of history dating way-WAY back all over the place. I took some pictures - have a look.

Thursday Jan 25, 2007

Information about the Solaris Key Management Framework project - now available on OpenSolaris.org

Wednesday Aug 16, 2006

The Key Management Framework project is in the final stages and getting ready for putback. Read on to learn about the new PKI interfaces we are going to be introducing soon.

A lot of updates and changes have been documented since the last project update. We survived the architecture committee commitment review and have had significant feedback on the design from other security people inside of Sun. We also had some outside comments as well via the kmf-discuss (at) opensolaris.org mailing list. All of these things have been incorporated and documented. We hope that this project will fill a need for developers and administrators who want to use PKI technology but find the current interfaces lacking in one way or another.

One of the features I think is most interesting is the concept of a system-wide PKI policy database. This database will contain a set of policy statements which consist of parameters that affect how certificates are validated by the applications. Because KMF can manage certificates in NSS databases, OpenSSL files, or PKCS#11 tokens, the policy can be applied to objects in any of those places (provided the application goes through the KMF interfaces). We are also greatly expanding the list of commands for the Solaris pktool(1) utility to include certificate create/delete/import/export/list commands, symmetric key generation, and many other PKI object manipulation commands. Check out our design documents on the files page for more details on these and other KMF features.

So, if you are a developer or administrator interested in upcoming Solaris PKI features, please have a look at our project and send feedback, we want to hear from you.

Friday Mar 03, 2006

These days, while most bands are being completely undermined by destructive (but utterly useless) DRM technologies (see: Sony BMG Lawsuit Settlement), it is refreshing to know that there are bands out there that "get it" and are taking advantage of new distribution channels offered by the internet rather than fighting them and treating their fans like criminals (thank you, RIAA).

Pearl Jam has long been a favorite band of mine. When their contract with Sony ended a couple of years ago, they decided to take things in a different direction. They are rolling out a new album in May and will be releasing their first single from that album next week - available as a FREE, Non-DRM-encumbered, MP3. Nice. What a novel concept - give people music in a truly portable format, don't try to force them into using a proprietary music player or platform, just give me (or sell me) the music and let me decide how/when/where I want to play it.

Since 2000, Pearl Jam have released CDs of every concert immediately following the shows. You could usually order the show from the internet the next day and you would receive a link to where you could immediately download the entire show in MP3 format (albeit in a low-quality bitrate) while waiting for your double-CD to arrive in the mail about a week later - with no DRM crap to restrict your use of it. Their ticket sales for fanclub members (of which I am a proud member, #183XXX) are handled smoothly and fairly (compared to the fiasco with the recent U2 tour and their fanclub tickets). Seniority counts, I was in the 10th row last time they came around to the DC area and hope to do at least as well this year. Again - they get it. They saw that fans were selling crap quality bootlegs for $20 or more and decided to put out high-quality CDs of all their shows for $12 a pop. It's a win for both the fans and the band. The fans win because they can purchase a copy of their show for a great price, the band wins by getting a little extra revenue from the sales and A LOT of goodwill from happy fans. Why don't other big bands do this (U2, I'm looking at you)? Heck, for the prices I paid for U2 tickets (face value, I did not scalp), they should be including an autographed CD for free!

Established bands like Pearl Jam or U2 have enough clout within the industry to make their own rules (to some extent) and give their fans what they want. Unfortunately, too many younger, less established bands don't have the power to control how their companies distribute their music and treat their fans. So, you end up with crippled and destructive CDs being sold as "enhanced" and marketed as if they are actually doing YOU a favor by giving you inferior quality compressed tracks in a proprietary media format (WMV). Thank God they are still forced to deliver real CDs that actually play in cars and older CD players and computers.

When I buy a CD, I immediately want to rip the tracks and put it on my iPod. I am not ripping the tracks and sharing them on the internet, I just want to play them on my device and on my terms. I also want to rip them at better quality than what is offered by iTunes or some of the other online music stores. Thankfully, anyone running an OS other than Windows can do this pretty easily - Mac OSX, Linux, and Solaris all have tools for quickly and easily extracting the raw .WAV files from a CD which can then be converted to whatever format you like and stored on whatever device you like. On Solaris (at least in recent Nevada builds - see OpenSolaris.org) you can use the cdda2wav(1) command to quickly extract the .wav files and then use other tools to turn them into MP3 or WMV or whatever format you prefer. Similar tools are available on Linux and Mac OS X obviously has its own utilities (iTunes for one). On Windows you can also do this as long as the CD is not encumbered by lame DRM "protection" and/or you have your CD "autoplay" feature disabled.

It all comes down to the culture of openness and freedom versus the culture of lock-everything-down-and-try-to-control-everything. People want openness - open standards, open source - and freedom - freedom to use media on their terms, not someone else's. Success will come to companies that embrace these concepts not those that fight against them (hello again RIAA and MPAA).

Wednesday Mar 01, 2006

OpenSolaris Key Management Framework

Just today I unveiled a new (and my first) OpenSolaris project - Key Management Framework (KMF). We are trying to make it easier to develop PKI applications and manage PKI objects (X.509 certificates, keys, CRLs, etc). The project has been under development for some time now and we will start dumping our documentation and (eventually) code on the OpenSolaris site for comment in the coming weeks/months.

So, if you are interested, join our discussion list and send comments.

Tuesday Sep 20, 2005

As if the FBI does not have its hands full with terrorism, organized crime, white-collar crime, and other threats to society, the Washington Post is reporting that the FBI has been directed - BY CONGRESS - to divert resources to investigating pornography. Not child-pornography, but regular, consenting adult stuff. Apparently, it is a running joke inside the FBI and no one really wants to be part of it because they all know it is a joke, but the geniuses that we elected into congress think it is "Real Important" and are mandating some extra attention. Seriously, does our country not have enough Real Problems to solve that are more important than investigating businesses that have already passed constitutional muster several times? Go after the spammers and phishers that are putting porn links onto computers without consent - that would be GREAT. Go after the spyware sellers and makers (some of whom are backed up by largely legitimate corporations) - again, GREAT. This move reeks of political influence from the religious right who seem to think that they have a mandate to legislate their own version of morality on everyone, regardless of constitutional protections and existing laws.

Is it 2008 yet?

Monday Sep 19, 2005

I read two articles today, both of which relate to the topic of electronic voting. The first was from the Washington Post about the Carter-Baker panel that has several recommendations for fixing the voting system (including adding MANDATORY PAPER TRAILS), the other is from Brad Friedman and it claims that Diebold is aware that their software is open to hacks and that they are suppressing any dissent on the subject internally by threatening to fire people. Yeah, that'll work. The story is already all over the internet. No one from Diebold has ever really explained exactly why they are so adamantly opposed to paper trails and an open review process. The sad thing is that the government is not squeezing them on this matter and they are allowed to continue doing business with no oversight or scrutiny.

BlackBoxVoting.org has lots of interesting reports on the sad state of electronic voting systems in America. What really gets one's blood boiling is the fact that this is 2005. A full 5 years after the 2000 election debacle and we STILL DON'T HAVE any sort of security standards for these boxes. There is no mandatory verifiable paper trail, there is no oversight of the security of the systems being used, and we have no more reason to trust the system today than we did 5 years ago. I would rather go back to paper ballots and "hanging chads" than to trust the future of our country's elections to software that has not been rigorously examined and thoroughly vetted by software security experts, not just by the software engineers at the company that builds the systems.

This is not a Democrat or a Republican issue, it is something that should concern anyone with an interest in the future of the country. Write to your congressman about this issue - support Rush Holt's HR 550.

Instructions on just how to hack the Diebold code are all over the internet, it's not as if this is a theoretical issue. Yet, here we are, 5 years later, and still no closer to a real solution. The next presidential election is 3 years away, congressional elections are coming up next year. It's infuriating that our government is so completely inept that it cannot address this issue in a timely manner.

Saturday Sep 17, 2005

I updated my Photoblog this past weekend and migrated it to start using the PixelPost system. This is my first foray into the world of MySQL and PHP programming, but I found it to be surprisingly easy and smooth. I was already pretty familiar with CSS and scripting, so it wasn't much of a problem. The really nice thing is the way it keeps track of things in the MySQL db and the nice administrative interface so I can upload pics and keep track of comments and categories with a nice interface.

So, for anyone interested in managing their own photoblog site (as opposed to using Flickr or one of the other blog services) and learning a bit about the LAMP (Linux/Apache/MySQL/PHP) paradigm, I highly recommend PixelPost. Most major web hosting services (I use Lunarpages) offer all of the pieces you need to get started with something like this - including MySQL DBs, and PHP support.

Monday Sep 12, 2005

A really cool security feature was just recently added to the Thunderbird email client - support for GSSAPI authentication. This extends the ability to do secure single-sign on with Kerberos to your email reading. Unless your current mail server (POP or IMAP) is SSL-protected, your username/password passes over the network in the clear. If your organization uses Kerberos for security (and convenience of single-sign on), you can now extend it to mail clients.

Solaris does not include pop3 or imap server software, but there are some open source implementations that already have the necessary server-side support for this secure authentication - The U-W IMAP Server is a popular IMAP server implementation.

Here is the announcement from the Kerberos mailing list. (Thanks to Simon Wilkinson)

=======================================================================
The Thunderbird beta (1.5b1) that was released yesterday contains new
support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
servers.

It would be really good to get some test coverage against different
servers, and in different environments. I originally wrote and tested
the code against the U-W IMAP server - it's also been tested against
various servers using Cyrus SASL for their GSSAPI support.

The beta can be downloaded from
http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html

Cheers,

Simon.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Tuesday Sep 06, 2005

In the last couple of months (prior to the Hurricane), there was a bit of news about some school districts wanting to promote the theory of "intelligent design" as a legitimate scientific theory, right alongside Darwin's theory of evolution. The problem is that it is not a theory and is not scientific. That an entire state would choose to "educate" its children in the area of science in this way is pretty controversial, for obvious reasons. Apparently, some guy wrote an open letter to the Kansas school board that pretty much deflates the whole concept of "intelligent design" in a humorous way (well, at least to me).

Wednesday Aug 31, 2005

I recently broke down and bought the digital camera that I'd been coveting for quite a while - The Nikon D70. For the past 2.5 years, I have been shooting with a Coolpix 5700, which is a very respectable camera that has served me well all over the world (Singapore, China, etc). If anyone wants the old one, I'm selling it on eBay :)

The new one gives me a lot more control over my images - things like really controlling the depth of field with the aperture settings can make a big difference in some shots. Non-SLR models don't have big enough lenses or long enough focal lengths, which means that the aperture setting has little effect on the depth of field. For example, if you just want the foreground to be in focus and you want the background blurred, you need to set the aperture to a pretty wide open setting (F4.5, for example). On a non-SLR camera, you may be able to set the aperture, but the result is virtually indistinguishable from when the aperture is set to the other extreme (F22). With a true SLR and a quality lens, you can really control what parts are in focus and what parts are not, and ultimately it makes a big difference in the overall impact of the images.

So, my wife and I spent our recent 10 year anniversary in Las Vegas and I took some time off from throwing money away at craps to exercise the new gear out in the desert at Red Rock Canyon National Conservation Area. I went *early* in the morning while the sun was still low and the temperature was a very comfortable 74. I think the results were pretty good, though I always see things I could have done better.

Thursday Jun 16, 2005

My co-worker (Will F.) has posted a great blog posting about Kerberos Encryption types and how they are used and negotiated on systems that support different sets of encryption methods. Solaris 10 versus Solaris 8, for example.

Anyone who has wondered about how Kerberos encryption methods are used would not be disappointed by downloading his Presentation and reading it a few times.

Tuesday May 17, 2005

Big News

Everyone has probably already seen the announcement regarding Sun and Microsoft and interoperability. This is a very cool announcement and it is something that we have been working on for quite a while in lots of different ways.

The technical details in these announcements are typically glossed over and discussed at a very high level. At my level, I've been involved in various "Microsoft Interoperability" projects for several years, mostly involving Kerberos and single-sign on technologies. I have worked with Microsoft people in various IETF working groups for several years and always found them to be very smart and easy to work with. As engineers, we are usually more interested in getting stuff to work correctly and less interested in the executive level sparring that has occurred in the past.


Regarding the new interoperability

This document describes the protocols used to achieve the web-based single-sign on that is covered by the agreement. Note that this is NOT the same as the GSSAPI/SPNEGO web-based single sign-on technology that I described here. This new interoperability protocol is based on Web Single Sign-On Metadata Exchange Protocol, which involves XML, SOAP, HTTP, and a bunch of "WS-*" protocols. It does not involve any Kerberos or GSSAPI token exchanges.


The other SSO protocol

HTTP Auth-Negotiate with GSSAPI/SPNEGO is useful for extending the Kerberos SSO to internal web sites that only need to authenticate the user. The Web SSO MEX protocol gives the server access to a lot more information beyond just the user's authentication credentials; the "metadata exchange" part of the name (MEX) refers to all of the other information that can be conveyed in the exchange. The Kerberos SSO exchange typically only involves authentication credentials (tickets) but not a lot of extra data associated with the identity being asserted.

Kerberos by itself would never get us close to the level of interop provided by Web SSO MEX. Web SSO MEX allows for interop across environments that use Liberty and WS-Federation and makes it possible to use the Java Enterprise System OR Windows 2003 Servers, which is a big win for enterprise customers that typically have a mix of both and have been frustrated in the past by the inability to leverage both in a compatible way. This announcement should not discourage companies from moving forward with Kerberos integration and improving internal security. Kerberos SSO is more than just web authentication, it can be applied to lots of other non-Web based protocols as well. In Solaris 10 (and later) SSH, LDAP, FTP, telnet, rlogin, and rsh are all Kerberized. Other protocols like SMTP (mail), POP, and IMAP can also be Kerberos enabled with combinations of protocols like SASL/GSSAPI/Kerberos thus extending SSO to almost all of the most commonly used protocols inside of an enterprise (big or small).
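Both of the Kerberos-based SSO paths mentioned on this page, HTTP Negotiate with GSSAPI/SPNEGO here and the AUTHENTICATE GSSAPI support for IMAP/POP/SMTP in the Thunderbird post further up, carry the same base64-encoded GSS-API initial context token (RFC 2743 section 3.1) on the wire. The following is an added example, not code from this blog or from Sun: a small Python decoder that reads the mechanism OID from such a token so an administrator verifying a deployment can confirm that clients really negotiated SPNEGO or Kerberos rather than falling back to a raw NTLMSSP blob (which Windows clients may also send under the "Negotiate" scheme). The function names are my own and the sample tokens are constructed, not captured.

```python
import base64

MECH_NAMES = {"1.3.6.1.5.5.2": "spnego",          # RFC 4178 SPNEGO
              "1.2.840.113554.1.2.2": "krb5"}     # RFC 4121 Kerberos v5

def encode_oid(dotted):
    """DER-encode a dotted OID (used only to build the constructed samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """Decode DER OID content bytes back into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def der_length(buf, i):
    """Parse a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def build_token(mech_oid, inner):
    """Build an InitialContextToken [APPLICATION 0] { OID, inner } (short lengths)."""
    oid = encode_oid(mech_oid)
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body

def classify_token(raw):
    """Name the mechanism a client actually sent, or flag what it is not."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                 # raw NTLMSSP blob, not a GSS-API token at all
    try:
        if raw[0] != 0x60:
            return "not-gss"
        _, i = der_length(raw, 1)
        if raw[i] != 0x06:
            return "not-gss"
        oid_len, i = der_length(raw, i + 1)
        oid = decode_oid(raw[i:i + oid_len])
    except IndexError:                # truncated or malformed DER
        return "not-gss"
    return MECH_NAMES.get(oid, "unknown:" + oid)

def classify_negotiate_header(value):
    """Classify an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        return classify_token(base64.b64decode(b64, validate=True))
    except ValueError:                # not valid base64
        return "not-gss"

# Constructed sample tokens (not captured from any real client).
SAMPLE_SPNEGO = build_token("1.3.6.1.5.5.2", b"\xa0\x00")        # NegTokenInit stub
SAMPLE_KRB5 = build_token("1.2.840.113554.1.2.2", b"\x01\x00")   # KRB_AP_REQ token id
SAMPLE_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00"
```

For an IMAP or SMTP AUTHENTICATE GSSAPI exchange, pass the base64-decoded client continuation line straight to classify_token.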

So, while I view this announcement as a very positive step forward for Sun, I think there may be some confusion by some over the details of the protocols being used (or not used as the case may be for Kerberos). As I learn more, I will try to clarify the differences more in the future.

Friday May 13, 2005

Remember the day when concert tickets were in the $10-$20 range? Me either. Well, that's not true either. I do recall paying around $14 for several shows at the Pittsburgh Civic Arena (since renamed "Mellon Arena"), back in my high school years. Today, great seats for a popular tour can easily go well above $100 a seat, (which, I *think* is well above the inflation rate). I read that the Rolling Stones are offering their "Gold Circle" seats for their upcoming tour for about $450. Ouch. I like the Stones (or, at least I like the music they made back in the 1967-1971 period, plus Some Girls and Tattoo You a little later), but I think I would have to settle for some of the cheaper and more distant seats if I were to go to that one.

Which brings me in a roundabout way to my real topic ... U2. I love U2. Really. I'm going to the show in Philadelphia tomorrow night. Then I gotta wait 5 months for their 2 October shows in Wash DC. For all of these shows, I decided to pay up for the expensive seats and have a good view of things. It worked out great last tour, I was right next to the stage, about 10 rows up. I suppose I could have taken my chances on the $50 GA tickets and tried to get lucky to get into the "bomb shelter" (i.e. inside of the catwalk circle that extends out into the floor). Odds are low (I've read it's about 1 in 5) and if you don't make it you are likely stuck craning your neck all night and dealing with lots of pushing and shoving for a bad view. I'd love to get into the circle, but I'd prefer to pay for a known quantity in this case.

The cool thing about this tour is that Sun is powering the "ONE" campaign, as fellow blogger MaryMary has blogged about extensively. She was actually lucky enough to meet Bono (and some other celebs). I am not hooked into that part of the business and will have no such access, but I am looking forward to the show(s).