Hanno's blog - Linux

Secure RSA padding: RSA-PSS

nospam@example.com (Hanno Böck) — Fri, 14 May 2010 23:22:43 +0200

I got selected for this years Google Summer of Code with a project for the implementation of RSA-PSS in the nss library. RSA-PSS will also be the topic of my diploma thesis, so I thought I'd write some lines about it.

RSA is, as you may probably know, the most widely used public key cryptography algorithm. It can be used for signing and encryption, RSA-PSS is about signing (something similar, RSA-OAEP, exists for encryption, but that's not my main topic).

The formula for the RSA-algorithm is S = M^k mod N (S is the signature, M the input, k the private key and N some big prime number). One important thing is that M is not the Message itself, but some encoding of the message. A simple way of doing this encoding is using a hash-function, for example SHA256. This is basically how old standards (like PKCS #1 1.5) worked. While no attacks exist against this scheme, it's believed that this can be improved. One reason is that while the RSA-function accepts an input of size N (which is the same length as the keysize, for example 2048/4096 bit), hash-functions usually produce much smaller inputs (something like 160/256 bit).

An improved scheme for that is the Probabilistic Signature Scheme (PSS), (Bellare/Rogaway 1996/1998). PSS is "provable secure". It does not mean that the outcoming algorithm is "provable secure" (that's impossible with today's math), but that the outcome is as secure as the input algorithm RSA and the used hash function (so-called "random oracle model"). A standard for PSS-encryption is PKCS #1 2.1 (republished as RFC 3447) So PSS in general is a good idea as a security measure, but as there is no real pressure to implement it, it's still not used very much. Just an example, the new DNSSEC ressource records just published last year still use the old PKCS #1 1.5 standard.

For SSL/TLS, standards to use PSS exist (RFC 4055, RFC 5756), but implementation is widely lacking. Just recently, openssl got support for PSS verification. The only implementation of signature creation I'm aware of is the java-library bouncycastle (yes, this forced me to write some lines of java code).

The nss library is used by the Mozilla products (Firefox, Thunderbird), so an implementation there is crucial for a more widespread use of PSS.

Free and open source developers meeting (FOSDEM)

nospam@example.com (Hanno Böck) — Sun, 07 Feb 2010 10:34:05 +0100

After reading a lot about interesting stuff happening at this years FOSDEM, I decided very short term to go there. The FOSDEM in Brussels is probably one of the biggest (if not the biggest at all) meetings of free software developers. Unlike similar events (like several Linuxtag-events in Germany), it's focus is mainly on developers, so the talks are more high level.

My impressions from FOSDEM so far: There are much more people compared when I was here a few years ago, so it seems the number of free software developers is inceasing (which is great). The interest focus seems to be to extend free software to other areas. Embedded devices, the BIOS, open hardware (lot's of interest in 3D-printers).

Yesterday morning, there was a quite interesting talk by Richard Clayton about Phishing, Scam etc. with lots of statistics and info about the supposed business models behind it. Afterwards I had a nice chat with some developers from OpenInkpot. There was a big interest in the Coreboot-talk, so I (and many others) just didn't get in because it was full.

Later Gentoo-developer Petteri Räty gave a talk about "How to be a good upstream" and I'd suggest every free software developer to have a look on that (I'll put the link here later).

I've just attended a rather interesting talk about 3D-printers like RepRap and MakerBot.

SSL-Certificates with SHA256 signature

nospam@example.com (Hanno Böck) — Mon, 01 Feb 2010 23:23:34 +0100

At least since 2005 it's well known that the cryptographic hash function SHA1 is seriously flawed and it's only a matter of time until it will be broken. However, it's still widely used and it can be expected that it'll be used long enough to allow real world attacks (as it happened with MD5 before). The NIST (the US National Institute of Standards and Technology) suggests not to use SHA1 after 2010, the german BSI (Bundesamt für Sicherheit in der Informationstechnik) says they should've been fadet out by the end of 2009.

The probably most widely used encryption protocol is SSL. It is a protocol that can operate on top of many other internet protocols and is for example widely used for banking accounts.

As SSL is a pretty complex protocol, it needs hash functions at various places, here I'm just looking at one of them. The signatures created by the certificate authorities. Every SSL certificate is signed by a CA, even if you generate SSL certificates yourself, they are self-signed, meaning that the certificate itself is it's own CA. From what I know, despite the suggestions mentioned above no big CA will give you certificates signed with anything better than SHA1. You can check this with:
openssl x509 -text -in [your ssl certificate]
Look for "Signature Algorithm". It'll most likely say sha1WithRSAEncryption. If your CA is good, it'll show sha256WithRSAEncryption. If your CA is really bad, it may show md5WithRSAEncryption.

When asking for SHA256 support, you often get the answer that the software still has problems, it's not ready yet. When asking for more information I never got answers. So I tried it myself. On an up-to-date apache webserver with mod_ssl, it was no problem to install a SHA256 signed certificate based on a SHA256 signed test CA. All browsers I've tried (Firefox 3.6, Konqueror 4.3.5, Opera 10.10, IE8 and even IE6) had no problem with it. You can check it out at https://sha2.hboeck.de/. You will get a certificate warning (obviously, as it's signed by my own test CA), but you'll be able to view the page. If you want to test it without warnings, you can also import the CA certificate.

I'd be interested if this causes any problems (on server or on client side), so please leave a comment if you are aware of any incompatibilities.

Update: By request in the comments, I've also created a SHA512 testcase.

Update 2: StartSSL wrote me that they tried providing SHA256-certificates about a year ago and had too many problems - it wasn't very specific but they mentioned that earlier Windows XP and Windows 2003 Server versions may have problems.

BIOS update by extracting HD image from ISO

nospam@example.com (Hanno Böck) — Thu, 14 Jan 2010 21:16:17 +0100

Today I faced an interesting Linux problem that made me learn a couple of things I'd like to share. At first, we found an issue on a Thinkpad X301 notebook that was fixed in a newer BIOS version. So we wanted to do a BIOS update. Lenovo provides BIOS updates either for Windows or as bootable ISO CD-images. But the device had no CD-drive and only Linux installed. First we tried unetbootin, a tool to create bootable USB sticks out of ISO-Images. That didn't work.
So I had a deeper look at the ISO. What puzzled me was that when mounting it as a loopback device, there were no files on it. After some research I learned that there are different ways to create bootable CDs and one of them is the El Torito extension. It places an image of a harddisk on the CD, when booting, the image is loaded into memory and an OS can be executed (this probably only works for quite simple OSes like DOS, the Lenovo BIOS Upgrade disk is based on PC-DOS). There's a small PERL-script called geteltorito that is able to extract such images from ISO files.
It's possible to boot such harddisk images with grub and memdisk (part of syslinux). Install syslinux, place the file memdisk into /boot (found in /usr/lib/syslinux/ or /usr/share/syslinux/) and add something like this to your grub config:

title HD Image
root (hd0,0)
kernel /boot/memdisk
initrd /boot/image.img

Or for grub2:

menuentry "HD Image" {
set root=(hd0,2)
linux16 /boot/memdisk
initrd16 /boot/hdimage.img
}

Now you can select bios update in your boot menu and it should boot the BIOS upgrade utility.

(Note that this does not work for all Lenovo BIOS updates, only for those using an El Torito harddisk image - you can mount your iso with mount -o loop [path_to_iso] [mount_path] to check, if there are any files, this method is not for you)

Videos aus ARD Mediathek herunterladen

nospam@example.com (Hanno Böck) — Fri, 08 Jan 2010 22:39:56 +0100

Ich stand heute vor dem Problem, ein Video aus der ARD-Mediathek herunterladen zu wollen. Die gibt es meistens nur noch als Flash und ohne Download-Link.

Die Videos werden über RTMP übertragen, was ein Flash-eigenes Videostreaming-Protokoll ist. Im gulli-Forum fand ich eine Anleitung. Ich habe darauf basierend ein kleines Skript ardget geschrieben, mit dem man das bequem erledigen kann. Aufzurufen einfach über
ardget "[URL der Mediathek]"

Die Anführungszeichen sind notwendig, weil die URLs &-Zeichen enthalten, die sonst von der Shell fehlinterpretiert werden. Da die Videos teilweise mit Javascript-URLs verlinkt sind, filtere ich das auch entsprechend, man kann also den kompletten javascript: beginnenden Link übergeben. Benötigt wird entweder flvstreamer oder rtmpdump, sollte ansonsten in jeder gängigen Unix-Shell funktionieren.

O2 DSl-Router die Macken austreiben

nospam@example.com (Hanno Böck) — Fri, 18 Sep 2009 18:47:34 +0200

Seit kurzem bin ich in Besitz eines Internetzugangs von O2. Dabei wird ein Router (DSL Router Classic, das Ding stammt wohl von Zyxel, eine genaue Typbezeichnung habe ich bisher nicht gefunden), der gleichzeitig auch VoIP macht, mitgeliefert.

Dabei sind bei mir zwei Probleme aufgetaucht, die vielleicht auch anderen (potentiell intensiveren) Internetnutzern aufstoßen, deswegen teile ich hier mal mit wie man dem Ding beibringt, normales Internet anzubieten.

Zunächst ist mir aufgestossen, dass wenn ich viele eMail-Konten gleichzeitig abholen wollte, bei einem Teil davon Verbindungsfehler auftraten. Etwas geklicke durch das Webinterface brachte mich auf den Punkt »Firewall« (»Firewall« wird ja heutzutage für alles und nichts als Buzzword benutzt). Dahinter verbergen sich einige Limits für Verbindungen, die doch ziemlich niedrig gesetzt sind. Was mir vermutlich die Probleme bereitet hat, ist die Begrenzung auf 10 unvollständige TCP-Verbindungen.
Ich habe eine Weile drüber nachgedacht, ob ich die Funktionalität einer solchen »Firewall« aus irgendeinem Grund nützlich finde und bin drauf gekommen, dass, solange ich meinem Rechner vertraue, mir das Ding nur Probleme bereitet und es schlicht ausgeschaltet.

Ein weiteres Problem lies sich nicht so einfach Lösen: SSH-Verbindungen, bei denen ich eine Weile nichts gemacht hatte und auf denen auch keine Ausgabe kam, standen still. Mutmaßung: TCP-Verbindungen werden gekappt, wenn länger keine Daten über sie fließen. Nur fand sich nirgends eine Option, um dem beizukommen. Nach etwas Suchen im Netz bin ich dann drauf gestoßen, dass das Teil ein Telnet-Interface hat (Benutzername: admin, Passwort identisch mit Webinterface), über das man sich einloggen kann und einige Optionen setzen, die das Webinterface nicht anbietet (siehe solariz.de: Zyxel Router P-334 optimieren).

ip nat timeout tcp 3600

war dann das Zauberwort, welches den TCP-Timeout höher setzt (eine Stunde erschien mir passabel, Voreinstellung war 300, also 5 Minuten).

LPIC-1

nospam@example.com (Hanno Böck) — Thu, 09 Jul 2009 10:23:17 +0200

After passing the second exam at the Linuxtag, I'm now officially allowed to call myself LPIC-1.

Looking for router firmware alternatives

nospam@example.com (Hanno Böck) — Thu, 11 Jun 2009 14:16:44 +0200

A couple of projects exist for alternative router firmwares. I used to work with Buffalo Routers combined with DD-WRT.

Now DD-WRT became quite unusable for two reasons. First there was a Cross Site Request Forgery reported on bugtraq a while back, where one of the DD-WRT developers answered in a way that clearly showed he doesn't really understand what CSRF is - so already from a security point of view, DD-WRT seems to be a no-go.

Beside, DD-WRT development more or less is stale at the moment - there are commercial spin-offs and there's been some controversy if everything they did was compliant to the GPL. Fact is there were no new releases since several months - with open security bugs.

Now I've been looking for alternatives. What I'm looking for should be

a ready-to-use router firmware with easy web-interface configuration from the start, not something like OpenWRT
free software
obviously, a project that handles security-reports in a sane way

For now, Gargoyle the only one suitable. It doesn't officially support my Hardware, but it works anyway. I haven't looked deeper into it (e. g. didn't do any security analysis myself), but it seems to do the basic tasks. If you have suggestions of other projects, please leave a comment.

USB hard drives with SMART

nospam@example.com (Hanno Böck) — Thu, 07 May 2009 21:08:18 +0200

A common way to check the health state of a hard disk is SMART. It gives various informations about occuring errors. In Linux, there's the smartmontools package containing tools to read SMART data of hard drives (smartctl -a /dev/[hddevice] gives you a bunch of information).

I found it always frustrating that SMART didn't work with USB drives. It's a standard bound to IDE/ATA. Although common USB-drives are internally IDE/SATA, sending the SMART commands to the drive requires proprietary extensions. But now, the smartmontools-developers have included support for some USB drives. It worked with the USB HDs I had available for testing.

There's no release yet containing the USB-support. If you're on Gentoo, you can fetch a live-CVS ebuild here.

LPI / LPIC - ein kleines Resumee

nospam@example.com (Hanno Böck) — Sat, 21 Mar 2009 09:35:38 +0100

Ich habe, wie ich kürzlich bereits erwähnt habe, auf den Chemnitzer Linux-Tagen die erste LPI-Prüfung abgelegt. Die LPI ist eine Institution, die Zertifizierungen für Linux-Kenntnisse anbietet. Es existieren verschiedene Levels, nach Bestehen der zweiten Prüfung darf ich mich dann LPIC-1 nennen.

Zwar darf ich natürlich zu konkreten Inhalten der Prüfungsfragen nichts sagen (das muss man während der Prüfung unterschreiben), möchte aber dennoch einige allgemeine Anmerkungen dazu loswerden.

Zunächst mein Haupt-Kritikpunkt: Die Prüfung bezieht sich auf alte Inhalte, und zwar auf sehr alte. Eine Frage bezog sich auf Spezifika eines 2.0-Kernels. Ich erinnere mich noch dunkel, dass zu der Zeit, als ich gerade mal anfing, mich mit Linux zu beschäftigen, gerade das Neuerscheinen von Kernel 2.4.0 ein heißes Thema war. Das ist nun schon knapp 10 Jahre her. Das war sicher das extremste Beispiel, aber es zieht sich durch mehrere Fragen durch. Nehmen wir jemanden, der sich sehr kompetent mit Linux auskennt, aber sich vielleicht erst seit 3 Jahren mit Linux beschäftigt. Er hätte schlicht das Problem, dass ihm xfree86 einfach nie begegnet ist. Bei den nicht gerade günstigen Preisen der Prüfung hätte ich schon erwartet, dass sie halbwegs dem aktuellen Stand der Entwicklung entsprechen.

Ein weiterer, sicher schon oft genannter Kritikpunkt, ist die Frage der (nicht vorhandenen) Distributions-Neutralität. Im Flyer des LPI wird explizit damit geworben wird, dass die Zertifizierungen Distributions-übergreifend seien. Das ist, um es deutlich zu sagen, schlicht gelogen. Es handelt sich nur um einen kleinen Teil der Fragen (bzgl. rpm), die man auch einfach weglassen könnte, es würde der Prüfung nichts nehmen.

Jenseits dessen noch eine eher grundsätzliche Anmerkung: Große Teile der Prüfung beziehen sich auf das mehr oder weniger Ausweniglernen von Befehlen und Parametern. Das ist natürlich komplett realitätsfern. In jeder realen Situation, in der meine Linux-Kompetenz gefordert ist, habe ich natürlich die Möglichkeit, mir die man-Pages und Dokumentationen von Programmen anzusehen. Insofern sollte man sich klar sein, dass ein LPI-Zertifikat auch nur sehr beschränkt Auskunft darüber gibt, wie fähig man tatsächlich mit einem Linux-System umgehen kann.

Chemnitzer Linux-Tage 2009

nospam@example.com (Hanno Böck) — Sat, 14 Mar 2009 18:40:32 +0100

Ich bin mal wieder, wie in den Vorjahren auch schon, auf den Chemnitzer Linux-Tagen. Die Linux-Tage in Chemnitz gehören inzwischen zu einer der zentralen Veranstaltungen der freien Software-Community.

Morgen werde ich mich zum ersten Mal an einer LPI-Prüfung versuchen. Habe mich kaum vorbereitet und bin mal gespannt ob man das auch so schafft. Wenn es nicht klappt werde ich mir evtl. entsprechende Literatur zulegen und es erneut versuchen.

Bilder gibt's hier: http://pictures.hboeck.de/clt2009/

Filling the proprietary gaps: Real Video (RV30/RV40) support in ffmpeg

nospam@example.com (Hanno Böck) — Thu, 25 Dec 2008 15:38:07 +0100

The free software projects for media playing did a good job in the past on supporting a wide variety of formats. From the common to many very obscure formats, current versions of the free software mediaplayers were usually able to play them. Today it's even common to suggest vlc for Windows users if they can't play unusual media formats.

Though there were a few exceptions, the most notable probably the long-time missing support for many of the Real formats. While these are rarely used today, many archived videos in the Internet still rely on it. For example, many german television stations provide real video files on their webpages.

Recently and without much public notion, ffmpeg first got support for RV40, some weeks later also for RV30. This fills a long time gap in free software support for video formats. ffmpeg is used by all major free software video players (vlc, xine, mplayer), so you should get the support within some time in all of them. For now, it's quite easy to checkout mplayer from subversion and build it on your own.

Want something to try out? Here's a video from Desert Planet in real format.

The only gap I know of a format that really got usage in the wild and that is not yet supported by free software is WMA3.

Auch dieses Jahr wieder tuXmas

nospam@example.com (Hanno Böck) — Wed, 24 Dec 2008 19:38:05 +0100

Die Linux User Group Backnang hat, wie auch in den letzten beiden Jahren, zu Weihnachten eine DVD herausgebracht, die vollgepackt ist mit freien und frei kopierbaren Inhalten aus dem Netz. Die Idee dabei ist, durch eine möglichst vielfältige Auswahl auf die große Menge freier Inhalte aufmerksam zu machen.

Im Gegensatz zu den Vorjahren war ich dieses Mal daran kaum beteiligt. Umso mehr freut es mich, dass es auch ohne mich geklappt hat. Also viel Spass mit der tuXmas DVD 2008.

Interview on FSFE webpage

nospam@example.com (Hanno Böck) — Wed, 17 Dec 2008 17:28:21 +0100

As an FSFE fellow, I got interviewed for their webpage.

You can read it here.

A critique on the FSFE campaign on PDF readers

nospam@example.com (Hanno Böck) — Sat, 13 Dec 2008 13:35:40 +0100

The Free Software Foundation Europe has recently started a campaign promoting free PDF readers. The idea is to replace the tons of »Get Adobe Reader to view the PDF«-Buttons with ones that don't promote a proprietary product for viewing PDFs. On the page, they list a couple of free PDF readers for various operating systems.

While I fully support the intention of this campaign, I think there's a big strategic misconception. As a small sample, let's take this PDF (an old advertisement for a Linux installation party). It's created with Scribus, based on a transparent SVG tux image I got from Wikipedia. On the right, you can see the PDF rendered with Evince (one of the three Linux-based solutions listed there). The others (kpdf and okular), although based on the same poppler-libarary, show a different rendering, though it's not better.

Loading the same PDF in the only listed Windows program SumatraPDF (which will, sad but true, probably the one most people will look for) gives an even more interesting result (see on the left). Though, after resizing the window, it changes it's opinion and renders the PDF, although still broken as you can see on the right (results may be false as I only tried it in WINE).

Continuing with the problems, SumatraPDF is unable to fill in PDF forms. Luckily today Linux-based PDF readers are able to do that, though one of the listed programs (kpdf) is not.

In fact, those are no reasons not to start a campaign for free PDF readers. But it should start with a completely different focus, like »we have some coders wanting to improve free PDF readers, send us your wrong rendered PDFs« or something like that. And then start improving the free PDF readers. And then promote them. Doing it the other way round with a »there is no problem, just take a free PDF reader« message and then giving them ones with grave problems is just lying to people. There's a good reason why for example the Scribus project promotes the Adobe Reader.

Oh, and before you ask, yes, I have reported the bug about the misrendered transparency a long time ago.