Linear feedback shift register

Modern ciphers are classified mainly as stream ciphers and block ciphers. LFSR is a simple method to generate a stream cipher. 

Stream ciphers are generated by adding each bit of plaintext with long generated bits called the keystream. Keystream is made out of a small secret called the seed, which is developed into a very long sequence of bits. 

Stream ciphers are generally based on states, an update function that navigates from one state to another and an output. 

You can read more about LFSR here

Following is the implementation of LFSR in magma with the given specification:

INPUT: 	(P,L,t)  	
         - P is the connection polynomial for the LFSR
			- L is a list for the initial state 
(note that Degree(P) eq #L) 
			- t the length of the keystream that we get 
from the initial state


OUTPUT (Ks,S)		
         - Ks is a List of length t which contains the keystream
			- S is a list of length t+1 which contains 
the states of the LFSR
			  (so S is a list of lists)

function RightLFSR(P, L, t)
	C:= Coefficients(P);
	C:=Reverse(C);
	
	V:=[];
	L;
	
	for i in [1..t] do
		V[i]:=L[#L]; // The output value is 
                             //the last bit of each stream excluding 
                             //the last register value.
		k:=GF(2)!0;
		L1:=L;
		//Shift the register to the right
		for j in [1..#L1]do
			if j+1 in [1..#L] then
				L[j+1] := L1[j];
			end if;
		end for;
		//XOR the values based on the polynomial
		S:=[];
		for j in [1..#L] do
			S[j]:=L1[j]*C[j+1]; // The previous state of                         
                         // the register before 
                          //shifting is taken to find the first bit.
			k:=k+S[j];
		end for;
		L[1]:=k;
		L;
	end for;
return V;
end function;

R<x>:=PolynomialRing(GF(2));
RightLFSR(x^5 + x + 1,[GF(2)!1,0,0,1,0],8);
//Calling the function above

The divine manifestation

Mind works so strange. 
For the past one year, I had told this
To myself, for plenty of times! 
Haven’t you also felt the same?
At least once in your life?
 
Being one among the luckiest fraction 
In the world, I am privileged to say,
That my mind works so strange!
 
I build palaces of dreams with imaginations..
I live in that world..
It makes me feel so real.
I find it hard to believe that the images that 
I see in front of me are images.. 
They are not real.
The rails, the grass, the buildings,
the people, the cars, the dogs,
the birds, the mountains, the clouds,
They are all images, of my imagination.
 
I got an idea to feel myself in others. 
Not very sure how that works.
But I just got a glimpse of it! 
I found myself manifesting in different forms.
I found my body trembling out of pain.
All beings manifested from me.
May be that is also a part of my minds imagination.
 
That was just for a fraction of a second. 
And then back to my dream of believing 
That I am a tiny creature with an ugly body
with a huge mind full of garbage,
with a beautiful brain, so polished and new
the one which is the least used..
 
Aaah.. no.. don’t fool me again..
I am not this! I am that.. 
Seems like Maharshi’s dialogue when he left home..
But please don’t misunderstand.. 
That was just a desire.. 
Not the truth! 
One day, I would reach that heights..
So high.. that the differences diminishes..
Like the view from an aeroplane..
I would see them all merging into one.
I would see them merging into me!
 
Until then, I need to play around 
with the part of myself
that is cheating me showing a fake world.
I need to remember to wake up
Not to fall deep and deep into 
the fallacies of imagination..
But to awake, I need a call
from the Divine mother..
Who needs to take me in her hands,
and fly to those heights,
that would diminish the differences..
 

Multi tier web architecture

It is easy to build an application these days. You can find kids developing mobile apps, websites, etc, and playing around with them. Running an application, with a business logic, and a nice, cool look, would make the application interesting. But there is the element of engineering is missing in it. And it is inevitable in case of large applications, especially distributed ones. 

When you are building an application, a large system, say for managing a company’s employees’ details or a search engine like Google, or even a student management system in a University, etc, the development is no more just the logic and the looks. There are so many more details to be considered. How many people can use the system at the same time? What is the maximum server load? How do you perform software updates while the site is already running? How to connect  the server,  the database, the user? How to handle multiple servers, shutdown one without affecting the other? What to do in case of a catastrophic failure of a system ?etc … It is found that software developers prefer component based frameworks, where a component is a separate element, which could be used for executing an abstract functionality. There are some techniques used by the web tier to handle the distributed application by dividing the whole application to multiple components, and interacting with each other using interfaces, and remote method invocations. 

Multi-tier deployment

Multi-tier deployment

Enterprise JavaBeans, or EJBs are used for deploying server side distributed components meant to perform server side operations.  It performs tasks different from the client side operations like rendering GUI’s, performing client side validations, deal directly with end user or end application. EJB’s on the other hand, perform activities like executing complex algorithms, access the database (eg: JDBC API), integrate with other systems etc. A distributed component, also called as a remote object is callable from a remote system. It means that it is not only accessable to an in-process client but also to an out-of process client that is located somewhere in the network. Some of the clients that access distributed objects are : 

  • Application clients that execute on users desktop and connect to EJB though network.
  • Web servers, that manage dynamically generated web pages. These web servers need to connect to the EJB server to get the actual business logic to generate the web page. 
  • Web services – There are no human users, but instead there is a system trying to access the distributed components via a web application. Here, the EJB’s can act as a web service client. 

My next post explains more about remote method invocations, and distributed components. 

Naming Services and JNDI

A naming service provides the facility to find an object based on a name. Whenever we need to associate name to things, we can use a naming service. It is similar to the idea of telephone directory that we use. JNDI and registries are other examples to a naming service.

During development, if is useful to have the powerful containers like Glassfish. It contains the web server, like tomcat, the application server, embedded in it. The user is not aware of the embedded features in a big container like JBOSS or glassfish.

But, during actual deployment, you want to have, DMZ – Demilitarized Zone.  We need to separate everything, like the web tier and persistence tier, and logic tier and put firewall in between so that web tier and persistence layers are separated. It gives more security and granularity. When you learn the technology, you use just one machine! But in real world scenarios, we need to split up the whole application to different modules that essentially runs on different machine.

JNDI becomes more relevant in such scenarios. It acts as the binding between different tiers by providing API’s that can connect and look up for things or data in each other.

Naming services are made with a hierarchical organisation similar to the structure of a tree. The leaves are the actual data in the structure. JNDI is also having a tree structure.

JNDI consists of a set of set of APIs that allows us to interact with directory services like LDAP, NIS etc. Some of the advantages of using JNDI are as follows:

  1. You can use multiple frameworks. All we need to change is the binding.
  2. You just have to learn one API, and hides you from protocol and implementation details.
  3. You can save java objects using JNDI
  4. You can also link different directory services using JNDI.

Directory services like JNDI and relational databases are used for storing data. But there are significant differences between the two.

  1. Directory services are hierarchical in structure and not relational.
  2. Before relational db, we had hierarchical db, which had an internal model similar to that of directory service.
  3. Most of the operation in directory services is read and we rarely perform write.
  4. As a result, dir services are more optimised for read and writing works slower in a directory service.

Now we take a look at the API part of JNDI. It has a set of APIs.

The term binding in JNDI is the association of a name with an object. To use JNDI, we need to acquire a context. A context is a set of bindings. In the hierarchical structure that I mentioned above, each leaf is a collection of pairs – <name, object>. A context can contain many leaves of the type above. JNDI names look like urls. There is a special prefix as java:. Java is a special token that represents a scheme and in this scheme there are some predefined locations. In order to acquire a context, you need to provide IP address of server, port number, the starting location within JNDI trees. It might be protected by password as well.

Some of the operations in JNDI are as follows:

  • list() – list the directory structure as in a file system
  • createSubcontext() – creates a sub context, similar to creating a folder in a directory.
  • bind() – creates an association, write a pair,name value in the current context
  • rebind() — forces binding something that is already in the tree.

 

Is OpenID secure?

OpenID, as the name suggest is an open identification solution, that helps for authentication with a single ID. There are thousands of websites that asks for authentication, and it is irritating register in all of them, creating an account for each with unique usernames and passwords. Most of the times, the requested username wont be available and users needs to come up with something new which is more likely that you forget it the next time you use the website. 

OpenID tries to solve this issue by providing one idetity provider, namely google, facebook or yahoo etc, to provide credentials for registering to a new website. The following steps describes how OpenID works in a step by step manner with an example.

Consider the three actors coming in the scenario:

  • Alice (end user)
  • Google (identity provider)
  • travelplan.com (consumer) – A website that helps you to make a travel plan.

 OpenID workflow:

  1.  Alice visits the website, travelplan.com, and finds that she needs to make an account to start using it. 
  2. Alice also finds an option to login using her gmail credentials. 
  3. She clicks on the “login using gmail” option.
  4. travelplan.com send a request to Google to verify the user Alice, and get the user identification details for Alice.
  5. Google checks for user, and prompts Alice to enter the credentials for her google account. 
  6. Here the password is not shared!!
  7. Once google identify the user, it asks for user’s authorization to allow the website, travelplan.com to use the identity details like name, emailId etc.
  8. If user clicks allow, then an authentication token is send to travelplan.com, that contains user identity details with which the user can proceed in travelplan.com 

The idea is really interesting due to the special feature that the user credentials like password is not shared with the consumer, the travelplan.com website. This makes life easier as you don’t have to remember usernames and passwords for hundreds of websites and can manages with one single identifier provider like Google or Facebook. But there are so many security issues related to this functionality of OpenID. Some of them are mentioned below:

Phishing attacks:

It is more likely that the websites could be a phishing site. Users could be redirected to malicious page containing what looks like a regular OpenID page. When user clicks on that, he/she might be redirected to another page that might look very similar to the user’s identifier’s page (eg:-Google, Facebook). If user enter the password of his Gmail account in this malicious page, he is at the risk of losing security over the n number of other websites that he had connected with OpenID and of course including the identifier site. 

Man in the middle attacks:

OpenID uses Diffie-Hellman which is subject to interception attacks. Thus the limitations and attacks possible on DH are all applicable to OpenID as well.

Denial of Service attacks:

In the steps mentioned above, we need to notice that there are two requests generated. One from user to website, another from website to the identifier provider. Thus there is a high chance for DoS attacks through OpenID if it is not handled properly in the implementation by providing delays in multiple requests coming from an IP, or other usual methods used to prevent DoS.

Session related atatcks: 

When a user used openID, there are many active authenticated sessions in his browser. So attacks like session swapping, CSRF, and XSS are possible, making your browser more vulnerable. 

Privacy breaching:

OpenID can cause a major blow to your privacy. Your OpenID provider can keep track of every single site that you log in using it. The protocol doesn’t provide a way to hide this information from the provider. 

 There are few other attacks like replay attacks, silent authentications also associated with OpenID. 

Thus, it is important to make sure that the user uses this openID, only for websites with minor information compromise, even if a security breaching happens. Also, it is more likely to have a good number of identifier providers, for eg:- a dummy email account, which could be used through OpenID to login to websites. That makes your life more secure in the cyber world. 

References:

[1] http://en.wikipedia.org/wiki/OpenID

[2]https://sites.google.com/site/openidreview/issues

[3] http://www.untrusted.ca/cache/openid.html

[4] http://wiki.openid.net/w/page/12995216/OpenID_Phishing_Brainstorm

Volatility – A python framework for forensics

I recently came across Volatility which is an advanced forensic framework implemented in Python. This is an effective tool for digital artifacts extraction from volatile memory or the RAM. Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), expert witness (EWF), and direct physical memory over Firewire

There are a set of plugins that could be used with Volatility, that makes it really special. There are some of the plugins that I found really interesting.

  1. dlldump: Extract specified dll from the memory
  2. pslist: Prints all the process by following the EPROCESS lists.
  3. psscan: Find process that were previously terminated or unlinked by a rootkit. It has the ability to list hidden/unlinked process.
  4. dlllist: Display every dll that a process calls.
  5. file_scan: List file_object in physical memory
  6. malfind: Finds hidden or injected code and injected dlls useful in analysis of malware. It also displays process, flags, memory segments etc. 
  7. svsscan: Scans for windows services
  8. API hooks: Detects API hooks in process and kernel memory.
  9. callbacks: Display instance of software listings for callbacks.
  10. iehistory: Reconstruct Internet Explorer cache/history. 

If you are interested in exploring more about Volatility, these are some good tutorials that helped me to get started:

Kernel Datastructures

Kernel data structures are those data structures that exist in physical memory and are accessible only by the kernel and its subsystems. Like other datastructures, these contain pointers, data, addresses of other data structures or addresses of routines etc. Here are some of the major kernel ds in Windows:


typedef struct _ACL
{
      UCHAR AclRevision;
      UCHAR Sbzl;
      WORD AclSize;
      WORD AceCount;
      WORD Sbz2;
} ACL, *PACL;

This data structure is associated with access control lists that manages the permissions of various users to objects like files etc.

This link mentions about a set of data structures in Windows Vista. 

Every data structure has a purpose and although some of them are used by several kernel subsystems, they are not very hard to understand. There are many research going on where a process signature is obtained by analyzing these kernel ds during the execution of a current process. This kernel based signatures are made to detect attacks like rootkits where processes are hidden from the list of processes in the system by manipulating the process header. The kernel datastructure that maintains the processes is called EPROCESS.  

If you are interested to explore more about kernel data structures, this could be a good place to begin with.