Intro to HSMs

Hardware Security Modules(HSMs) are basically dedicated cryptography devices, and are often one of the first links in the chain of trust in so much of what we do with technology today.  They allow you to offload sometimes computationally expensive, cryptographic functions like signing or encryption and are often required in industries whose regulations require tight control of private key material(e.g. banking, certificate authorities).  They also allow you to have reliable auditing capabilities and are designed to be extremely difficult to tamper with.  This article does not try to sway you one way or the other in terms of using an HSM, whether or not you need an HSM is usually determined by regulation or security requirements and not performance reasons. If you want are not interested how I arrived at the numbers, click here to see the results. Read Full Article

So if you know me you probably know that you rarely see me without headphones on.  I am not really a collector of anything, except when it comes to heaphones.  I own way more headphones than anyone should.  My latest pair were a Christmas gift from my amazing wife, a pair of Bose Soundlink On Ear Bluetooth headphones(they are absolutely amazing).

The Problem With Standards

I love standards, they make everyones lives easier, but the problem with bluetooth is that it often shows its age.  Anyone who has even a little bit of experience knows that bluetooth might be described as “finicky”.  The way bluetooth deals with different devices is with different profiles. Read Full Article

I love SSH, coupled with byobu(an updated GNU screen) it is amazingly powerful.  But sometimes it is really useful to be able to view a GUI application on the remote server end.  Some people think that they need to use VNC to do this.  VNC is terrible, and there is a better way.

Things you will need:

  • An X capable SSH client
    • On Linux you don’t have to worry about this
    • On Windows I recommend MobaXTerm
    • On OS X I think you just need to install something like XQuartz
  • A server that has a graphical environment installed on it
    • Ubuntu Desktop is an easy example
    • Gnome/KDE/XFCE/X11 etc.
  • SSH server installed on the server
  • A GUI application that you want to run over SSH

In my example I’m going to be connecting from a Windows computer, using MobaXTerm, to a Ubuntu Desktop machine, and running WireShark(yes I know about tshark).

Make sure sshd is installed on the Ubuntu machine.

$ sudo apt-get install ssh

Back on the Windows machine, we SSH to the Ubuntu machine. Notice that we are specifying -X which allows us to run X applications over SSH

$ ssh -X username@

Then we run our application

$ wireshark

And there you have it:

That is Wireshark running on the remote Linux machine.  Notice the GTK/Ubuntu looking buttons, and the Windows colored Window frame.

Thanks for stopping by!

Photo Credit


Most IT people are somewhat familiar with Wireshark.  It is a traffic analyzer, that helps you learn how networking works, diagnose problems and much more.

2015-02-11 22_29_11-

One of the problems with the way Wireshark works is that it can’t easily analyze encrypted traffic, like TLS.  It used to be if you had the private key(s) you could feed them into Wireshark and it would decrypt the traffic on the fly, but it only worked when using RSA for the key exchange mechanism.  As people have started to embrace forward secrecy this broke, as having the private key is no longer enough derive the actual session key used to decrypt the data.  The other problem with this is that a private key should not or can not leave the client, server, or HSM it is in.  This lead me to coming up with very contrived ways of man-in-the-middling myself to decrypt the traffic(e.g. sslstrip or mitmproxy).

Session Key Logging to the Rescue!

Well my friends I’m here to tell you that there is an easier way!  It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file.  You can then point Wireshark at said file and presto! decrypted TLS traffic.  Read on to learn how to set this up. Read Full Article

VPN Introduction

I have been doing some work with VPNs lately, having set up a PPTP(Point to Point Tunneling Protocol) VPN for some Android network analysis that I have been doing lately.  It is easy to set up on a server and a mobile device, but PPTP generally isn’t secure unless you are using (P)EAP.  I wanted to try out something that overlaps with something that I’m pretty knowledgeable about, TLS/SSL, with something I have never had to actually set up, an SSL VPN.  Most people who use a VPN to connect into work use an SSL VPN.  Probably either from someone like Cisco or Juniper.  They are pretty easy to set up on the router side of things, and relatively easy for client device to get set up.  Other advantages are that they can be run over port 443, so they won’t be blocked by most firewalls, and that they use the verification properties inherent to TLS/SSL rather than some sort of challenge-response handshake.  Using TLS/SSL allows them to also be flexible about key sizes and cipher suites used and upgrade them as the future requires.
Read Full Article

I’m very excited to announce the launch of AM I SHA-1 – the SHA-1 Checkinator. This is a site that I have been working on for a few months off and on. Ever since Google announced that they were going to sunset support for SHA-1 support in Chrome, I felt that it would be cool to have an easy site to check your SSL/TLS certs. It isn’t difficult to check your certificates yourself, but not everyone is able to analyze their own certificates and understand the context under which they need to act to upgrade their certificates before the end of 2016. The tool/site I made takes a URL and downloads and parses the certificates for a site, and then helps you determine what action if any is required on your certificates. I realize that there are several tools out there that check for this already, but most of these are bundled into more extensive tests and the tests often take a long time to run. My goal with this site, was to be lean and quick so I focused on just checking for the presence of SHA-1 signatures in chain and leaf certificates. Plus it was a great learning experience.
Read Full Article

The Setup

I have been testing out different ways to optimize this site for performance, purely as a learning experience.  I have come across several guides explaining how server-side caching works, some of them are really good, and some of them a bit out of date in terms of what I consider “best practice” in the industry these days.  Most of the guides to server side-caching do not include the notion of SSL/TLS.  Just like setting up a web server with SSL/TLS is more complex than setting up a web server without, setting up a cache with SSL/TLS is more complex than setting up a cache without.  The goal of this article is to discuss some of the most popular methods and some of their advantages/disadvantages.

This article will be more about the overarching concepts and flow of information than actual configuration, but I’m hoping to do articles on how to actually configure the different options in future posts and incorporate them into this article.
Read Full Article

The Setup

I recently decided that I wanted to learn about Nginx. You may know that Nginx is a web server that has been growing in popularity in the last few years. People use it as an alternative to more traditional web servers like Apache or IIS. They even use it in conjunction with Apache or IIS with Nginx acting as a reverse proxy. Nginx excels at serving up static content and can use fewer resources than Apache or IIS if properly configured, in some scenarios. The one drawback that I had heard about with Nginx was it doesn’t have the breadth of modules that you find in Apache. To illustrate one of the differences, under Apache PHP is loaded as a module while Nginx loads it via FastCGI. Using FastCGI Nginx is able to get comparable performance with potentially lower resource usage.

In terms of configuration Apache is certainly an acquired taste, but once you get it, it is not all that complicated and many of the directives are well documented in the Apache docs. Coming from Apache, configuration of Nginx is surprising easy to pick up. Several things that take 2 or 3 lines on Apache take only 1 on Nginx.
Read Full Article

EDIT: There is an updated version of this article for Ubuntu 16.04 here.

I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I have documented the steps that I took to get Samba 4 working as a Active Directory Domain Controller and also made a screencast that I have cross-posted on YouTube. I chose Ubuntu because they have pretty recent packages of Samba, more info about binary packages for different Distributions on the Samba Wiki. If you are following this as a guide, I’m assuming that you have already installed Ubuntu 14.04. If you do watch the screencast, it is best viewed in HD!

Read Full Article