Monday, October 21, 2013

Random Secrets in Cryptographic Operations

Often we might need to generate random secrets and use them in cryptographic operations when we are implementing cryptographic protocols.

For example, I recently had to implement a zero-knowledge protocol with Pedersen commitments, where I needed to generate a random secret and convert it to a BigInteger in order to compute the Pedersen commitment.

In this short post, I note down the way I found to do it in Java.

First, we can generate a random secret using "SecureRandom" in Java. The article "Proper Use of Java's SecureRandom" explains how to use SecureRandom properly so that it behaves in a uniform way across different platforms.
In our example, we seed SecureRandom's pseudo-random number generator with a pre-defined seed (our secret), so that the same random secret can be regenerated at a later time as well.

Next, we can convert it to a BigInteger value so that we can use it in cryptographic computations.

The following code shows how the above two steps are implemented:
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;

public class Test {
    public static void main(String[] args) throws NoSuchProviderException, NoSuchAlgorithmException,
                                                  UnsupportedEncodingException {
        String password = "secret";
        //generate random secret using password as the seed
        SecureRandom randSec = SecureRandom.getInstance("SHA1PRNG", "SUN");
        randSec.setSeed(password.getBytes("us-ascii"));

        //create a BigInteger of 256 bits from the output of the SecureRandom's pseudo random number generator
        BigInteger randSecBI = new BigInteger(256, randSec);
        System.out.println("Random secret as BigInteger: " + randSecBI);
    }
}
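An added example (mine, not the post's code) that puts the two steps into reusable methods and adds a bounded variant usable as a group exponent, which is what a Pedersen commitment needs. It assumes the SUN provider's SHA1PRNG, whose output is fully determined by a seed set before first use; a secret derived that way is only as hard to guess as the password it is seeded from, so for one-time randomness the unseeded method is the one to use.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;

public class SecretDemo {
    // Reproducible secret as in the post: SUN's SHA1PRNG, when seeded before its
    // first use, is fully determined by the seed, so equal passwords give equal secrets.
    // Its strength is therefore the strength of the password, nothing more.
    static BigInteger deterministicSecret(String password, int bits)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        SecureRandom prng = SecureRandom.getInstance("SHA1PRNG", "SUN");
        prng.setSeed(password.getBytes(StandardCharsets.US_ASCII));
        return new BigInteger(bits, prng); // uniform in [0, 2^bits)
    }

    // Fresh, unpredictable secret: no setSeed, so the platform entropy source seeds it.
    static BigInteger freshSecret(int bits) {
        return new BigInteger(bits, new SecureRandom());
    }

    // Secret usable as an exponent in a group of order q: uniform in [1, q) by
    // rejection sampling, which avoids the bias that "mod q" on a fixed-width
    // random value would introduce.
    static BigInteger secretBelow(BigInteger q, SecureRandom prng) {
        BigInteger r;
        do {
            r = new BigInteger(q.bitLength(), prng);
        } while (r.signum() == 0 || r.compareTo(q) >= 0);
        return r;
    }

    public static void main(String[] args) throws Exception {
        BigInteger a = deterministicSecret("secret", 256);
        BigInteger b = deterministicSecret("secret", 256);
        System.out.println("same seed gives same secret: " + a.equals(b));
        System.out.println("fresh secrets differ: " + !freshSecret(256).equals(freshSecret(256)));
        // Constructed small prime order, only to show the bound; real groups are far larger.
        BigInteger q = new BigInteger("1000000007");
        BigInteger r = secretBelow(q, new SecureRandom());
        System.out.println("1 <= r < q: " + (r.signum() > 0 && r.compareTo(q) < 0));
    }
}
```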



How to convert strings to big integers and vice versa

This is a very simple post on something I found useful recently.

When creating cryptographic elements, we might need to convert Strings to BigIntegers and vice versa.

A good example is when you want to hide a secret value using a commitment scheme such as the Pedersen commitment (I will leave explaining the Pedersen commitment for a future post).

The following code demonstrates how to achieve this in Java:
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;

public class Test {
    public static void main(String[] args) throws UnsupportedEncodingException {
        String identifier = "secretPW";
        //convert string to big integer
        BigInteger identifierBI = new BigInteger(identifier.getBytes("us-ascii"));
        System.out.println("Identifier: " + identifier + " converted to Big Integer: " + identifierBI);

        //convert the big integer back to the identifier (same encoding as above) and verify
        String verifyIdentifier = new String(identifierBI.toByteArray(), "us-ascii");
        System.out.println("Big Integer converted back to string val: " + verifyIdentifier);
    }
}


Note: as in the getBytes("us-ascii") call above, it is good to specify the encoding when converting between strings and bytes, so that your code behaves the same way even when deployed on different platforms.
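An added example (not the post's code) of the same conversion with two edge cases handled: the sign-magnitude BigInteger constructor keeps a leading byte of 0x80 or above from producing a negative value, and the original byte length is restored on the way back because toByteArray() drops leading zero bytes and may prepend a sign byte. Class and method names are mine and the sample strings are constructed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;

public class StringBigIntegerDemo {
    // Encode as a non-negative integer (sign-magnitude constructor), so a leading
    // byte >= 0x80 does not become a negative value as with new BigInteger(bytes).
    static BigInteger toBigInteger(String s) {
        return new BigInteger(1, s.getBytes(StandardCharsets.UTF_8));
    }

    // Decode for a known byte length: toByteArray() may prepend a 0x00 sign byte and
    // always strips leading zero bytes, so the original length is restored explicitly.
    static String fromBigInteger(BigInteger n, int length) {
        byte[] raw = n.toByteArray();
        byte[] out = new byte[length];
        int copy = Math.min(raw.length, length);
        // copy the low-order bytes right-aligned; any leading bytes stay 0x00
        System.arraycopy(raw, raw.length - copy, out, length - copy, copy);
        return new String(out, StandardCharsets.UTF_8);
    }

    static boolean roundTrips(String s) {
        int len = s.getBytes(StandardCharsets.UTF_8).length;
        return s.equals(fromBigInteger(toBigInteger(s), len));
    }

    public static void main(String[] args) {
        String ascii = "secretPW";
        System.out.println(ascii + " -> " + toBigInteger(ascii));
        // Non-ASCII: UTF-8 of "Ä" starts with 0xC3, so the signed constructor yields a
        // negative number while the sign-magnitude one stays positive.
        byte[] umlaut = "Ä".getBytes(StandardCharsets.UTF_8);
        System.out.println("signed sign: " + new BigInteger(umlaut).signum()
                + ", unsigned sign: " + toBigInteger("Ä").signum());
        // A leading NUL byte would be lost without the length; with it the round trip is exact.
        for (String s : new String[] {ascii, "Ä", "\0lead"}) {
            System.out.println("round-trips exactly: " + roundTrips(s));
        }
    }
}
```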

Monday, September 30, 2013

How to build an Android app with Eclipse in Ubuntu

Recently I had to write an Android app and I followed the official Android app development guide at http://developer.android.com/training/index.html

Here in this post, I intend to write down the steps I followed, the issues I came across and how I overcame them. I followed the approach of downloading the SDK separately and integrating Eclipse with it, because I needed to use it with another IDE too. You can also follow the other approach, where you download the ADT bundle, which has an Eclipse IDE with built-in Android Developer Tools.

Step 1: Installing Android SDK

Download the Android SDK from http://developer.android.com/sdk/index.html and unzip it to a location of your choice.
Change directory to [android_sdk_home]/tools and run ./android. This starts the Android SDK Manager through which you can install the platform tools, APIs etc. Check and install the necessary artifacts as shown below:


While installing, you might come across an error saying: "Stopping ADB server failed (code -1)". After the first installation completes, re-run the Android SDK Manager following the same steps above, and the error will not occur during the second installation. It is important that you get rid of that error, because it causes problems when you run the program later.

Step 2: Setting up the IDE

I used Eclipse for my first app, and you can set up Eclipse for Android application development by installing the ADT plugin as described in http://developer.android.com/sdk/installing/installing-adt.html

If the Android related options are not shown in the toolbar of Eclipse once you have restarted it after installing the plugin, go to Window->Custom Perspective->Command Groups Availability and check Android SDK and AVD Manager. Then go to the other tab in the same window, Toolbar Visibility, and check the same. You will see the Android development options in the toolbar as shown below:



Step 3: Creating the Android Application and Running it on the Emulator

You can follow the post at http://developer.android.com/training/basics/firstapp/creating-project.html to create an Android project in eclipse and identify its main component. Then you can follow the post: http://developer.android.com/training/basics/firstapp/running-app.html in order to get to know how to run your app in an emulator.

You can read more about Android Emulator at http://developer.android.com/tools/devices/emulator.html

You have to create and run a virtual Android device, which is used as the emulator to run your app. You can do this via the Android Virtual Device Manager, which can be started either through the icon in the Eclipse toolbar above or from the command line by executing the ./android avd command.

If you are using a 64-bit Ubuntu version, you may get an error saying: "Failed to start emulator: Cannot run program "/home/hasini/android//tools/emulator": error=2, No such file or directory" when you are trying to run the emulator.
In this case, you need to install ia32-libs with: "sudo apt-get install ia32-libs"

After that you can successfully create an Android Virtual Device and run your project in it via Run->Run As->Android Application in Eclipse.
The following is a screen capture of my first hello world Android app:


That's it. I hope this post helps if you came across the same problems I did in creating my first Android app.

Tuesday, July 2, 2013

WSO2 Identity Server in the SCIM Interop at Cloud Identity Summit 2013

WSO2 Identity Server is remotely participating in the SCIM Interop which will be held in parallel to Cloud Identity Summit 2013...

Following are the connection details of the publicly hosted WSO2 IS instance for this interop:

SCIM User Endpoint URL : https://209.126.229.93:9443/wso2/scim/Users

SCIM Group Endpoint URL : https://209.126.229.93:9443/wso2/scim/Groups

Credentials for Basic Auth Authentication:

          User Name : interopUser
          Password : interop#321

Details for OAuth Bearer Token Based Authentication:

          Client Id : 00bZzLviiM1QOSvtFv7ZQDOWBNEa
          Client Secret : CsN87SjTCG_X9qGN6xcfwJOakrga
          Access Token URL : https://209.126.229.93:9443/oauth2endpoints/token
          Authorize URL : https://209.126.229.93:9443/oauth2/authorize

For more details, you may refer to my previous posts on how to authenticate to SCIM REST endpoints via OAuth and how to consume SCIM endpoints through curl...

Please let us know your feedback...

Update on 8th July: Interop testing was performed during the week of 1st July - 5th July with two selected partners: PingOne & Salesforce. The graphic below was designed to illustrate the WSO2 Identity Server - SCIM integration with the two partners in the SCIM Interop - CIS 2013.


Monday, July 1, 2013

OAuth Bearer Token based Authentication for WSO2 IS SCIM endpoints

WSO2 Identity Server acts as a SCIM Service Provider (both hub and spoke type service providers) as well as SCIM Service Consumer.

My previous post (WSO2 Identity Server as a SCIM Service Provider) explains how to consume SCIM REST endpoints in WSO2 IS, with curl - using Basic Auth authentication.

WSO2 IS supports OAuth bearer token based authentication for SCIM REST endpoints from its 4.5.0 release onwards...
This post explains how to leverage OAuth 2.0 feature of IS in order to authenticate to SCIM REST endpoints of IS...

Step 1:
Login to IS (default credentials admin:admin) management console and create a new entry for an OAuth client application. After creating the application entry, click on it to view its details as below.


Now copy the Client Id, Client Secret & Access Token Url for future use.

Step 2:
Now let's obtain a valid access token in order to get authenticated to the SCIM REST endpoints.
We can use the resource owner password credentials grant type for this. The format of the curl command to obtain the access token is:

curl --user <client_id>:<client_secret> -k -d "grant_type=password&username=<username>&password=<password>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2endpoints/token

You need to replace the placeholders in angle brackets in the above command with the valid values copied in step 1 above and with the username and password of the resource owner. (You can use admin and admin for those in the default pack.)

Once you execute the above command, you will get a response as below:

{"token_type":"bearer","expires_in":3600,"refresh_token":"16e3de3b7af4e7a43b7e56cd9362ff","access_token":"492d8b51cb815bbe143f219ac2cf61c3"}

Copy the access token value in the above response.

Step 3:
Now we can consume the SCIM REST endpoints using the above access token.

For example, you can use a curl command like the one below to create a user through the SCIM REST endpoints:

curl -v -k --header "Authorization: Bearer <access_token>" --data '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasi","password":"hasinitg","emails":[{"primary":true,"value":"hasini_home.com","type":"home"},{"value":"hasini_work.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Replace the <access_token> placeholder in the above command with the access token copied in step 2 above. Note that the JSON body is wrapped in single quotes so that the double quotes inside it reach the server intact.

That's it. You can find more curl commands for consuming the SCIM endpoints in my previous post. You can also use the SCIM sample clients in the WSO2 IS samples to invoke the SCIM endpoints using both Basic Auth and OAuth.
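An added script (mine, not from the post) that chains steps 2 and 3: it requests the token with the password grant, extracts access_token from the JSON response without needing jq, and posts the SCIM user with a single-quoted body. The environment variables, function names and the user payload values are assumptions.

```bash
#!/bin/sh
# Assumed environment: IS_HOST, CLIENT_ID, CLIENT_SECRET, RO_USER, RO_PASS.
IS_HOST="${IS_HOST:-https://localhost:9443}"

# Pull the access_token value out of the token endpoint's JSON response.
# Prints nothing (and so fails the check in main) when the field is absent,
# e.g. on an {"error":...} response.
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Step 2: resource owner password credentials grant, client authenticated
# with HTTP Basic (the --user form from the post).
get_token() {
    resp=$(curl -sS -k -u "$CLIENT_ID:$CLIENT_SECRET" \
        -d "grant_type=password&username=$RO_USER&password=$RO_PASS" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        "$IS_HOST/oauth2endpoints/token")
    extract_token "$resp"
}

# Step 3: create a user over SCIM with the bearer token. The JSON is in single
# quotes so its inner double quotes are passed through to the server unchanged.
# Payload values are constructed sample data.
create_user() {
    curl -sS -k -X POST \
        -H "Authorization: Bearer $1" \
        -H "Content-Type: application/json" \
        --data '{"schemas":[],"userName":"hasi","password":"hasinitg",
                 "name":{"familyName":"gunasinghe","givenName":"hasinitg"},
                 "emails":[{"primary":true,"value":"hasini@home.example","type":"home"}]}' \
        "$IS_HOST/wso2/scim/Users"
}

main() {
    token=$(get_token)
    [ -n "$token" ] || { echo "no access_token in token response" >&2; return 1; }
    create_user "$token"
}

# Set SCIM_RUN=1 to execute end to end; otherwise only the functions are defined.
if [ "${SCIM_RUN:-0}" = 1 ]; then main; fi
```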

Tuesday, April 16, 2013

Enterprise Security and Identity Management Use Cases with WSO2 Identity Server

This is the set of slides used in WSO2Con 2013 - tutorial session on the topic: "Enterprise Security and Identity Management Use Cases with WSO2 Identity Server", along with demos for each of these use cases.

I plan to blog about individual samples used to demonstrate each of these use cases in my future posts.


Sunday, February 3, 2013

I have a dream...

I had a dream - silent yet strong..
I was scared to make it to words..
thinking it wont be a reality..
It became so strong day by day..
And one fine day,
I did give words to my dream..
Then I realized - it is not an easy path..
that I have to walk towards my dream..
Still, I do love to walk that tough path..

I love to live with that wonderful dream..
hoping it will come true one day..
I do have faith and belief in my dream..
I will stay devoted to my dream..
without expecting anything in return..
My dream itself brings the pleasure of my life..
If it comes true, I will be the happiest..
If it doesn't come true, I will still be proud..
about living in such a dream once in a life time..

And I will protect it from all external harm..
Just like a mother would protect her only child..

Friday, January 4, 2013

Authorization with XACML when authenticated with X.509 certificates

Use Case:

In addition to authentication, authorization is a mandatory security requirement in most cases where users try to access various resources based on their privileges.
Usually the same user identifier is used for both authentication and authorization.


The most common scenario is to authenticate the users with their user names and use that user name to authorize the user based on their roles and privileges.

In this post, we are going to implement a scenario where X.509 certificates are used for authentication and authorization is performed in the same flow using XACML.

WSO2 ESB will be the point of authentication and policy enforcement while WSO2 Identity Server will be the policy decision point.

Deployment:


1. A proxy service at the ESB fronts a back end web service (let's say the echo service hosted in the ESB itself), which is the actual resource accessed by the user.
2. The proxy service is secured with the WS-Security Sign & Encrypt policy, where users are authenticated by their signatures based on X.509 certificates.
3. The ESB, acting as the PEP, takes the DN in the certificate as the user identifier and sends the authorization request to the PDP, which is the Identity Server.
4. The Identity Server evaluates the authorization request against the defined XACML policies and returns the decision.
5. Based on that decision, the ESB grants or denies the user access to the actual web service.

Implementation with WSO2 Enterprise Service Bus and Identity Server:

1. Setting up Identity Server.

- Download Identity Server 4.0.0 from here and unzip it.
- Change the port offset in carbon.xml to 1. (Since we are running both ESB and IS in the same machine)
- Start the server, login to management console and go to Entitlement->Administration to upload the XACML policy.
- Obtain the XACML policy from here and import in to IS.
- Promote the policy to PDP as shown in the below diagram.
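An added XACML 3.0 policy, not the one the post links to, illustrating the kind of rule the PDP evaluates in this scenario: permit the echo service only to a listed certificate DN and deny everything else. The resource-id value, the DN and the assumption that the entitlement mediator sends the DN as the access-subject subject-id string are mine; the DN in the policy must match the exact string form the callback handler produces, since the comparison is a plain string-equal.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:echo-by-certificate-dn"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>
    Added example policy (assumed resource-id and DN). deny-unless-permit makes
    any subject not matched by the Permit rule receive Deny rather than NotApplicable.
  </Description>
  <!-- Policy applies only to requests for the echo service (assumed resource-id value) -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">echo</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Permit only when the subject-id sent by the PEP equals the listed certificate DN -->
  <Rule RuleId="permit-listed-certificate-dn" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CN=client,OU=Dev,O=Example,C=US</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>
```

Swapping the client's certificate for one with a different DN, as the post suggests at the end, should then flip the decision from Permit to Deny.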



2. Setting up ESB

- In ESB, we need to create a proxy, add Entitlement mediator to its in sequence and secure the proxy service with Sign & Encrypt - X.509 policy.
- Download and unzip ESB 4.5.0.
- Obtain the proxy service configuration from here, deploy it in the [ESB_Home]/repository/deployment/server/synapse-configs/default/proxy-services folder and start the ESB.
- In proxy service configuration, you might notice we have configured the entitlement callback class to org.wso2.carbon.identity.entitlement.mediator.callback.X509EntitlementCallbackHandler which extracts the user identifier from the X.509 certificate.

3. Running the client.

In order to invoke the proxy service created above and run the end to end scenario, obtain the sample secured client from here and run its main class, named SignEncryptClient.

You can try changing the certificates that the client uses and observe the authorization decision.