Simulating Hardware security module - hsm

I want to implement part of an HSM, but first I need to simulate it in software.
I want to have a completely isolated environment that works like a real HSM.
My chosen API is PKCS#11.
Should I do something like Cryptech, implementing PKCS#11 over RPC?
Can I translate PKCS#11 commands and use one of the many cryptographic libraries that are available (cryptlib, OpenSSL, ...)?
PS: I know SoftHSM, but I want something that I completely understand and can configure, plus good documentation, which I didn't find for SoftHSM.
Thanks

Some vendors provide an emulated/simulated HSM environment, at least:
Gemalto ProtectServer HSM
Utimaco CryptoServer HSM
But to be honest I do not understand your SoftHSM dislike as basically all you need to know is the PKCS#11 API (moreover you can see the source code -- you couldn't ask for more insight).
Good luck!
EDIT (given your comment): The publicly available security policies of existing devices might be an interesting read to get some insight into HSM internals.

We can share an HSM simulator which is based on the HSM's firmware and provides full PKCS#11 support. Would that be an option?
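The question asks whether PKCS#11 calls can be translated onto an ordinary crypto library while keeping the isolation a real HSM gives. The following is an added example (not code from the question, SoftHSM, Cryptech or any vendor simulator) of the smallest version of that idea: a token object that owns the key material and only ever hands out session and object handles, with login, a non-extractable attribute and sign/verify built on the standard library's hmac/hashlib. The CKR_* strings are real PKCS#11 return-code names used as messages; the class, method and attribute names are illustrative and are not the PKCS#11 C API.

```python
"""Minimal software stand-in for the boundary a PKCS#11 token enforces.

Added example: models the handle-based PKCS#11 object model (sessions, login,
key handles, a non-extractable attribute) on top of hmac/hashlib, which
stands in for "one of the many cryptographic libraries".  Names are
illustrative; CKR_* strings are real PKCS#11 return-code names.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class HsmError(Exception):
    """Anything a real token would report as a CKR_* return code."""


@dataclass
class KeyObject:
    label: str
    extractable: bool
    material: bytes = field(repr=False)  # only returned when extractable


class SoftToken:
    """Everything here is 'inside the HSM'; callers only ever hold handles."""

    def __init__(self, user_pin: str):
        self._pin_hash = hashlib.sha256(user_pin.encode()).digest()
        self._objects = {}    # key handle -> KeyObject
        self._sessions = {}   # session handle -> logged-in flag

    def open_session(self) -> int:                      # C_OpenSession analogue
        h = secrets.randbits(32)
        self._sessions[h] = False
        return h

    def login(self, session: int, pin: str) -> None:    # C_Login analogue
        self._session(session)
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise HsmError("CKR_PIN_INCORRECT")
        self._sessions[session] = True

    def generate_key(self, session, label, extractable=False) -> int:  # C_GenerateKey analogue
        self._logged_in(session)
        h = secrets.randbits(32)
        self._objects[h] = KeyObject(label, extractable, secrets.token_bytes(32))
        return h

    def get_attribute(self, session, key, attr):        # C_GetAttributeValue analogue
        self._logged_in(session)
        obj = self._object(key)
        if attr in ("label", "extractable"):
            return getattr(obj, attr)
        if attr == "value":
            if not obj.extractable:                     # sensitive attribute stays inside
                raise HsmError("CKR_ATTRIBUTE_SENSITIVE")
            return obj.material
        raise HsmError("CKR_ATTRIBUTE_TYPE_INVALID")

    def sign(self, session, key, data: bytes) -> bytes:             # C_Sign analogue
        self._logged_in(session)
        return hmac.new(self._object(key).material, data, hashlib.sha256).digest()

    def verify(self, session, key, data: bytes, sig: bytes) -> bool:  # C_Verify analogue
        self._logged_in(session)
        return hmac.compare_digest(self.sign(session, key, data), sig)

    def _session(self, session):
        if session not in self._sessions:
            raise HsmError("CKR_SESSION_HANDLE_INVALID")

    def _logged_in(self, session):
        self._session(session)
        if not self._sessions[session]:
            raise HsmError("CKR_USER_NOT_LOGGED_IN")

    def _object(self, key):
        if key not in self._objects:
            raise HsmError("CKR_OBJECT_HANDLE_INVALID")
        return self._objects[key]


def demo() -> dict:
    """Exercise the boundary: unauthenticated use fails, signing works, export is refused."""
    token = SoftToken(user_pin="1234")
    s = token.open_session()
    try:
        token.generate_key(s, "too-early")
        before_login = "allowed"
    except HsmError as e:
        before_login = str(e)
    token.login(s, "1234")
    k = token.generate_key(s, "app-mac-key")          # extractable defaults to False
    sig = token.sign(s, k, b"hello")
    try:
        token.get_attribute(s, k, "value")
        exported = True
    except HsmError:
        exported = False
    return {"before_login": before_login,
            "verified": token.verify(s, k, b"hello", sig),
            "tampered": token.verify(s, k, b"hellx", sig),
            "exported": exported,
            "label": token.get_attribute(s, k, "label")}
```

The point the simulator has to preserve is visible in `get_attribute`: key material is reachable only through handles and only when the object was created extractable, so an application that works against this facade will not later depend on reading raw keys out of a real token.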

SQL Injection from Compute Engine

We have a web application that occasionally receives web requests that we detect as attempts to inject SQL code, coming from Google virtual servers (Compute Engine).
I was asked to find a way to identify who is responsible for said machines, so that we can take the corresponding legal actions on our part, or at least, confirm that Google shut down those servers.
What I need is to find a way to communicate with Google, by email or chat, but I haven't found information about it.
EDIT 1:
I have tried to communicate with Google to indicate the information I am looking for, but the only contact available in my case is with the billing department, which could not confirm that they will give me that information if I buy a technical assistance package. On the other hand, I understand that this package is to review requirements of the applications that you own, but in my case I am looking for legal information.
What was recommended to me was to enter the corresponding application in
https://support.google.com/code/contact/cloud_platform_report?hl=en
but I have not received a response for weeks.
I am disappointed in Google, especially because of the importance of computer security.
I will keep searching information.
You can find all information concerning tech support, phone support and chat support in your Google Cloud console. Also, this doc shows the different support options based on your support role or package.
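Whoever ends up handling the report will want timestamps, source addresses and the decoded requests, plus confirmation that the addresses really sit in the provider's published ranges. The following added example (not from the question or the answer) does that triage over constructed access-log lines: it flags query strings containing common injection fragments, groups hits by source IP, and checks each IP against a CIDR list that stands in for a provider's published ranges. The log lines, the RFC 5737 documentation addresses and the CIDR list are all constructed here and are not real Google Compute Engine ranges.

```python
"""Triage suspected SQL-injection requests into abuse-report evidence.

Added example: scans constructed Apache "combined" log lines, flags decoded
query strings that match common injection fragments, groups them by source
IP and marks whether the IP falls in a (constructed) provider range list.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed stand-in for a provider's published ranges (not Google's real list).
PROVIDER_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:58:02 +0000] "GET /item?id=1%27%20UNION%20SELECT%20null HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:14:01:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Fragments a WAF or IDS commonly alerts on, matched against the URL-decoded path.
SQLI_RE = re.compile(r"('\s*or\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s)", re.IGNORECASE)


def provider_of(ip: str) -> bool:
    """True when the address lies inside one of PROVIDER_RANGES."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def triage(log_text: str) -> dict:
    """Return {ip: {"in_provider_range": bool, "hits": [(timestamp, decoded_path), ...]}}."""
    report = defaultdict(lambda: {"in_provider_range": False, "hits": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])
        if SQLI_RE.search(decoded):
            entry = report[m["ip"]]
            entry["in_provider_range"] = provider_of(m["ip"])
            entry["hits"].append((m["ts"], decoded))
    return dict(report)


def abuse_report_lines(report: dict) -> list:
    """Plain-text evidence lines in the form an abuse desk asks for."""
    lines = []
    for ip, entry in sorted(report.items()):
        where = "provider range" if entry["in_provider_range"] else "other network"
        for ts, path in entry["hits"]:
            lines.append(f"{ts} {ip} ({where}) {path}")
    return lines
```

Decoding the path before matching matters: the same `' OR 1=1--` arrives as `%27%20OR%201%3D1--`, and a pattern applied to the raw line would miss it. Keep the original raw lines alongside the decoded evidence when you file the report, since the recipient will want to match them against their own records.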

Alert on change in /etc/passwd (or any other file) from Dynatrace

We are using Dynatrace to monitor all our infrastructure, and we want to monitor some specific files on our servers (e.g. /etc/passwd), but there is no specific monitoring for that. The Dynatrace agent is running on all our servers.
Does anyone know how to achieve this or has implemented some solution for this?
Thanks.
As per my understanding the answer would be a no. Dynatrace supports custom plugins in Python, and I have written a few custom plugins, but they are executed once per minute to send metrics.
But I don't think writing a custom plugin for this would be a good use case.
From the triggers perspective, you can go to Settings > "Anomaly Detection" and check if there is any option, but I'm quite sure there is no such option for this configuration.
You can raise an RFE for this -- this is actually a good requirement, not from the /etc/passwd perspective but because other things could be monitored.
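The answer mentions that custom plugins run once a minute and emit metrics. A file-integrity check fits that model: fingerprint the watched files on every run, compare with the previous run's baseline, and push a 0/1 "changed" value that an alerting rule can act on. The following is an added example of that check and is not Dynatrace's plugin SDK or code from the answer; `WATCHED` holds the paths a real deployment would use, while `demo()` runs the same logic against a constructed passwd copy in a temporary directory so the example never touches the real /etc/passwd.

```python
"""File-integrity check of the kind a once-a-minute metrics plugin could run.

Added example (not Dynatrace SDK code): each run fingerprints every watched
file (SHA-256, size, mode, owner, mtime), compares it with the JSON baseline
written by the previous run, and returns a 0/1 "changed" value plus the
events behind it.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

WATCHED = ["/etc/passwd", "/etc/shadow", "/etc/sudoers"]  # paths for a real deployment


def fingerprint(path: str) -> Optional[dict]:
    """Digest plus metadata of one file; None when it is missing."""
    p = Path(path)
    if not p.is_file():
        return None
    st = p.stat()
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "mtime": int(st.st_mtime)}


def load_baseline(baseline_file: str) -> dict:
    try:
        with open(baseline_file) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def check(paths, baseline_file: str) -> dict:
    """Compare the current state with the baseline; the first run only records it."""
    baseline = load_baseline(baseline_file)
    current = {p: fingerprint(p) for p in paths}
    events = []
    for p in paths:
        before, now = baseline.get(p), current[p]
        if p not in baseline:
            events.append((p, "baselined"))
        elif now is None and before is not None:
            events.append((p, "missing"))
        elif now != before:
            diff = [k for k in now if now[k] != (before or {}).get(k)]
            events.append((p, "changed:" + ",".join(diff)))
    tmp = baseline_file + ".tmp"          # write the new baseline atomically
    with open(tmp, "w") as f:
        json.dump(current, f)
    os.replace(tmp, baseline_file)
    alerts = [e for e in events if e[1] != "baselined"]
    return {"changed": 1 if alerts else 0, "events": events}


def demo() -> list:
    """Three runs against a constructed passwd copy: baseline, no change, change."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "passwd")
    Path(target).write_text("root:x:0:0:root:/root:/bin/sh\n")   # constructed content
    baseline = os.path.join(d, "baseline.json")
    first = check([target], baseline)
    second = check([target], baseline)
    with open(target, "a") as f:                  # simulate an account being appended
        f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
    third = check([target], baseline)
    return [first["changed"], second["changed"], third["changed"], third["events"]]
```

Two details matter for a per-minute plugin: the baseline file must be written atomically (`os.replace` of a temp file) so a crash mid-run cannot leave a half-written baseline that masks a change, and the baseline itself should live somewhere the monitored users cannot edit, otherwise whoever modifies /etc/passwd can also update the fingerprint.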

Info about which GE to use for an IoT mobility project

I would like to develop an IoT mobility project using FI-WARE. My intention is to deploy a lot of sensors on the taxis/buses in the city to control air quality.
I want to use the IDAS GEi, but I have some questions:
I must use a Linino board as the gateway for my sensors. How can I send observations or receive commands from Linino to IDAS and vice versa? I have found this tool on the web: Figway. I have read that Figway is used as a communication gateway between a Raspberry Pi and IDAS. So I have thought of adapting Figway for Linino. Is that the correct way to reach my goal? Are there better ways to do that?
Furthermore, I should provide discovery mechanisms and a transparent interface to control the sensors. For example, I should give the user the possibility to find the sensors that provide a data measure in a certain place. I would like to use SWE for that. Is IDAS SWE compliant? I have read in the documentation that IDAS uses the SWE data model, SensorML and O&M, but I have not found anything about SOS/SAS/SPS/WNS services.
Does IDAS have discovery mechanisms? Or must I use another GE to do that (Configuration Manager?)
Figway is just a Python example of how you can make the queries to the Ultralight 2.0 IoT-Agent.
You may port Figway to your new platform if it supports Python or, alternatively, you can inspect the HTTP POST requests and code them in any other platform/language.
It is really easy; have a look at: http://www.slideshare.net/FI-WARE/fiware-iotidasintroul20v2
Additionally, do not forget that Ultralight2.0/HTTP is one of the technology options that we support for IoT. If your devices are to use other standards such as MQTT/TCP or LWM2M/CoAP/UDP, you can check the other IoT-Agents (which connect as well to the same Orion Context Broker):
UL2.0 and MQTT are here: https://github.com/telefonicaid/fiware-IoTAgent-Cplusplus
LWM2M is here: https://github.com/telefonicaid/lightweightm2m-iotagent
Also, if you want to use any other standard (or even your own proprietary protocol), you may build your own IoT Agent using the skeleton provided here:
https://github.com/telefonicaid/iotagent-node-lib
Thanks for using IDAS!
Cheers,
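The answer says the Ultralight 2.0 requests are simple enough to re-code on any platform. The following added example (not Figway's code or the IoT Agent's) shows the request shape that would be ported to the Linino board: a POST whose query string carries the API key and device id and whose body is a `|`-separated list of attribute/value pairs. The `/iot/d` resource and the `k`/`i` parameter names are assumed here from the UL2.0 IoT Agent conventions; the agent URL, API key and device id are placeholders, and the request is built but not sent, so the example runs offline. The builder also rejects values containing the separator, because `|` is the only framing the format has.

```python
"""Build and parse Ultralight 2.0 measurement payloads for an IoT Agent.

Added example, not Figway or IoT Agent code.  Assumed conventions: POST to
<agent>/iot/d?k=<api key>&i=<device id> with a body like "t|21.5|h|63".
"""
from urllib.parse import parse_qs, urlencode, urlsplit

SEP = "|"


def build_measure_request(agent_url: str, api_key: str, device_id: str, measures: dict) -> tuple:
    """Return (url, body) for a UL2.0 measurement POST.

    Attribute names and values are checked so a sensor reading containing '|'
    cannot smuggle extra attributes into the payload.
    """
    parts = []
    for attr, value in measures.items():
        text = str(value)
        if not attr or SEP in attr or SEP in text:
            raise ValueError(f"attribute/value may not be empty or contain {SEP!r}: {attr}={text}")
        parts += [attr, text]
    url = f"{agent_url.rstrip('/')}/iot/d?" + urlencode({"k": api_key, "i": device_id})
    return url, SEP.join(parts)


def parse_measure_body(body: str) -> dict:
    """Inverse of the builder; rejects odd token counts or empty attribute names."""
    tokens = body.split(SEP)
    if len(tokens) % 2 or any(t == "" for t in tokens[::2]):
        raise ValueError("malformed UL2.0 payload")
    return dict(zip(tokens[::2], tokens[1::2]))


def redact_for_log(url: str) -> str:
    """The API key travels in the query string, so strip it before logging the URL."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    q["k"] = ["<redacted>"]
    return u._replace(query=urlencode(q, doseq=True)).geturl()


def example() -> tuple:
    """Constructed taxi air-quality reading; placeholders for agent, key and device."""
    url, body = build_measure_request("http://iot-agent.example:7896",
                                      "APIKEY-PLACEHOLDER", "taxi-042",
                                      {"co2": 417, "pm25": 12.3})
    return url, body, parse_measure_body(body), redact_for_log(url)
```

Because the device key is a query parameter, every proxy and web-server access log between the gateway and the agent will record it unless the URL is redacted, which is why `redact_for_log` exists alongside the builder.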

Couchbase: Web (AngularJS), Android (native), iOS (native)

I'm planning to build an application that runs on the web (AngularJS), Android (native) and iOS (native).
I have experience with MongoDB, but I found Couchbase, which sounds really good to me.
I read the documentation and found out I need to use Sync Gateway to sync my mobile databases with the main database server and vice versa; up to here everything is fine.
I also need to use "channels" to share records with multiple users.
The problem comes when I need to implement this for the web application.
In their documentation on "Working with web applications" they explain how "bucket shadowing" works, but they also say:
    Bucket shadowing is meant to enable sync for existing Couchbase Server apps. If you are creating a new app with both mobile and web clients, we recommend starting with the Sync Gateway REST APIs, and connecting backend services using the Changes Worker Pattern.
After reading the Sync Gateway REST API docs I found out I'm limited to Facebook and Persona authentication. So I can't use my own authentication mechanism?
Also, there is nothing specified in the REST API about channels?
Is there any example project or more documentation about this? I couldn't find anything :(
If someone has experience with this, please explain how this works.
Thanks
There is also Custom (Indirect) Authentication available on Sync Gateway, which you can use for any type of auth you need.
But you have to hide Sync Gateway's Admin API under your backend layer.
As for the channels: it is the responsibility of the Sync Function to route different documents to the necessary channels based on the document data.
Here is a good video that describes how to build production architecture around Couchbase Lite.
I'm probably late for the party - but as of today I'd recommend taking a look in the PouchDB project for the WEB AngularJS side - they match pretty well and will sync with Couchbase.
Regarding authentication, I just released an article on that topic; find it here. Hope this helps somebody.

What is the experience with Google 'Omaha' (their auto-update engine for Chrome)?

Google has open-sourced the auto update mechanism used in Google Chrome as Omaha.
It seems quite complicated and difficult to configure for anybody who isn't Google. What is the experience using Omaha in projects? Can it be recommended?
We use Omaha for our products. Initially there was quite a bit of work to change hardcoded URLs and strings. We also had to implement the server ourselves, because there was not yet an open source implementation. Today, I would use omaha-server.
There are no regrets with ditching our old client update solution and going with Omaha.
Perhaps you can leverage the Courgette algorithm, which is the update mechanism used in Google Chrome. It is really easy to use and apply to your infrastructure. Currently, it only works for Windows operating systems. Windows users of Chrome receive updates in small chunks, unlike Mac and Linux users, who still receive the updates at full size.
You can find the source code here in the Chromium SVN repository. It is a compression algorithm to apply small updates to Google Chrome instead of sending the whole distribution all the time. Rather than push the whole 10 MB to the user, you can push just the diff of the changes.
More information on how Courgette works can be found here and the official blog post about it here.
It works like this:
    server:
        hint = make_hint(original, update)
        guess = make_guess(original, hint)
        diff = bsdiff(concat(original, guess), update)
        transmit hint, diff
    client:
        receive hint, diff
        guess = make_guess(original, hint)
        update = bspatch(concat(original, guess), diff)
When you check out the source, you can compile it as an executable (right-click > Compile in Visual Studio) and use the application in that form for testing:
    Usage:
        courgette -dis <executable_file> <binary_assembly_file>
        courgette -asm <binary_assembly_file> <executable_file>
        courgette -disadj <executable_file> <reference> <binary_assembly_file>
        courgette -gen <v1> <v2> <patch>
        courgette -apply <v1> <patch> <v2>
Or, you can include that within your application and do the updates from there. You can imitate the Omaha auto update environment by creating your own service that you periodically check and run Courgette.
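To make the hint/guess/diff pipeline above concrete, here is an added example that is not the Courgette source: the "executable" is a list of assembly-like lines whose operands are addresses, the hint is the address shift between versions, `make_guess` rebases the original's operands by that shift, and a line-level diff from `difflib` stands in for bsdiff/bspatch. Both the server and client sides are shown, together with the measurement that motivates the scheme (the patch against the guess carries far fewer literal lines than a patch against the original alone). It also adds the check a client should always run: the reconstructed update is compared against a digest sent with the bundle, so a guess that does not match the server's exactly is rejected instead of installed. The sample instruction listing is constructed.

```python
"""Toy version of Courgette's hint/guess/diff pipeline (added example, not Courgette code).

Real Courgette disassembles the executable and adjusts pointers; here the
hint is an address shift, the guess rebases operands, and difflib stands in
for bsdiff/bspatch.  A SHA-256 of the expected update rides with the bundle.
"""
import difflib
import hashlib
import re

ADDR = re.compile(r"0x([0-9a-f]+)")


def rebase(lines, shift):
    """Shift every address operand by `shift` bytes (the 'guess' transformation)."""
    return [ADDR.sub(lambda m: f"0x{int(m.group(1), 16) + shift:04x}", ln) for ln in lines]


def make_hint(original, update):
    """Toy hint: address shift between the last operands of the two versions."""
    a = int(ADDR.search(original[-1]).group(1), 16)
    b = int(ADDR.search(update[-1]).group(1), 16)
    return b - a


def make_guess(original, hint):
    return rebase(original, hint)


def bsdiff(old, new):
    """Line-level patch: the non-equal opcodes of a SequenceMatcher."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [(tag, i1, i2, new[j1:j2]) for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def bspatch(old, patch):
    """Apply a patch produced by bsdiff() to `old`, returning the new line list."""
    out, pos = [], 0
    for _tag, i1, i2, new_lines in patch:
        out += old[pos:i1] + new_lines
        pos = i2
    return out + old[pos:]


def patch_cost(patch):
    """Literal lines carried in the patch (a proxy for bytes on the wire)."""
    return sum(len(new_lines) for _, _, _, new_lines in patch)


def digest(lines):
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def server(original, update):
    """Produce what the server transmits: hint, diff and the expected digest."""
    hint = make_hint(original, update)
    guess = make_guess(original, hint)
    return {"hint": hint, "diff": bsdiff(original + guess, update), "sha256": digest(update)}


def client(original, bundle):
    """Rebuild the update from the local original plus the bundle, then verify it."""
    guess = make_guess(original, bundle["hint"])
    update = bspatch(original + guess, bundle["diff"])
    if digest(update) != bundle["sha256"]:
        raise ValueError("reconstructed update does not match the expected digest")
    return update


# Constructed sample: the update inserts one instruction at the front, which
# shifts every address operand in the rest of the program by 4 bytes.
ORIGINAL = ["call 0x0008", "jmp 0x000c", "ret", "mov 0x0014", "jmp 0x0000", "call 0x0018"]
UPDATE = ["push 0x0000"] + rebase(ORIGINAL, 4)
```

A plain diff of `ORIGINAL` against `UPDATE` has to carry six of the seven lines because nearly every operand moved; once the guess has rebased the operands, only the inserted line is left to transmit. The digest check is what turns a wrong or corrupted guess into a refused update rather than a silently broken binary.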
I've been using Omaha in various projects since 2016. The projects had between a handful and millions of update clients. Target operating systems were mostly Windows, but also some Linux devices and (via Sparkle) macOS.
Omaha is difficult to set up because it requires you to edit Google's C++ implementation. You also need a corresponding server. The standard implementation is omaha-server and does not come from Google. However, in return it also supports Sparkle for automatic updates on Mac (hence why I mentioned Sparkle above).
While setting up the above components is difficult, once they are configured they work extremely well. This is perhaps not surprising given that Google uses Omaha to update millions (billions?) of devices.
To help others get started with Omaha, I wrote a tutorial that gives a quick overview of how it works.
UPDATE
Customizing Google Omaha isn't that easy, especially if you have no knowledge of C++, Python or COM.
Updates aren't published that frequently.
crystalnix/omaha is managed by the community, and they try to merge the main repo into theirs; additional features are implemented and basic things are fixed.
google/omaha is more active and changes from Google are added, but not frequently.
To implement manual updates in any language you can use the COM classes.
Summary:
Google Omaha is still alive, but in a lazy way.
Bugs are fixed, but do not expect hotfixes.
Google Omaha fits Windows client apps, supported from Windows Vista upwards.
The server side I'm using also supports Sparkle for cross-platform support.
Feedback and crashes are also supported on the server.
Feedback is sent with Google protocol buffers.
Crash handling is done with Breakpad.
I personally would go for Google Omaha instead of implementing my own solution. However, we will discuss this internally.
In the .NET world you might want to take a look at ClickOnce deployment.
An auto-update mechanism is something I'd personally code myself, and always have in the past. Unless you have a multi-gigabyte application and want to upload bits and pieces only, just rely on your own code/installer. That said, I've not looked at Google's open source library at all... and didn't even know it existed. I can't imagine it offering anything superior to what you could code yourself, and with your own code you aren't bound by any licensing restrictions.