|
Jonasfj.dk/Blog
A blog by Jonas Finnemann Jensen
January 14, 2008 HSH – A simple hash algorithm + embedded webserver
Lately I’ve been building a webserver, in school as a light and curtain controller, on top of an AtMEGA168 and ENC28J60, I’ve based it off an article I found at TuxGraphics.org. Which by the way is a fine place to order components for personal usage – They’re cheap and they shipped to Denmark in 2-3 days…
Anyway, the webserver software I found sends a plaintext password over HTTP for authentication. This is of course not desirable since anybody with access to the same network link can see the password. This is very bad security, especially if it’s a wireless link. And who would want a light and curtain controller if the neighbor kid suddenly hacked it.
Therefore I decided that I needed a secure authentication method. Asymmetric cryptographic algorithms are already out of the question since I’m working on a microprocessor with 16kbytes program memory. I tried to find a conventional md5 or sha1 implementation, however they were very easily too big in program size and inefficient. So I looked around and found HSH 11/13 by Herbert Glarner.
HSH 11/13 looked to be efficient, small and easy implement. Later I discovered that with my lack of experience with bit manipulation in C ladder was not true. However, I did manage to get an implementation working, it’s written in C and I’ve tested it with GCC and AVR-GCC against glibc and AVR-libc respectively. You may download it here:
Now having a webserver with a serverside hash algorithm doesn’t solve the issue. The client needs to have the hash algorithm as well. Therefore I wrote a compatible implementation of HSH 11/13 in Javascript. This may seam rather weird, and it’s sure not efficient anymore. I’ve only tested the script in Firefox 2.0, however I’d imagine that it works in other browsers as well. You may download the Javascript implementation here:
Like I said before this may seam rather weird, as the webserver isn’t capable of serving pages as big as the Javascript implementation. However the solution is to let the main page of the embedded webserver be:
< script src = 'http://mywebhost.com/myjsfile.js' > < / script>
Where “http://mywebhost.com/myjsfile.js” is a file located on a remote ordinary webserver, e.g. not served from the embedded webserver. The included Javascript file then writes an entire web 2.0 application using “document.write”. Once the web 2.0 application have been loaded it can use AJAX requests and the HSH 11/13 implementation to communicate with the embedded webserver.Apart from the main page, a simple AJAX API is all the embedded webserver needs to host. Authentication against the webserver may then be done using a HSH hashsum of a timestamp + password + data, referred to as token. Where timestamp, data and token, are send everytime an API request is made. The embedded webserver then knows the password and generates the token from the given timestamp and data, one can then authenticate the request by comparing the generate token with the received token. Note, it may not be desirable to keep track of time on a embedded webserver, so it’s easier to just check if received timestamp is bigger than the latest received timestamp, and then save the timestamp for later use.
December 29, 2007 SimpleECDSA, a simple implementation of ECDSA in C
2 weeks ago I did a school project on ECDSA (Elliptic Curve Digital Signature Algorithm). At HTX we have to do a project that goes beyond the curriculum, we must combine two subjects and do an individual project about something we find interesting. I decided to combine mathematics and programming in a project about ECDSA. Personally I think it was great fun, but perhaps I have a twisted sense of humor 🙂
Anyway, I’ve publish my report here, it’s in Danish though. But I did also write an implementation of ECDSA in C. The implementation is called SimpleECDSA, though I must admit it not very Simple anymore. It uses GMP as integer library, and uses the standardized curves cryptographic operations.
The comments in my source is in English, though I did translate them to Danish, before delivering my paper. Anyway, I still have the source with English comments, so I thought I’d post the source here.
As I had a little spare time this holiday I’ve configured the source with the GNU build system. It my first tarball created with Autotools, and it’s mostly hacked together of snippets from the automake and autoconf manual. But it works and the package compiles, and “./configure” complains if GMP isn’t present. I did also manage to get “make check” to run my internal tests, so I think it’s pretty good, considering the fact that is my first package build with autotools.
If you’ve any comments, bug-reports or questions to my packaging or SimpleECDSA, feel free to leave a comment. SimpleECDSA is ofcourse released under GNU GPLv3, and can be downloaded here:
December 18, 2007 ECDSA: Elliptic Curve Digital Signature Algorithm
I den sidste uges tid har jeg skrevet studieretningsprojekt, og som overskriften afslører har jeg skrevet om Elliptic Curve Digital Signature Algorithm (ECDSA). Jeg har i projektet arbejdet med de matematiske aspekter af ECDSA, og har faktisk gennemgået alle de nødvendige algoritmer. Derudover har jeg selvfølgelig implementeret dem i C. Faktisk gik implementeringen hen og blev en hel implementering af ECDSA. Implementeringen hedder SimpleECDSA, og er skrevet oven på GMP, den er selvfølgelig også frigivet under GNU GPLv3.
Jeg synes selv projektet har været meget sjovt. Der er ikke ofte man får lov til at dykke så dybt ned i et emne. Nu har matematik niveauet i det jeg har arbejdet med så også været så højt at det til tider var direkte underholdende. Okay, måske jeg har en mærkelig form for humor. Men jeg synes nu alligevel det har været sjovt at lege med abstrakt algebra og algoritmer. Og efter dette projekt er jeg bestemt mere sikker på at jeg gerne vil studere datalogi næste år.
Hvis nogen skulle have lyst til at lære ECDSA eller implementere ECDSA, vil jeg mene at min rapport burde kunne danne grundlag for en praktisk implementering af ECDSA. Hvis ikke er der i hvert fald kildehenvisninger nok. Min rapport er skrevet på dansk i LaTeX og frigivet under CreativeCommons Attribution-Noncommercial-Share Alike 2.5. Både rapport og kildekode er selvfølgelig tilgængelig her:
Mod alt sandsynlighed er alle kommentarerne i min kildekode faktisk på dansk. Funktions navne og variabler er dog på engelsk. Først skrev jeg faktisk også alle kommentarerne på engelsk, men da det var et projekt på dansk valgte jeg alligevel at oversætte dem alle sammen, og der er faktisk rigtig mange. Mon ikke også jeg skriver en engelsk post om projektet og poster kildekoden med engelsk kommentarer der. Min viden om C er godt nok begrænset, men man er velkommen til at skrive en mail eller kommentar, hvis man har problemer med programmet, eller mod alt sandsynlighed skulle finde ud af at bruge den til noget fornuftigt.
May 26, 2007 CMS3 – Mit afsluttende projekt i Programming C
Nu er jeg snart færdig med mit andet år på HTX, og afslutter dermed programmering C, altså som fag på HTX. Vi kunne skrive vores afsluttende projekt i enten php eller delphi, og da delphi i mine øjne er noget forældet Windows orienteret skidt, valgte jeg selvfølgelig at arbejde med php. Da jeg ikke lige stod med idéen til en genial web applikation bestemte jeg mig for at lave et simpelt CMS system.
Dette blev til CMS3 med en web 2.0 backend, hvor alle features skal installere som plugins. Plugins installeres fra pakker, som kan verificeres med digital signatur både før og efter installation (Til dette formål benyttede jeg GPG). CMS3 er overordnet set færdigt, der er nogle små ting som kunne virke bedre og laves mere fornuftigt, f.eks. er der ingen forhindringer mod SQL injections. Oprindeligt var det meningen af systemet også skulle have en web 3.0 frontend. Men dette blev for komplekst og havde ikke ret meget med programmering i php at gøre, så jeg valgte at nøjes med en XML/XSL template, ved siden af HTML templaten.
Det har været et rimeligt omfattende projekt, som dog er blevet nogenlunde veldokumenteret og har fået en fin rapport. Selvom rapporten formentlig består af en masse ævl, stave fejl og dårlige formuleringer. Men da jeg ikke rigtigt har noget at bruge systemet til, kan jeg jo ligeså godt frigive det, under GNU GPL. Hvilket jeg hermed vil gøre: download kildekode, dokumentation og rapport. Så ved jeg ikke om der findes nogen som kan bruge det til noget. Hvis du vil vide mere, kan du finde en lidt grundigere synopsis i docs biblioteket på den tarball, du kan downloade. Det skal lige siges at systemet ikke er under udvikling mere, så denne release er kun for folk som vil lege lidt. Alt leg med systemet er på eget ansvar, men man er selvfølgelig velkommen til at sende mig en mail hvis man får problemer, det kan ske jeg kan hjælpe…
March 22, 2007 2 bugfixes, closer to stable…
It’s been a while since release 1.0.0, well short while at least. About a weeks ago we released a bugfix version 1.0.1 (Mac version 0.2), this was a rather big bugfix. Before 1.0.1 there was a lot of theading issues, that made the program practically broken on dual core Windows systems. We’ve fixed most of these issues, and now both the Windows and Linux versions have become more stable. The issues fixed in version 1.0.1 was those listed on our known issues pages.
Well, today we’ve released a Linux version 1.0.2 and a Mac version 0.2.1, those are not very critical. Well the Mac release might be, since I discovered that the Mac version 0.2 didn’t start when the application was launched. It seams there was a typo in the packaging process, I fixed the typo and we’ve released Mac version 0.2.1. Which should be running now, requiring X11 and Mono. The problem with the Linux version was that the menu entry for playlist generation was dead, we’ve fixed, and the Linux version should now be capable of generating playlists. That’s the story behind the latest bugfixes, the Windows version 1.0.1 is still good.
March 10, 2007 Zurück aus Berlin
Den sidste uges tid har jeg været i Berlin, med skolen på studietur. Jeg ellers regnet med at jeg var færdig med tysk efter 10’ende klasse. Men nej, selvfølge skal studieturen gå til Berlin; det skal vist lige siges at vi ikke selv valgte. Når men bort set fra at tyskerne stadig snakker tysk, så var det faktisk en god tur. Selvom det var min tredje tur til Berlin, jeg har tidligere været der med både forældre og med efterskolen i 10’ende klasse.
Vi var selvfølgelig rundt og se nogle af de obligatoriske ting, som f.eks. Rigsdagen, Sachsenhausen osv. Dem havde jeg vist nok set et par gange før, selvom det selvfølgelig aldrig er det samme, kan det godt være en anelse kedeligt. Men vi havde en 3 timer tur med guide i bus, hvilket faktisk var meget godt. Fordi man hørte en masse man normalt ikke ville kende til.
February 17, 2007 TheLastRipper release 1.0.0 RC
The last week I’ve been working a lot on TheLastRipper, an audo stream ripper for Last.fm. first I got the project hosted at google code. Later I ported the code to Windows using Windows.Forms. And as of yesterday the code was finally stable enough to be released. There’s still some inexplainable issues, which I’ll post later on the known issues page of each platform. The releases can be found at the project page: http://code.google.com/p/thelastripper
I’m still not done with the OS X client, hopefully I’ll manage to get an .app ready. Either using Windows.Forms or Cocoa#. I’ve had some success using Windows.Forms under X11, but the macpack utils won’t pack it correctly. Porting to Cocoa is kind of on hold currently, since none of the cocoa samples found can be compiled and no documentation of the C# bindings is available.
Personally I’m pretty proved of the artwork, not because I want to take all the credit for it. The rest of TheLastRipper developer team, have done a lot here. They are also the guys I’m doing the school project with, they’re not much into programming, but they do know a thing or two about artwork. Well all the artwork was done in Inkscape 0.45, the new blur effect is just a little too nice. Some clipart has been “stolen” from public domain ressources at Wikipedia or OpenClipArt.org.
February 7, 2007 Delphi BlogReader
Så er jeg blevet færdigt med endnu et programmerings projekt, denne gang i delphi. Ikke fordi jeg bryder mig om delphi, faktisk synes jeg det er et forfærdeligt sprog. Syntaksen i delphi er værre en VB(.Net), at nogle mennesker overhovedet kan overskue en sådan kode går over min forstand. Desuden ligger det langt fra min tankegang et benytte et ikke standardiseret sprog, med kun en leverandør som oven i købet ikke frigiver kildekode. Den “nye” genoplivning af delphi (explorer edition), som vi har benyttet i skolen er da slet heller ikke noget at råbe hurra for.
Men nok om delphi’s elendigheder, jeg kunne jo komme til at fornærme nogle borland fans. Som projekt i delphi har jeg udviklet en BlogReader til at læse RSS feeds med. I modsætningen til nogle af de andre programmerings projekter jeg har lavet i programmering C, vil jeg mene at dette projekt er fuldstændig uden potentiale. Ikke mindst fordi det er skrevet i delphi, men også fordi det ikke er skyggen af innovation i projektet. Alligevel vil jeg da for traditions skyld frigive kildekoden, projekt filer og rapport. Hvis det da skulle være til nogens interesse. Du kan finde de distribuerede filer her.
February 4, 2007 TheLastRipper-0.1.2
The last few weeks I’ve been working on a project called TheLastRipper, an audio stream ripper for Last.fm. It’s not all done yet, but it’s getting close. It’s written in C# and I’m planing to port it to both Windows and OS X using both MS .Net Framework and Mono. Currently there’s only a Mono/Linux client, it should be possible to port it to gtk#/Mono/Windows pretty fast, but I think I’m going to create a native Windows.Forms interface instead.
Anyway, I’m here by making the first alpha version available for testing. Now I’ve never packaged anything before, so there’s no guaranties on the package. But it’s probably better than the tarball, since the tarball only installs two .Net assemblies, and no mono wrapper script in /usr/bin/ or menu entries.
If you know anything about debian/ubuntu packaging please give me some feedback on the packaging:
By the way, the project is part of a school project I’m doing in technology about copyright, music and luxury. This is relevant because in Danish copyright law, it’s legal to rip unencrypted audio streams, like Last.fm, but please don’t take my word for it, I’m not done with the project and I’ll look more into the Danish copyright laws later. The Danish Ministry of culture has a piece on copyright and audio stream ripping.
December 1, 2006 Implementating a WebDAV server in PHP
As programming project in my Programming C lessons me and one of my mates (Ismail) have been developing a WebDAV server in PHP. The project was called MySQL2WebDAV, the idea was to write a WebDAV server using MySQL as data storage. As some sort of virtual file system abstraction of a MySQL database. We started of with HTTP_WebDAV_Server, an abstract base class that handles most of the WebDAV specific features.
The WebDAV server was probably one of the most difficult things I’ve ever debugged. If you ever plan to write a WebDAV server remember to check out Litmus, a WebDAV server protocol compliance test suite. Very useful stuff if you want to debug a remote WebDAV server.
Anyway, almost all platforms are shipping with WebDAV browsers, it’s definitively an interesting protocol. Just imagine a WebDAV representation of the post in your blog or content management system.
I don’t think my source can be of much use, if you want to play with WebDAV implementations in PHP. My source is both buggy, very ogly and half done, anyway I’ve it made available here (Some comments and documentation in Danish, sorry).
« Newer Posts — Older Posts »
|
|