An attack on a cryptographic system that exploits the
fact that different cryptographic operations take slightly different amounts of
time to process. The attacker exploits these slight time differences by
carefully measuring the amount of time required to perform private key
operations. Taking these measurements from a vulnerable system can reveal the
entire secret key. Cryptographic tokens, network-based cryptosystems, and other
applications where attackers can make reasonably accurate timing measurements
are potentially at risk from this form of attack.
What is macro assembler?
An assembler that can perform macro substitution and
expansion. The programmer can define a macro that consists of several statements
and then use the macro name later in the program, thus avoiding having to
rewrite the statements. For example, a macro called swap
exchanges the values of two variables: After defining swap, the programmer can
then insert an instruction such as “swap a, b” in the assembly language program.
While assembling, the assembler replaces the instruction with the statements
within the macro that swap the values of the variables a
and b.
E-Mail Security
When an e-mail message is sent between two distant sites, it will generally
transit dozens of machines on the way. Any of these can read and record the
message for future use. In practice, privacy is nonexistent, despite what many
people think. Nevertheless, many people would like to be able to send e-mail
that can be read by the intended recipient and no one else: not their boss and
not even their government. This desire has stimulated several people and groups
to apply the cryptographic principles we studied earlier to e-mail to produce
secure e-mail. In the following sections we will study a widely-used secure
e-mail system, PGP, and then briefly mention two others, PEM and S/MIME. For
additional information about secure e-mail.
PGP supports four RSA key lengths. It is up to the user to
select the one that is most appropriate. The lengths are
-
Casual (384 bits): can be broken easily today.
-
Commercial (512 bits): breakable by three-letter organizations.
-
Military (1024 bits): Not breakable by anyone on earth.
-
Alien (2048 bits): Not breakable by anyone on other planets, either.
Since RSA is only used for two small computations, everyone
should use alien strength keys all the time.
Key management has received a large amount of attention in PGP
as it is the Achilles heel of all security systems. Key management works as
follows. Each user maintains two data structures locally: a private key ring and
a public key ring. The private key ring
contains one or more personal private-public key pairs. The reason for
supporting multiple pairs per user is to permit users to change their public
keys periodically or when one is thought to have been compromised, without
invalidating messages currently in preparation or in transit. Each pair has an
identifier associated with it so that a message sender can tell the recipient
which public key was used to encrypt it. Message identifiers consist of the
low-order 64 bits of the public key. Users are responsible for avoiding
conflicts in their public key identifiers. The private keys on disk are
encrypted using a special arbitrarily long password to protect them against
sneak attacks.
The public key ring contains
public keys of the user's correspondents. These are needed to encrypt the
message keys associated with each message. Each entry on the public key ring
contains not only the public key, but also its 64-bit identifier and an
indication of how strongly the user trusts the key.
Digital Signatures
The authenticity of many legal, financial, and other documents
is determined by the presence or absence of an authorized handwritten signature.
And photocopies do not count. For computerized message systems to replace the
physical transport of paper and ink documents, a method must be found to allow
documents to be signed in an unforgeable way.
The problem of devising a replacement for handwritten
signatures is a difficult one. Basically, what is needed is a system by which
one party can send a signed message to another party in such a way that the
following conditions hold:
-
The receiver can verify the claimed identity of the sender.
-
The sender cannot later repudiate the contents of the message.
-
The receiver cannot possibly have concocted the message himself.
The first requirement is needed, for example, in financial
systems. When a customer's computer orders a bank's computer to buy a ton of
gold, the bank's computer needs to be able to make sure that the computer giving
the order really belongs to the company whose account is to be debited. In other
words, the bank has to authenticate the customer (and the customer has to
authenticate the bank).
The second requirement is needed to protect the bank against
fraud. Suppose that the bank buys the ton of gold, and immediately thereafter
the price of gold drops sharply. A dishonest customer might sue the bank,
claiming that he never issued any order to buy gold. When the bank produces the
message in court, the customer denies having sent it. The property that no party
to a contract can later deny having signed it is called nonrepudiation. The digital signature schemes that we
will now study help provide it.
The third requirement is needed to protect the customer in the
event that the price of gold shoots up and the bank tries to construct a signed
message in which the customer asked for one bar of gold instead of one ton. In
this fraud scenario, the bank just keeps the rest of the gold for itself.
Symmetric-Key Signatures
One approach to digital signatures is to have a central
authority that knows everything and whom everyone trusts, say Big Brother (BB). Each user then
chooses a secret key and carries it by hand to BB's office. Thus, only Alice and BB know Alice's secret key, KA, and so
on.
When Alice wants to send a signed plaintext message, P, to her banker, Bob, she generates KA(B, RA, t, P), where B is Bob's
identity, RA is a random number chosen by Alice, t is a timestamp to ensure freshness, and KA(B, RA, t, P) is the message encrypted with her key, KA. BB sees that the message is from Alice, decrypts it,
and sends a message to Bob as shown. The message to Bob contains the plaintext
of Alice's message and also the signed message KBB (A, t, P). Bob now carries out Alice's request.
Public-Key Signatures
A structural problem with using symmetric-key cryptography for
digital signatures is that everyone has to agree to trust Big Brother.
Furthermore, Big Brother gets to read all signed messages. The most logical
candidates for running the Big Brother server are the government, the banks, the
accountants, and the lawyers. Unfortunately, none of these organizations inspire
total confidence in all citizens. Hence, it would be nice if signing documents
did not require a trusted authority.
Fortunately, public-key cryptography can make an important
contribution in this area. Let us assume that the public-key encryption and
decryption algorithms have the property that E(D(P)) = P in addition, of
course, to the usual property that D(E(P)) = P. (RSA has this property, so the assumption is not
unreasonable.) Assuming that this is the case, Alice can send a signed plaintext
message, P, to Bob by transmitting EB(DA(P)). Note carefully that
Alice knows her own (private) key, DA, as well as Bob's public key, EB, so
constructing this message is something Alice can do.
Network Security
Security is a broad topic and covers a multitude of sins. In
its simplest form, it is concerned with making sure that nosy people cannot
read, or worse yet, secretly modify messages intended for other recipients. It
is concerned with people trying to access remote services that they are not
authorized to use. It also deals with ways to tell whether that message
purportedly from the IRS saying: Pay by Friday or else is really from the IRS
and not from the Mafia. Security also deals with the problems of legitimate
messages being captured and replayed, and with people trying to deny that they
sent certain messages.
Network security problems can be divided roughly into four closely intertwined
areas: secrecy, authentication, nonrepudiation, and integrity control. Secrecy,
also called confidentiality, has to do with keeping information out of the hands
of unauthorized users. This is what usually comes to mind when people think
about network security. Authentication deals with determining whom you are
talking to before revealing sensitive information or entering into a business
deal. Nonrepudiation deals with signatures: How do you prove that your customer
really placed an electronic order for ten million left-handed doohickeys at 89
cents each when he later claims the price was 69 cents? Or maybe he claims he
never placed any order. Finally, how can you be sure that a message you received
was really the one sent and not something that a malicious adversary modified in
transit or concocted?
All these issues (secrecy, authentication, nonrepudiation, and
integrity control) occur in traditional systems, too, but with some significant
differences. Integrity and secrecy are achieved by using registered mail and
locking documents up. Robbing the mail train is harder now than it was in Jesse
James' day.
Also, people can usually tell the difference between an
original paper document and a photocopy, and it often matters to them. As a
test, make a photocopy of a valid check. Try cashing the original check at your
bank on Monday. Now try cashing the photocopy of the check on Tuesday. Observe
the difference in the bank's behavior. With electronic checks, the original and
the copy are indistinguishable. It may take a while for banks to learn how to
handle this.
PHP Networking Functions
PHP Networking Functions
People authenticate other people by recognizing their faces,
voices, and handwriting. Proof of signing is handled by signatures on letterhead
paper, raised seals, and so on. Tampering can usually be detected by
handwriting, ink, and paper experts. None of these options are available
electronically. Clearly, other solutions are needed.
Before getting into the solutions themselves, it is worth
spending a few moments considering where in the protocol stack network security
belongs. There is probably no one single place. Every layer has something to
contribute. In the physical layer, wiretapping can be foiled by enclosing
transmission lines in sealed tubes containing gas at high pressure. Any attempt
to drill into a tube will release some gas, reducing the pressure and triggering
an alarm. Some military systems use this technique.
Introduction to Cryptography
Historically, four groups of people have used and contributed
to the art of cryptography: the military, the diplomatic corps, diarists, and
lovers. Of these, the military has had the most important role and has shaped
the field over the centuries. Within military organizations, the messages to be
encrypted have traditionally been given to poorly-paid, low-level code clerks
for encryption and transmission. The sheer volume of messages prevented this
work from being done by a few elite specialists.
Until the advent of computers, one of the main constraints on
cryptography had been the ability of the code clerk to perform the necessary
transformations, often on a battlefield with little equipment. An additional
constraint has been the difficulty in switching over quickly from one
cryptographic method to another one, since this entails retraining a large
number of people. However, the danger of a code clerk being captured by the
enemy has made it essential to be able to change the cryptographic method
instantly if need be.
The messages to be encrypted, known as the plaintext, are transformed by a function that is
parameterized by a key. The output of the
encryption process, known as the ciphertext, is
then transmitted, often by messenger or radio. We assume that the enemy, or
intruder, hears and accurately copies down the
complete ciphertext. However, unlike the intended recipient, he does not know
what the decryption key is and so cannot decrypt the ciphertext easily.
Sometimes the intruder can not only listen to the communication channel (passive
intruder) but can also record messages and play them back later, inject his own
messages, or modify legitimate messages before they get to the receiver (active
intruder). The art of breaking ciphers, called cryptanalysis, and the art devising them
(cryptography) is collectively known as cryptology.
The nonsecrecy of the algorithm cannot be emphasized enough.
Trying to keep the algorithm secret, known in the trade as security by obscurity, never works. Also, by
publicizing the algorithm, the cryptographer gets free consulting from a large
number of academic cryptologists eager to break the system so they can publish
papers demonstrating how smart they are. If many experts have tried to break the
algorithm for 5 years after its publication and no one has succeeded, it is
probably pretty solid.
Since the real secrecy is in the key, its length is a major
design issue. Consider a simple combination lock. The general principle is that
you enter digits in sequence. Everyone knows this, but the key is secret. A key
length of two digits means that there are 100 possibilities. A key length of
three digits means 1000 possibilities, and a key length of six digits means a
million. The longer the key, the higher the work
factor the cryptanalyst has to deal with. The work factor for breaking
the system by exhaustive search of the key space is exponential in the key
length. Secrecy comes from having a strong (but public) algorithm and a long
key. To prevent your kid brother from reading your e-mail, 64-bit keys will do.
For routine commercial use, at least 128 bits should be used. To keep major
governments at bay, keys of at least 256 bits, preferably more, are needed.
From the cryptanalyst's point of view, the cryptanalysis
problem has three principal variations. When he has a quantity of ciphertext and
no plaintext, he is confronted with the ciphertext-only problem. The cryptograms that appear
in the puzzle section of newspapers pose this kind of problem. When the
cryptanalyst has some matched ciphertext and plaintext, the problem is called
the known plaintext problem.
The next improvement is to have each of the symbols in the
plaintext, say, the 26 letters for simplicity, map onto some other letter. For
example,
plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y zciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
The general system of symbol-for-symbol substitution is called
a monoalphabetic substitution, with the key
being the 26-letter string corresponding to the full alphabet. For the key
above, the plaintext attack would be transformed
into the ciphertext QZZQEA.
Program Yahoo! with PHP 5
Take advantage of some of the latest
features in PHP to quickly add Yahoo! data to PHP-powered pages.
The recursively named PHP Hypertext Processor language is a
popular choice for building dynamic web applications. In fact, Yahoo! itself has
made PHP its development platform of choice across the company.
The PHP platform
is continually evolving, and the latest version Version 5 includes a handy XML
parser called SimpleXML. As the name implies,
it's easy to work with. And as long as the XML that SimpleXML is parsing is
fairly simple, it's the perfect tool for getting XML data into objects PHP can
easily manipulate.
Yahoo! Search Web Services responses
definitely qualify as simple XML, and this hack shows how easy it is to request
and parse this data with PHP. You'll need PHP 5 for
this hack, but you won't need any external modules.
<?php
// yahoo_search.php
// Accepts a search term and shows the top results.
// Usage: yahoo_search.php?p=<Query>
//
// You can create an AppID, and read the full documentation
// for Yahoo! Web Services at http://developer.yahoo.net/
// Set your unique Yahoo! Application ID
$appID = "insert your app ID";
// Grab the incoming search query, and encode for a URL
$query = $_GET['p'];
$query = urlencode($query);
if ($query == "") {
print "usage: yahoo_search.php?p=<Query>"; die;
}
// Construct a Yahoo! Search Query with only required options
$language = "en";
$req_url = "http://api.search.yahoo.com/";
$req_url .= "WebSearchService/V1/webSearch?";
$req_url .= "appid=$appID";
$req_url .= "&query=$query";
$req_url .= "&language=$language";
// Make the request
$yahoo_response = file_get_contents($req_url);
// Parse the XML
$xml = simplexml_load_string($yahoo_response);
// Initialize results counter
$i = 0;
?>
<html>
<body>
<h2>Yahoo! Search Results</h2>
<ol>
<?php
// Loop through the items returned, printing them out
foreach ($xml->Result as $result) {
$i++;
$title = $result->Title;
$summary = $result->Summary;
$summary = preg_replace("/</i","<",$summary);
$clickurl = $result->ClickUrl;
$url = $result->Url;
print "<li><div style=\"margin-bottom:15px;\">";
print "<a href=\"$clickurl\">$title</a><br />";
print "$summary<br />";
print "<cite>$url</cite></div></li>\n";
}
?>
</ol>
-- Results Powered by Yahoo!
</body>
</html>
This script uses the value of the querystring variable
p to build a Yahoo! Web Search request URL and fetches the XML with the
file_get_contents() function. Once the script has the XML in the
$yahoo_response string, it calls the SimpleXML function simplexml_load_string( ),
which parses the XML and makes the data available to PHP as an object. Finally,
the script loops through the objects, using print to send the data to
the browser.
To run the script, point your web browser to the location of
the script on your server and add the querystring variable p:
http://example.com/yahoo_search.php?p=insert word
You can add multiple words by encoding spaces for URLs. For
example, here's the search string for "PHP encoding":
http://example.com/yahoo_search.php?p=PHP%20encoding
As the results indicate, you can read the official documentation for PHP's SimpleXML function at http://www.php.net/simplexml. With this function, working with Yahoo! Search Web Services data is much more intuitive than with earlier versions of PHP.
Add a Yahoo! Bookmark with One Click
Speed up the process of adding sites to
your Yahoo! Bookmarks with a browser bookmark and a
bit of JavaScript.
Yahoo! Bookmarks are an easy way to
share a list of web sites across several computers. If you have a set of sites
you like to visit from home, the office, a friend's house, or any other place
you might find yourself in front of a computer, they'll always be just a few
clicks away at your Yahoo! account, instead of trapped inside your browser at
home.
Unfortunately, setting up this list of sites for the first time
can be time-consuming. After logging into My Yahoo!, you must find your
bookmarks (usually in the upper-right corner); click Add; copy and paste the
site URL, name, and any comments into the form; and click the Save button. This
might not sound too labor intensive, but it amounts to quite a few steps if
you're adding more than a few sites.
If you've installed the Yahoo! Toolbar, you might have already
experienced the joy of one-click Yahoo! Bookmarks. On
any web page, you can click the Add Bookmark button to add a site. From then on,
the site will be available at your Yahoo! Bookmarks. If you don't want to
install the Yahoo! Toolbar (to save browser real estate) but still want the
convenience of adding bookmarks, you can build your
own JavaScript bookmarklet and add it to your browser's bookmarks toolbar to get
the same one-click effect.
A bookmarklet is a bit of
JavaScript code stored in a web browser bookmark. Bookmarklets give you a way to
run code that can interact with the current page in the browser. For example,
bookmarklets can change the size and colors of fonts on a page, open new browser
windows, or extract information about the current page. With bookmarklets,
you're in control of the script, because it runs when you click the
bookmark.
In order to implement this hack, the only thing you'll need is
a browser that has bookmarks and understands JavaScript. Don't worry, that
covers just about every web browser!
the functioning bookmarklet code will be formatted without linebreaks or spaces.
// Dissected JavaScript bookmarklet for one-click Yahoo! Bookmarks // Set d to the document object as a shortcut var d = document; // Set t to the currently selected text, if available var t = d.selection?d.selection.createRange( ).text:d.getSelection( ); // Build the URL that will add a bookmark to Yahoo! Bookmarks var url = 'http://e.my.yahoo.com/config/edit_bookmark?'; url += '.src=bookmarks&'; url += '.done=http%253a%2F%2Fe.my.yahoo.com/config/set_bookmark&'; url += '.folder=1&'; url += '.action=ab&'; url += '.display=1&'; url += '.protocol=http%3A%2F%2F&'; // include the URL of the current page url += '.url='+escape(d.location.href)+'&'; // include the title of the current page url += '.name='+escape(d.title)+'&'; // include any selected text of the current page as a comment url += '.comment='+escape(t)+'&'; url += '.save=+Save+'; // open a new window to add the bookmark and show the results window.open(url, '_blank', 'width=640,height=440,status=yes,resizable=yes,scrollbars=yes');
Take a look at the bold querystring variables in the code.
These are the primary elements of the Yahoo! URL we're concerned with. Here's a
quick look at what each variable represents:
- .done
- The URL to display after the action is completed.
.folder
- The ID of the folder in which you'd like the bookmark to be included. If you don't have multiple folders, use 1, which is the default.
.url
.name
- The name of the site you're adding as a bookmark.
.comment
- Some arbitrary text that is associated with the bookmark.
Samsung Galaxy K zoom
As it turns out the retail price for Germany will be higher, though. Samsung has just issued a press release for Germany, where it says the official price for the Galaxy K zoom is €519. The availability stays the same - mid-May. This is quite interesting. Germany is the only EU country (so far), where the Sony Xperia Z2 costs less - €679 instead of €699.
Samsung galaxy note-3
Nokia HERE apps for Android and iOS
The position will be based in Berlin / Frankfurt and will report to the Tem Lead Development team Mobile SKDs for Business, HERE Platform for Business." There's also a second job posting that calls for a specific Android mobile developer: "We are now looking for a Mobile App Developer (Android) to join our team. In this role, you will be responsible for: •Working directly with developers, product management and UX Design to conceptualize, build, test and deliver mobile products •Deliver across the entire app life cycle -concept, design, build, deploy, test, release to app stores and support •Build prototypes at tech scoping stage of projects •Working along the web developers to create and maintain a robust framework to support the apps •Working with the front end developers to build the interface with focus on usability features •Keep up to date on the latest industry trends in the mobile technologies •Explain technologies and solutions to technical and non-technical stakeholders" From the two job descriptions, it seems that Nokia plans on bringing the entire HERE experience to both Android and iOS, and not just their navigation and maps software. This is a smart move on Nokia's part, as the more users they're able to get invested in their services,
Samsung Galaxy Note 3
