External Authentication security level (SCP03) and the expected data for them - authentication

I am trying to do External Authentication on a smart card using SCP03. The value of P1 is the security level that we are using for the authentication.
May I know the possible values of the security levels and the data I need to pass for them?

If I understand your question correctly, there are three security levels for the command APDU:
none: nothing is secured
mac: the command is sent in the clear, but a MAC of the command is calculated and appended to the command
enc: the command is encrypted and a MAC of the command is appended to the command
There are two more options for response security:
rmac: like mac, for the response APDU
renc: like enc, for the response APDU
I suggest you study the GlobalPlatform specification:
https://www.globalplatform.org/specificationscard.asp
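As an added example (not part of the answer above), the following Python encodes the none/mac/enc and rmac/renc choices into the P1 byte of EXTERNAL AUTHENTICATE, decodes a P1 back into names, and assembles the command APDU. The bit positions (b1 C-MAC, b2 C-DECRYPTION, b5 R-MAC, b6 R-ENCRYPTION) and the 8-byte host cryptogram plus 8-byte C-MAC data field are taken from the GlobalPlatform Card Specification Amendment D (SCP03); the cryptogram and MAC bytes used in the demo are constructed placeholders, not values derived from real session keys.

```python
# Added example: P1 security-level handling for SCP03 EXTERNAL AUTHENTICATE.
# Bit layout and data-field layout follow GlobalPlatform Amendment D (SCP03).
# The host cryptogram and C-MAC used in the demo are constructed placeholders;
# real values are computed with the AES-CMAC session keys.

C_MAC        = 0x01  # b1: command MAC ("mac")
C_DECRYPTION = 0x02  # b2: command data encrypted ("enc")
R_MAC        = 0x10  # b5: response MAC ("rmac")
R_ENCRYPTION = 0x20  # b6: response data encrypted ("renc")

_NAMES = [(C_DECRYPTION, "C-DECRYPTION"), (C_MAC, "C-MAC"),
          (R_ENCRYPTION, "R-ENCRYPTION"), (R_MAC, "R-MAC")]

def security_level(mac=False, enc=False, rmac=False, renc=False):
    """Build P1 from the none/mac/enc and rmac/renc choices.

    SCP03 never encrypts without the matching MAC, so enc requires mac
    and renc requires rmac; anything else is rejected before it is sent.
    """
    if enc and not mac:
        raise ValueError("C-DECRYPTION requires C-MAC")
    if renc and not rmac:
        raise ValueError("R-ENCRYPTION requires R-MAC")
    p1 = 0
    if mac:  p1 |= C_MAC
    if enc:  p1 |= C_DECRYPTION
    if rmac: p1 |= R_MAC
    if renc: p1 |= R_ENCRYPTION
    return p1

def describe(p1):
    """Return the protections encoded in P1 (empty list means 'none')."""
    if p1 & ~(C_MAC | C_DECRYPTION | R_MAC | R_ENCRYPTION):
        raise ValueError("unsupported bits set in P1: 0x%02X" % p1)
    return [name for bit, name in _NAMES if p1 & bit]

def external_authenticate_apdu(p1, host_cryptogram, cmac):
    """Assemble CLA 84 / INS 82 / P1 / P2 00 / Lc 10 / cryptogram || C-MAC."""
    if len(host_cryptogram) != 8 or len(cmac) != 8:
        raise ValueError("host cryptogram and C-MAC are 8 bytes each")
    data = bytes(host_cryptogram) + bytes(cmac)
    return bytes([0x84, 0x82, p1, 0x00, len(data)]) + data

if __name__ == "__main__":
    p1 = security_level(mac=True, enc=True, rmac=True, renc=True)
    print("P1 = 0x%02X -> %s" % (p1, describe(p1)))
    print(external_authenticate_apdu(p1, b"\x11" * 8, b"\x22" * 8).hex())
```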

Related

How to find the ssl / tls master key

I tried posting this on ask.openstack but it has been stuck in the moderator for 5 days now. I thought I'd try here.
I was trying to debug a Nova issue and wanted to decode the SSL / TLS packets being exchanged using Wireshark. Part of the changes I was making was setting Nova up to use SSL / TLS and I wanted to be sure that part of it I had set correctly. I eventually figured out my issues from the various log files but I'm somewhat assuming that being able to watch the network traffic may help in some very difficult cases.
The exchange uses TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 at one point. According to this Security Stack Exchange question, there is a "pre-master secret" or various other terms. I've wrestled with this before in a previous life doing IPSec. Usually you can set debug in the application and it will spew out the secret into the log file. I tried "debug = true" under Default in nova.conf and got lots of debug but no secret. There were two items that looked interesting that were reported as **** in the log: keystone_authtoken.memcache_secret_key and neutron.metadata_proxy_shared_secret. I wasn't sure if those were the secrets I was looking for or not. In this case, I'm looking at the nova-api traffic going to port 8774.
Also, since all of openstack is Python and uses the same "request" and "certifi" packages, it may be possible to generalize this to all of the openstack components.
nova --version reports 9.1.1

IBM MQ: Establishing an SSL connection

We're struggling to get IBM MQ to work across SSL.
We've been provided with the certificate chain for the remote host and installed into the Windows Certificate Store (Local Machine). These all look valid.
We're using the following connection properties:
connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "other-server.com");
connectionProperties.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
connectionProperties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
connectionProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
connectionProperties.Add("CertificateLabel", "ibmwebspheremqmywindowsusernamewithoutdomain");
MQEnvironment.SSLCertRevocationCheck = true;
We've established that the "CertificateLabel" is the "Friendly name" in Windows parlance.
We've proven unencrypted communication and network-level configuration.
We're using 8.0.0.7 client.
These are the issues we've come across:
All secure communications fail with a 2538 error. (MQRC_HOST_NOT_AVAILABLE, https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q045380_.htm)
No success setting the Friendly Name to ibmwebspheremq and ibmwebspheremqmywindowsusername#domain and ibmwebspheremqmywindowsusernamewithoutdomain
General questions:
Are we correct in assuming that we can install generated certificates exclusively in the Windows Certificate Store?
Is the 2538 error even related to SSL communications? It feels like a network error, though there is that final point in the referenced error documentation.
Is there anywhere we can look for more informative error information? E.g. relating to the SSL trust chain, to see if there is an issue there?
The issue was the following line:
connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "otherserver.com");
Turns out that:
It needs it in a canonical format, so DN=, etc.
You don't even need that line
Though we did learn a few things along the way:
The line:
connectionProperties.Add("CertificateLabel", "ibmwebspheremqmyusername");
Is the string ibmwebspheremq plus your Windows username (without your domain) and the label should be set on the Friendly name of your client machine's outgoing certificate NOT including the username.
The various folders inside your Windows certificate store are significant. The intermediate CAs should be correctly filed.

Registering new devices to Azure IOT hub

Just simple question:
I have created a new Service bus, Event hub and some shared access tokens with all rights, but registering a new device with iothub-explorer fails with an 'unauthorized' message in Azure.
[tuomas#raspberry ~]$ iothub-explorer login "HostName=mynew-iot.servicebus.windows.net;SharedAccessKeyName=mynewdevice-1;SharedAccessKey=NptRRzI9mhiXO2QKuhZq47iY24A7cbtxRpUDSQO5aSI=" --connection-string
Session started, expires Tue Apr 12 2016 20:02:13 GMT+0300 (EEST)
[tuomas#raspberry ~]$ iothub-explorer "HostName=mynew-iot.servicebus.windows.net;SharedAccessKeyName=device-1;SharedAccessKey=NptRRzI9mhiXO2QKuhZq47iY24A7cbtxRpUDSQO5aSI=" create dummydev
Error Unauthorized
Any thoughts?
With Thanks,
~T
I don't know if it's on purpose or not but the connection string in the second command doesn't match the one in the first one: the SharedAccessKeyName is different. Maybe it's just that.
If it's not just that, due to the way it's named I'm under the impression that you are using a device connection string when you should be using the service connection string (with a policy name in the SharedAccessKeyName field, such as the iothubowner). Whatever the policy is it should have the permissions to read and write to the registry. Unless you named such a policy "mynewdevice-1" ? One simple way to debug this is to use the iothubowner policy and associated key since it has full permissions.
Last thing, if you're using the "login" command, you don't need to specify the connectionstring again in subsequent commands (except to receive messages sent by devices, since this is done on the event hubs endpoint).
Thanks, I have really messed up these old and new portals.
After creating a new Service bus and event hub in new portal I can register my devices. The rest .... new question perhaps...
With thanks.

Does MsBuild SonarQube Runner support encryption?

I see on the page Settings Encryption a section about the MSBuild.SonarQube.Runner configuration file.
But the documented portion has a format which doesn't match the example SonarQube.Analysis.xml file.
However, I have tried putting these properties in the SonarQube.Analysis.xml file, in a format corresponding to the current one. Long story short, the msbuild.sonarqube.runner puts the {aes}encrypted password in the Basic authorization field of the HttpRequest sent to SonarQube.
I guess that the client should decrypt the password before putting it in the Authentication header. Otherwise, the SonarQube server won't allow the user to query the properties URI (something like /api/properties?resource=projectKey).
You're right, I've fixed the documentation to reflect the effective format of the SonarQube Scanner for MSBuild.
Regarding the encryption of the sonar.password property, this is currently not supported by the MSBuild Scanner: It does not (yet?) know about the encryption logic, and therefore sees the raw encrypted value only. However, some other properties can be encrypted: the ones that are read during the end step of the SonarQube Scanner for MSBuild, which is under the hood launching the sonar-runner.
I've created the following ticket to keep track of this limitation: https://jira.sonarsource.com/browse/SONARMSBRU-192

Marklogic http post using ssl

I am trying to do an xdmp:http-post to a third-party URL using the MarkLogic (v7.0) query console. The URL is an https:// URL and I was able to install the necessary certificate from the admin console. When I run the post, I am receiving the following error:
[1.0-ml] SVC-SOCCONN: xdmp:http-post("https://xxxxx.............", ()) -- Socket connect error: SSL_connect XXX.XXX.XXX.XX:60855-XX.XX.X.XX:443: key size too small (0x0506706e); DH lib (0x14098005)
Can you please assist me here as to what I might be doing wrong? Do I need to follow any additional steps apart from installing the certificate?
Please let me know if I need to supply additional information.
The server's certificate is using a key size that is too small, and therefore considered to be insecure. Since the host name suggests it's a dev machine, the best thing would be to have them use a longer key if you can.
If that's not possible, you can disable FIPS mode on your MarkLogic server. That can be done through the Admin UI by navigating to http://your.host.name:8001/cluster-admin.xqy?section=cluster&local-cluster=true and setting "ssl fips enabled" to false. Be aware that if you do this, the server will allow you to use ciphers and key lengths that are considered weak.