How-to build secure systems – Part 2

kb
This is part 2 of How to build secure systems. For part 1 click here. You have secured client-server communication with SSL. Well, in today's world that is just not enough. Enable two-factor authentication. By using two-factor authentication you guarantee that even if the PC of the user is compromised, his data won't be. You can use a two-factor service like Google, or implement it yourself. It is easier than it looks. First you generate a secret code according to TOTP. Store it next to the user account. Generate a QR code based on the TOTP. Scan the QR code. Use a free app to seed the OTP generator. Provide a 30 second OTP from the authenticator to the login screen.…
How-to build secure systems – Part 1

kb
Building Secure Systems - Part 1
The inspiration for this article is the recent WikiLeaks disclosures of the CIA operations. Building secure systems is not an easy task. It is a complex problem that requires software developers to think like hackers and look at the system as a whole, not just review their own code and call it a day. Here are some of the lessons we have learned while building our Password Manager - Keepassa. I will try to keep this blog post as platform agnostic as possible. Guidelines to build secure systems. Use encryption - encrypt sensitive data with industry-leading algorithms. You can use AES, Serpent or Twofish. It's best to combine two algorithms, to be sure that recent progress in quantum computing,…

Linux, Java, SSL and Randomness

kb
Late night deployment and randomness
During deployment of Keepassa, our password manager, last night I had an interesting issue. The server process (embedded Jetty) hung on startup, just before building the SSL Context Factory. As we have migrated from OpenBSD to CentOS on our staging and production servers, I first thought that it was a CentOS issue, as the code was running fine on my Ubuntu workstation. As CentOS uses an old version of OpenSSL, and that was the only difference in the stack, I upgraded the OpenSSL library on the staging server. AFAIK, nothing changed. Then I tried changing the Linux kernel options (sysctl.conf), but still nothing happened. The bootstrap process was just hanging on startup. jstack to the rescue. After some head scratching I fired jstack, to trace…