TylerBurton.ca

Canada still imposes restrictions on encryption. Who knew?

Today I happen to read something that Michael Geist had written about Canada’s state of encryption laws and I was floored. In it he referenced this article which discussed the Government of Canada’s new public consultation on encryption laws. From the article:

Encryption controls have been a challenge for many Canadian software and hardware vendors. Category 5 — Part 2 of Canada’s Export Control List identifies information security items that require a permit in order to be exported from Canada to destinations other than the United States. Because the threshold for control is very low — key lengths in excess of 64 bits (in the case of symmetric algorithms) — many vendors have been surprised to learn that the export or transfer of their encryption goods and technology requires a permit before shipment to their foreign customers. Often, they first discover this when the Canada Border Services Agency detains these goods just prior to export. Failure to obtain a permit prior to exporting or transferring controlled goods or technology can attract significant penalties.

The reason I am so surprised by this is that today, in 2010, 64-bits is nothing. For a recent school project a few colleagues of mine and myself designed a distributed brute-force approach to cracking an RC4 key. Doing some internal algorithm speed tests we determined that a single machine could brute force approximately 402,000 different keys per second. At that rate it would take one machine 1,455,081 years to check all 2^64 keys. Seems pretty good so far huh? Well the problem with this number is that we are not professional cryptographers. RC4 has known weaknesses that allow you to break it faster than a brute force attack would otherwise allow. But assuming you still attempted to complete the brute force method, I highly doubt it would take that long. DES, the older, widely used, encryption standard, also had a key size of 64-bits but, thanks to specially designed hardware, is now able to be broken in less than a week. While it is true that not all algorithms are built equally (i.e. AES with a 128-bit key is more secure than RC4 with the same sized key) it is generally true that having a larger key size and a secure algorithm are good things. According to current Canadian encryption laws 64-bits is deemed to be the strongest security you can legally export without a permit. Clearly this current limitation is simply unacceptable.

When you visit a secure website, for example your bank’s, your browser usually uses a 128-bit or 256-bit secret key to ensure that absolutely no one can listen in. And yet this security, the very security that gives people piece of mind when they shop online, is essentially illegal to export or sell overseas with our current laws. I completely agree with the author of the article when he says that requiring Canadian businesses to secure a permit before they can ship their software puts them at a distinct disadvantage.

Additionally, the Canadian government has allowed themselves to fall behind the security curve in other ways. Recently a good friend of mine was hired for a research job at the Government. In order to move him through the hiring process they requested that he send sensitive materials like his SIN and birth certificate through unencrypted e-mail to them. And you wonder why identity theft is so bad…

We as citizens and workers have some real things to gain or lose depending on the outcome of this consultation. If the current law is allowed to stand we will be stuck at a competitive disadvantage and have to choose between either less security in exported software products or more paperwork.

So do your part and make sure Canada doesn’t get stuck behind the technology curve. Join the debate.

As some of you already know, I am a big fan of the KDE desktop environment (or KDE Workspaces or whatever they’re calling it these days). In my search to reach Linux KDE perfection I have tested out a number of different distributions. First there was Fedora, which I happily ran throughout the length of the experiment. Once that was finished I attempted to install and try both Kubuntu and openSUSE. Unfortunately I was unable to do so after openSUSE decided not to play nice. However my search did not stop there, and once the community edition was ready I jumped over to Linux Mint KDE CE. Finally I decided to once again try openSUSE, this time installing from a USB drive. This somehow resolved all of my installation issues.

Now that I have tried out quite a few of the most popular distributions I figured I would write a little bit to tell you fine people my thoughts on each, and why I will be sticking with openSUSE for the near future.

Fedora 11

• KDE Version: 4.2 – 4.3
• Pros: very secure, not too many modifications of the KDE source, cutting edge
• Cons: could have really used some more modifications of the base KDE packages in order to better integrate GTK+, Bluetooth problems, not always stable
• Thoughts:

  I have written at length about my experiences with Fedora during this experiment. Without re-writing everything again here let me simply say this: Fedora is primarily a GNOME distribution and I could never shake the feeling that KDE got the left-over treatment.

Kubuntu

• KDE Version: 4.3
• Pros: very easy to use, nice integration of GTK+ and GNOME notifications, access to Ubuntu support
• Cons: the hardware drivers application (jockey) simply did not work, very bad sound issues, Firefox could not handle opening file types
• Thoughts:

  When I first installed Kubuntu I was thrilled. Ah, this must be what it’s like to use a real KDE distribution, I thought. Everything seemed smoother and far more integrated then it did in Fedora. For example: OpenOffice.org had a KDE theme and it’s file browser actually used the native KDE one. Furthermore the notification system was awesome. Now instead of a GNOME application, like Pidgin, generating GNOME notifications, it instead integrated right into the standard KDE equivalent.

  Then the problems started to show up. Oh I’ll just download this torrent file and… hmm Firefox doesn’t seem to know what to do with it. Why can’t I set the file type options inside of Firefox for torrents? Why doesn’t it use the system defaults? Then the sound issues came. YouTube stopped putting out audio all together and all of my attempts to fix it were futile. Maybe it’s just my hardware but Kubuntu just could not handle multimedia at all.

  While Kubuntu is definitely one of the better KDE experiences it is by no means problem free.

Linux Mint KDE CE

• KDE Version: 4.3
• Pros: excellent package manager, easy to use
• Cons: sound issues, WiFi issues, is this actually a KDE desktop? there are so many GTK+ applications in it…
• Thoughts:

  After hearing much praise for Linux Mint I decided to give the newly released KDE community edition a go. I must say at first I was very impressed. The package manager was far superior to KPackageKit and even included things like user ratings and comments. It also came bundled with many tools and applications designed specifically for Linux Mint. Sadly very few of these were re-written in Qt and so I was forced to deal with GTK+ skinning almost everywhere.

  Sound issues similar to those in Kubuntu (maybe it’s something in the shared source?) started to crop up almost immediately. Again YouTube just did not work no matter how much I tried to fix it. Finally the WiFi connection was very poor, often disconnected on what seemed like a specific interval.

  While I think this distribution has a lot going for it I can only suggest the GNOME desktop for those who want to give it a try. The KDE version just does not seem polished enough to be recommended for someone looking for the ultimate KDE distribution.

openSUSE

• KDE Version: 4.3
• Pros: very responsive, a lot of streamlined tweaks, rock solid WiFi, excellent audio
• Cons: slower to boot, uses quite a bit of RAM, too much green
• Thoughts:

  Installing openSUSE seemed like an awful idea. After reading all of the complaints that both Phil and Dave had written over the course of the experiment I have to admit I was a little hesitant. However, I am very happy I decided to try it anyway; openSUSE is an excellent KDE distribution.

  Everything about it, from the desktop to the little helpful wizards, all seem to be designed with one purpose in mind: make openSUSE the easiest, or at the very least most straightforward, distribution possible. YaST, often a major source of hate from my fellow Guinea Pigs, does indeed have some quirks. However I honestly think that it is a very good tool, and something that streamlines many administrative tasks. Want SAMBA network sharing? Just open up YaST and click on the wizard. Want restricted codecs? Just hop on over to openSUSE-Community and download the ymp file (think of it like a Windows exe).

  My time with openSUSE so far has been wonderful. My network card seems to actually get better range then ever before, if that’s even possible. My battery life is good and my sound just plain works without any additional effort. If I had one complaint it would be with the amount of RAM the distribution uses. After a quick reboot it takes up a very small amount, around ~350MB or so. However after a couple of hours of general use the RAM often grows to about 1-1.5GB, which is far more than I have seen with the other distributions. Thankfully I have 4GB of RAM so I’m not too worried. I wonder if it has something to do with the fact that I am running the x64 version and not the x86 version. Perhaps it assumes I have at least 4GB of RAM for choosing the newer architecture.

  Whatever the case may be I think I have finally found what I consider to be the very best KDE Linux distribution. Obviously your results may vary but I look forward to hearing what you think.

This piece was cross-posted over at The Linux Experiment.

I have been meaning to write up a short post about this for a while, but thanks to the start of a new school term I have been a bit busy.

If you have seen the security news in the last month or so you will know that RSA-768, a 768bit or 232 decimal digit asymmetric key, has been broken (factored). This has important security repercussions for all of us because it is these public key algorithms like RSA, or ElGamal, that guard our online transactions, and e-mail conversations.

So just how much should we be worrying about this newest ‘break’?

When it comes to public key cryptography it is important to remember that their security is essentially in our inability to factor them quickly. The only real way that public key cryptography could be considered broken is if we find a way to drastically increase our ability to factor massive prime numbers. Thankfully that time is still far away. In fact after digging into the news articles a little more it quickly became obvious that the feat of factoring a 768bit key, while incredibly difficult, was inevitable.

So what now?

Nothing. Currently the most popular asymmetric key size in use is 1024bit, which represents a work load increase of over 1000 times when compared to RSA-768. Still afraid? Check out the list of RSA challenges that have been issued over the years and just how few have actually be ‘broken’.

In choosing my current PGP/GPG public key I decided to go with a 2048bit one, which, according to all accounts, will be safe for years to come. As always, I recommend checking out this site for the most up to date key length recommendations from the world’s foremost cryptography experts.

There you have it

With the knowledge that you’re online transactions are still perfectly safe you have nothing to worry about.

For reference, the currently recommended key lengths for asymmetric encryption algorithms, like RSA, are 1976bit (BSI recommendation for use after 2016), 2048bit (NSA recommendation for current and future use), and 2432 (ECRYPT II recommendation for protection until at least 2030).

I honestly don’t remember how I came across this awesome project but I am certainly glad I did! XMLVM is a software toolchain which is designed to take cross-compilation to a whole new level. Rather than just offer OS portability, XMLVM is able to actually offer OS, hardware and programming language portability.

Here’s how it works: you write a program in a programming language of your choice, say .NET. Once compiled you send it through the first step of XMLVM which analyzes the produced CIL and creates an XML document out of it. It would end up looking like something similar to this:

<clr:ldc type=”int” value=”2″/>
<clr:rem/>

Next this XML document is fed through what XMLVM calls the data-flow analysis (DFA). Basically you can think of DFA as a pseudo-language that simply describes the operations that the program is trying to perform. Once in this form the code is considered portable. XMLVM then lets you pick a target, for example the Java JVM, and automates the conversion of the DFA to an XML representation of the java byte code. From there it’s an easy conversion back to true java byte code.

Now think about this in practical terms for a second. That means that you can write a program in a .NET language (C#), and have it automatically ported and compiled to Java. Expand on this a bit and consider that you can write the same program in any language and have it converted to any other language. Currently the XMLVM offers a lot of other cool options as well and has actually been designed a lot with mobile devices in mind. Now you can write a program once and have it automatically converted to Objective-C, to run on the iPhone, and to Java to run on Android.

I really hope that this project continues to improve and I will certainly be watching it closely. It is still very early in development but from what I have seen it is simply brilliant.

Well, at least for now. Check out the site to see what everyone thought about the experiment as a whole.

Check it out here: The Linux Experiment

Well GPG to be more accurate

As my existing key was set to expire at the end of this year I have issued myself a brand new one! After much though I finally decided that creating a new key from scratch was the best idea, rather than simply adding a new subkey, because I wanted to move away from DSA/ElGamal toward RSA primarily because of the weakening of SHA1. If this all sounds like gibberish to you then don’t worry, the details aren’t nearly as important as the security provided by my new key.

If you’d like to make use of my new key please head over to the About Me section where you will find it!

That’s right an update to your favourite hash verification program!

This update includes a few new features that some of you might find useful. It also includes help documentation which walks you through how to use it!

New Features

• Menu strip for even easier use
• Export features allows you to automatically write all of the hashes to a single file
• About dialog that provides information about the program
• Help documentation

Requirements:

• All platforms: .NET 2.0+ / Mono, a graphical display
• *nix platforms: WinForms (identified as System.Windows.Forms)

As always the binary only package contains just the executable, whereas the all package contains the source code as well.

As someone who has recently begun to experiment with the Linux operating system I have also been introduced to .NET’s Linux’s cousin Mono. This has made me question what the best cross-platform program language to use is. I am familiar with both Java and various .NET languages (Visual Basic & C#) so I decided to run a few tests to see what the resource usage on my Linux laptop is like between these two competing platforms.

Hardware

CPU Information

• Processor (CPU): Intel Core2Duo CPU P8600 @ 2.40GHz

Memory Information

• Total Memory (RAM): 4GiB
• Swap Partition Size: ~6GiB

OS Information

• OS: Linux 2.6.30.9-102.fc11.x86_64
• System: Fedora  11
• Desktop Environment: KDE 4.3.3

Display Info

• Model: ATI Mobility Radeon HD 4670
• Driver: 2.1.9026 FireGL

Hard Drive Info

• Memory: 320GiB 7,200 RPM SATA

Software

I am using Java version 1.6.0 and Mono version 2.4.2.3 for these tests.

Test Setup

For the following tests I have provided source code for both the Java and the C# implementations. I then ran the programs and checked their CPU and memory usage.

Test I

Simple write/read test to the console. CPU usage was recorded before the read.

Java code:

import java.io.IOException;

public class TestI {

     public static void main(String[] args) {

          System.out.println(“Hello World”);

          try {
               System.in.read();
          } catch (IOException e) {
               e.printStackTrace();
          }
     }

}

C# code:

using System;

namespace TestI
{
     class MainClass
     {
          public static void Main(string[] args)
          {
               Console.WriteLine(“Hello World!”);

               try {
                    Console.Read();
               }catch(Exception e){
                    Console.Write(e.StackTrace);
               }

          }
     }
}

Results:

Test II

Simple primitive variable usage. CPU usage was recorded before the read.

Java code:

import java.io.IOException;

public class TestII {

     public static void main(String[] args) {

          byte b = 0;
          short s = 0;
          int i = 0;
          long l = 0;
          float f = 0;
          double d = 0;
          boolean bo = true;
          char c = ‘a’;

          //set them all to something
          b = 1;
          s = 1;
          i = 1;
          l = 1;
          f = 1;
          d = 1;
          bo = false;
          c = ‘b’;

          try {
               System.in.read();
          } catch (IOException e) {
               e.printStackTrace();
          }

     }

}

C# code:

using System;

namespace TestII
{
     class MainClass
     {
          public static void Main(string[] args)
          {
               byte b = 0;
               short s = 0;
               int i = 0;
               long l = 0;
               float f = 0;
               double d = 0;
               bool bo = true;
               char c = ‘a’;

               //set them all to something
               b = 1;
               s = 1;
               i = 1;
               l = 1;
               f = 1;
               d = 1;
               bo = false;
               c = ‘b’;

               try {
                    Console.Read();
               }catch(Exception e){
                    Console.Write(e.StackTrace);
               }
          }
     }
}

Results:

Test III

Simple primitive variable usage, this time with arrays. Same as above but with arrays of 10,000 for each primitive. The arrays were set using loops similar in structure to the following:

for(int x=0; x<10000; x++)
{
     b[x] = 1;
}

Results:

Test IV

Simple object usage. CPU usage was recorded before the read.

Java code:

import java.io.IOException;

public class TestIV {

     public static void main(String[] args) {

          SimpleClass sc = new SimpleClass();

          sc.setID(5);
          sc.setName(“Hello World”);

          System.out.println(sc.getString());

          try {
               System.in.read();
          } catch (IOException e) {
               e.printStackTrace();
          }
     }

}

public class SimpleClass {

     private int _ID;
     private String _name;

     public SimpleClass()
     {
          //default constructor
     }

     public SimpleClass(int ID, String name)
     {
          _ID = ID;
          _name = name;
     }

     public int getID()
     {
          return _ID;
     }

     public void setID(int ID)
     {
          _ID = ID;
     }

     public String getString()
     {
          return _name;
     }

     public void setName(String name)
     {
          _name = name;
     }
}

C# code:

using System;

namespace TestIV
{
     class MainClass
     {
          public static void Main(string[] args)
          {
               SimpleClass sc = new SimpleClass();

               sc.setID(5);
               sc.setName(“Hello World”);

               Console.WriteLine(sc.getString());

               try {
                    Console.Read();
               }catch(Exception e){
                    Console.Write(e.StackTrace);
               }
          }
     }
}

using System;

namespace TestIV
{

     public class SimpleClass
     {

          private int _ID;
          private String _name;

          public SimpleClass()
          {
               //default constructor
          }

          public SimpleClass(int ID, String name)
          {
               _ID = ID;
               _name = name;
          }

          public int getID()
          {
               return _ID;
          }

          public void setID(int ID)
          {
               _ID = ID;
          }

          public String getString()
          {
               return _name;
          }

          public void setName(String name)
          {
               _name = name;
          }

     }
}

Results:

Test V

Simple object usage, this time with arrays. Same as above but with arrays of 10,000 for each object. The arrays were set using loops similar in structure to test III:

Java code:

import java.io.IOException;

public class TestV {

     public static void main(String[] args) {

          SimpleClass[] sc = new SimpleClass[10000];

          for(int x=0; x<10000; x++)
          {
               sc[x] = new SimpleClass();
               sc[x].setID(5);
               sc[x].setName("Hello World");

               System.out.println(sc[x].getString());
          }

          try {
               System.in.read();
          } catch (IOException e) {
               e.printStackTrace();
          }
     }

}

C# code:

using System;

namespace TestV
{
     class MainClass
     {
          public static void Main(string[] args)
          {
               SimpleClass[] sc = new SimpleClass[10000];

               for(int x=0; x<10000; x++)
               {
                    sc[x] = new SimpleClass();
                    sc[x].setID(5);
                    sc[x].setName("Hello World");

                    Console.WriteLine(sc[x].getString());
               }

               try {
                    Console.Read();
               }catch(Exception e){
                    Console.Write(e.StackTrace);
               }
          }
     }
}

Results:

Test VI

Everyone’s favourite bubble sort with 10,000 integers.

Java code:

import java.io.IOException;

public class TestVI {

     public static void main(String[] args) {

          int[] array = new int[10000];

          //fill array
          for(int i=0;i           {
               array[i] = 10000-i;
          }

          boolean swapped;

          do
          {
               swapped = false;

               for(int i=0;i                {
                    if(array[i] > array[i+1])
                    {
                         int temp = array[i+1];
                         array[i+1] = array[i];
                         array[i] = temp;

                         swapped = true;
                    }
               }
          }while(swapped);

          System.out.println(“Sorted”);

          try {
               System.in.read();
          } catch (IOException e) {
               e.printStackTrace();
          }
     }

}

C# code:

using System;

namespace TestVI
{
     class MainClass
     {
          public static void Main(string[] args)
          {
               int[] arr = new int[10000];

               //fill array
               for(int i=0;i                {
                    arr[i] = 10000-i;
               }

               bool swapped;

               do
               {
                    swapped = false;

                    for(int i=0;i                     {
                         if(arr[i] > arr[i+1])
                         {
                              int temp = arr[i+1];
                              arr[i+1] = arr[i];
                              arr[i] = temp;

                              swapped = true;
                         }
                    }
               }while(swapped);

               Console.WriteLine(“Sorted”);

               try {
                    Console.Read();
               }catch(Exception e){
                    Console.Write(e.StackTrace);
               }
          }
     }
}

Results:

All Results

Conclusions

Well there you have it. It seems that at this point in time Mono is not only mature enough to compete against a seasoned veteran programming language like Java, but in some cases good enough to even supersede it. This is wonderful news for people looking for alternative cross-platform high level languages.

Well its almost time for me to create a new PGP key. My current key for tyler at tylerburton dot ca is set to expire at the end of the year and I am trying to determine what the best way to migrate to a new key is. Some people suggest simply adding a new encryption sub key and then changing the original signing key’s expiry date so that individuals wishing to verify your signatures can continue to do so uninterrupted. Unfortunately my current key is an ElGamal/DSS based one and, after the recent increased attacks on SHA1, I would really prefer to move to an RSA based key.

Alas I think I’m going to have to just create a new key and sign it with the current one. If anyone has any better alternatives please let me know!

Some of you may remember an old Windows program of mine called Hash Verifier. It was a graphical utility that allowed people to generate hashes of their files, and then compare those to known hashes, ensuring that their files had not been corrupted. Well in recent months my foray into the world of Linux has finally taken me into the realm of programming on that platform. Being primarily a .NET developer on Windows I have found the Mono project on Linux to be an absolute breath of fresh air.

“Monkey” project

The Mono project is an open source implementation of Microsoft’s .NET common language runtime and a C# compiler. On Linux the easiest way to program in a Mono language is within the project’s own integrated development environment called MonoDevelop.

C is a sharp language

C# is a very powerful programming language that falls somewhere between C and Java in terms of syntax. While my experience with C# has been limited in the past, I was easily able to pick it up quickly thanks to my background in both C and Java, as well as fellow .NET language Visual Basic.

The challenge

Digging up an old .NET project of mine, Hash Verifier, I decided to challenge myself to port the application to Mono. In order to do this I needed to accomplish the following:

• The original application ran on Microsoft’s .NET on the Windows platform. The new application must run on both .NET on Windows and Mono on supported platforms.
• The original application was written in Visual Basic. The new application must be written in C#.
• The original application has a GUI powered by the native Windows.Forms. The new application needs to have a GUI that works in a similar way on all platforms.
• The new application must be able to fully re-create all of the old application’s features and functions.

Porting = easy

I must say that porting this old application to C#/Mono was a relatively straightforward task. Although I had plenty of GUI toolkits to choose from I ended up sticking with the existing Windows.Forms. Once I had decided on using Windows.Forms as the basis for my GUI (WinForms is a free and open source implementation for non-Windows users!) I set out to create my new application. I was literally able to open the old Visual Basic GUI designer file, copy the code into my Mono workspace, change the syntax to C# and voila it worked!

In fact the only tricky part was trying to figure out a compatibility issue that .NET/Mono 2.0 seem to have with the new Windows Presentation Foundation (WPF). I’ll save you the gory details but basically drag and drop functionality would not work. I eventually rectified this issue by including a compiler flag telling .NET/Mono to execute the form in single thread apartments mode. You can see where I did this in my code by looking right above my static main function:

[STAThreadAttribute]
public static void Main()
{
…
}

Final result

With the application complete I must say I am impressed. Crafting and running applications for Mono is extraordinarily simple to do, seems very powerful, and the application itself only takes up a couple of MiB to run. In the future I definitely plan on doing more of this type of development now that I am using different operating systems every day.

Hash Verifier

If you are still using the old version of Hash Verifier, or if you would just like to try it out you can download the new Hash Verifier in two different ways. The package marked binary only contains just the program itself and the relevant documentation. The package marked all contains both the program, documentation as well as the source code.

Requirements:

• All platforms: .NET 2.0+ / Mono, a graphical display
• *nix platforms: WinForms (identified as System.Windows.Forms)