Saturday, September 30, 2017

Session tickets in TLS and possible security flaws

Here is an interesting post about session tickets in TLS 1.2 and possible security flaws. The author describes how session resumption works in TLS 1.2, and then discusses three possible flaws in this mechanism. He also mentions how the issues are going to be addressed in TLS 1.3.

Enjoy!

WE NEED TO TALK ABOUT SESSION TICKETS

Thursday, September 14, 2017

Diffie-Hellman key exchange in Java

Diffie-Hellman key exchange is a method that allows two parties with no prior knowledge of each other to establish a shared secret over a public (insecure) channel. This shared secret can then be used to derive a key for a symmetric cipher like AES (from a high-level perspective, that's what happens when establishing a TLS connection).

Java supports the Diffie-Hellman scheme via the KeyAgreement class. Here is an example of how Diffie-Hellman key exchange can be implemented in Java.
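The exchange described above, as an added example that is not code from the original post: both parties run KeyAgreement, and the raw shared secret is hashed with SHA-256 to get an AES key (the hashing step and all class and method names are my own choices, not something the post specifies).

```java
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.*;

public class DiffieHellmanExample {

    // Generates a DH key pair; null params means "pick a default 2048-bit group"
    static KeyPair generateKeyPair(DHParameterSpec params) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("DH");
        if (params == null) generator.initialize(2048); else generator.initialize(params);
        return generator.generateKeyPair();
    }

    // Combines our private key with the peer's encoded public key and derives
    // an AES key. The raw DH secret is hashed rather than used directly as a key.
    static SecretKey deriveAesKey(KeyPair mine, byte[] peerPublicEncoded) throws Exception {
        PublicKey peerPublic = KeyFactory.getInstance("DH")
                .generatePublic(new X509EncodedKeySpec(peerPublicEncoded));
        KeyAgreement agreement = KeyAgreement.getInstance("DH");
        agreement.init(mine.getPrivate());
        agreement.doPhase(peerPublic, true); // rejects a key from a different (p, g) group
        byte[] sharedSecret = agreement.generateSecret();
        byte[] keyBytes = MessageDigest.getInstance("SHA-256").digest(sharedSecret);
        Arrays.fill(sharedSecret, (byte) 0); // wipe the raw secret
        return new SecretKeySpec(keyBytes, "AES");
    }

    public static void main(String[] args) throws Exception {
        KeyPair alice = generateKeyPair(null);
        // Bob must use the same group (p, g); he reads it from Alice's public key
        DHParameterSpec group = ((DHPublicKey) alice.getPublic()).getParams();
        KeyPair bob = generateKeyPair(group);
        // Only the encoded public keys cross the wire; nothing here authenticates
        // them, which is what TLS adds on top with certificates.
        SecretKey aliceKey = deriveAesKey(alice, bob.getPublic().getEncoded());
        SecretKey bobKey = deriveAesKey(bob, alice.getPublic().getEncoded());
        System.out.println("Keys match: "
                + Arrays.equals(aliceKey.getEncoded(), bobKey.getEncoded()));
    }
}
```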

Monday, September 11, 2017

How to parse command line arguments in Java

Sometimes we need a simple parser for command line options. Here is a simple example of how such a parser can be implemented in Java:

Wednesday, August 9, 2017

Starting TLS 1.3 server with OpenSSL

At the moment the TLS 1.3 specification is still a draft, but OpenSSL already supports it. According to this blog post, the OpenSSL git master branch "contains our development TLS 1.3 code which can be used for testing purposes".

Here are the steps to build OpenSSL with TLS 1.3 support and run a local server for testing.

Thursday, March 23, 2017

Getting a caller's class and method names in Java

Sometimes a method needs to know which class and method called it. For example, this can be helpful in a logger. A logger can print information about the caller like this:

[SomeClass, main]: main() started
[AnotherClass, method]: hello
[SomeClass, main]: main() finished
There are a couple of ways to get information about the caller in Java. First of all, Java has an internal `sun.reflect.Reflection.getCallerClass(int)` method, but it might not be a good idea to use classes from the `sun` package because they can be changed, removed or updated in any new Java release. Another thing is that you'll need a permission to access the `sun` package if you run your application with a security manager (is anybody doing this?). Let's try to use the public API.
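One way to do it with the public API of Java 8, as an added example rather than the post's own code: Thread.getStackTrace() returns the current call stack, and the frame two levels above the logging helper is the caller (class names are mine; the output matches the sample above).

```java
public class CallerLogger {

    // Returns "[SimpleClassName, methodName]" for the method that called log().
    // Stack layout: [0] getStackTrace, [1] callerInfo, [2] log, [3] the caller of log.
    // Walking the stack is not cheap, so don't do this on a hot path.
    private static String callerInfo() {
        StackTraceElement[] stack = Thread.currentThread().getStackTrace();
        if (stack.length < 4) {
            return "[unknown, unknown]";
        }
        StackTraceElement caller = stack[3];
        String className = caller.getClassName();
        String simpleName = className.substring(className.lastIndexOf('.') + 1);
        return "[" + simpleName + ", " + caller.getMethodName() + "]";
    }

    static void log(String message) {
        System.out.println(callerInfo() + ": " + message);
    }
}

class AnotherClass {
    void method() {
        CallerLogger.log("hello");
    }
}

class SomeClass {
    public static void main(String[] args) {
        CallerLogger.log("main() started");   // [SomeClass, main]: main() started
        new AnotherClass().method();          // [AnotherClass, method]: hello
        CallerLogger.log("main() finished");  // [SomeClass, main]: main() finished
    }
}
```

Since Java 9 the StackWalker class offers the same information without building the whole stack trace array.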

Monday, March 6, 2017

MicroPython on ESP8266: sending data to ThingSpeak

Here is a tutorial about using MicroPython on ESP8266. The post describes how to use MicroPython to measure temperature and humidity, and to send the data to ThingSpeak.

MicroPython on ESP8266 with DHT22 and ThingSpeak

Saturday, March 4, 2017

Problems with running MicroPython on ESP8266 with 512K

The post below describes a couple of problems you may run into if you use MicroPython on ESP8266 boards that have less than 512K of flash.

Monday, February 27, 2017

How to list files in a directory with Java 8

Here is how it can be done with older Java versions:

import java.io.File;

File folder = new File("path/to/dir");
File[] files = folder.listFiles(); // null if the path is not a directory
if (files != null) {
    for (int i = 0; i < files.length; i++) {
        if (files[i].getName().endsWith("txt")) {
            System.out.println("File found: "
                    + files[i].getName());
        }
    }
}
You might also use a for-each loop, which would make it nicer. Now we have streams in Java 8:

import java.nio.file.*;
import java.util.stream.Stream;

// Files.list() opens a directory handle, so close the stream when done
try (Stream<Path> files = Files.list(Paths.get("path/to/dir"))) {
    files.filter(file -> file.toString().endsWith("txt"))
         .forEach(file -> System.out.println("File found: " + file));
}

It doesn't look shorter (although you can write it in one line and still be able to read it), but there are no loops and ifs.

There is one disadvantage in the approach with streams (or at least one). If something throws a checked exception inside forEach(), you'll need to catch it there. You can't add a "throws" clause to the method that contains this code, because the lambda passed to forEach() is not allowed to throw checked exceptions, and the Java compiler will complain about that.
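The usual way around that limitation, as an added example that is not from the original post: wrap the checked exception in UncheckedIOException inside the lambda and unwrap it again outside the stream, so the enclosing method can still declare "throws IOException" (the method and class names are mine).

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.stream.Stream;

public class ListTextFiles {

    // Prints the size of every .txt file in dir. Files.size() throws the checked
    // IOException, which the forEach() lambda cannot declare, so it is wrapped in
    // UncheckedIOException inside the lambda and unwrapped again outside the stream.
    static void printSizes(Path dir) throws IOException {
        try (Stream<Path> files = Files.list(dir)) { // close the directory handle
            files.filter(f -> f.getFileName().toString().endsWith(".txt"))
                 .forEach(f -> {
                     try {
                         System.out.println(f + ": " + Files.size(f) + " bytes");
                     } catch (IOException e) {
                         throw new UncheckedIOException(e);
                     }
                 });
        } catch (UncheckedIOException e) {
            // Also covers the UncheckedIOException that Files.list() itself may
            // throw while iterating; the caller gets the original IOException.
            throw e.getCause();
        }
    }

    public static void main(String[] args) throws IOException {
        printSizes(Paths.get(args.length > 0 ? args[0] : "."));
    }
}
```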

Enjoy.

Friday, February 17, 2017

Getting started with ESP8266 and MicroPython

Here is a tutorial about running MicroPython on an ESP8266 board. The article contains step-by-step instructions for flashing an ESP-07 with MicroPython and running the standard "Hello World" project for microcontrollers - driving an LED.

Tuesday, January 17, 2017

Fuzzing GUI applications: AbiWord

It's relatively easy to run fuzzing for a headless application. A headless application doesn't have any GUI and can simply be run in a terminal: you take your favorite fuzzer and feed fuzzed data to the application. Normally, a headless application just processes the data and then quits or crashes right away. But it may be a little different if you are trying to fuzz an application with a GUI. This blog post explains how to run fuzzing for AbiWord - an open source text editor.

Read more about Fuzzing GUI applications

Sunday, January 15, 2017

Quick fuzzing of MessagePack

MessagePack is a serialization protocol. It has an implementation in C/C++. Let's check if it has any memory corruption issues. We'll use American Fuzzy Lop and AddressSanitizer for that.

More about MessagePack fuzzing