Screen with bytes of info

RSS Feed
Technology Bytes Archive




Apache Include Directive

     For the websites that I run (Technology Bytes, Paasch Family Website, and Public Keyring), I use Apache HTTP Server.  It is one of the most used web servers around and it's open-source.

     I have been modifying and adding to it's configuration different directives for how I want my websites to display and how I want Apache to function.  Recently, I've noticed that my config file was getting very large and part of that is because I duplicate directives that I want to apply to several parts of the file.  There had been times when I would apply some directive or two to a part and then later forget to apply it to another area which resulted in unexpected results.  I started to think that there must be a better way to manage this so that I would only have to specify a directive in a common place and it would be applied to all the places that I wanted.

     I remembered that when I first set up SSL/TLS on my website, I included the httpd-ssl.conf file that comes with Apache in the "extra" directory.  So I decided to look up what the Include directive does and if it can be used to split apart the config file into manageable pieces.

     After looking up the directive on the Apache website and doing some testing, I found that the config file can be split up and that the Include directive can be used to import the pieces.  This allows the common directives to be specified in a separate config file and then whenever they are needed, an Include can be specified with the location of that common config file.

JSignPdf Logo

     There are many times I create a PDF (Portable Document Format) file.  I do so when I want to send or give someone a document that is portable and that can reproduce the desired output upon print.  I find that it's also a good way to preserve a document.  But I realized that even though I may share a PDF file with others, that doesn't prevent it from being modified or replaced.  This was more of a concern at my work as we save certain e-mails as PDFs to retain information relating to a project.

     I desired to be able to sign my PDFs like an e-mail so that it can be clearly noted that it hadn't changed.  Or if it did, it wouldn't have my key signature.  So I started looking around to see if it was possible.  I knew I had heard of code signing but I wasn't sure if it was possible to sign PDFs with a private key.

     After searching, I did find that PDFs could be signed but there were programs that could be bought to do it.  I was hoping to find something free and after a little patience, I came across JSignPdf.  I found that it is a open-source project that runs on Java.  It takes a private key in the PKCS12 format (among other formats and from the computer's store) and uses it create a new PDF that is signed.

     After trying it out a bit, I found another important feature that it sported: the ability to timestamp from a timestamp server.  There are servers dedicated to keeping a clock and a signature so that when a document is signed, it can be timestamp with a time from a trusted server that tells what time the document was signed.  One timestamp URL that I have used and that is trusted from Adobe's point of view is from GlobalSign:
http://adobe-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23

     Though I was unable to get a free PDF signing certificate that naturally validates in Adobe Reader, I still sign my PDFs with my free e-mail public key.  It does show a warning, but at least it shows that it has been signed and timestamped.

The certificate's chain was not ordered correctly

     I recently purchased a new domain name and with each domain name, I create an administrative e-mail account that ends in that domain's name.  In this case, I wanted to go ahead a create a digital ID (S/MIME X.509) certificate and I like to create digital ID keys with a large key length.

     In the past, I had found that when creating a digital ID, most CAs (Certificate Authority) use the browser to generate the keys and that different browsers have different options for key length.  I found this by using Mozilla's sample KEYGEN form.  When using Firefox or Google Chrome, it only gives two choices for length: High Grade (which is 2048 bits) and Medium Grade (which is 1024 bits).  Internet Explorer 8 doesn't support the tag and I couldn't get Safari to run properly on Windows.  Finally, I was able to test Opera and found that it supports thirteen different key lengths starting at 1024 all the way to 4096.  So I decided to use Opera to generate my digital ID with a key length of 4096.

     My favorite CA is StartCom's StartSSL.com.  To log in, it is required to have the account digital ID imported into the browser and it uses that to authenticate the session instead of a username and password.  Since I didn't have my digital ID for my account imported into Opera, I attempted to do so and this is where I ran into problems.

     I opened Opera, clicked on the Opera button at the top left, moved my mouse to Settings, and then clicked Preferences.  I clicked the Advanced tab, clicked the option Security, and then clicked the Manage Certificates button which brought up the Certificate Manager window.  I then made sure I was on the Personal tab and chose the import button to import my identity.  When I selected the file, it gave me the error,  The certificate's chain was not ordered correctly.  I tried it a couple of times and still kept getting the error.

     I started using Google to look up what other people have said about it.  I found that some people converted the file to a different format, rearranged the certificate data in the file, and then re-converted it back to the PKCS12 (p12/pfx extension) that Opera can read.  I tried rearranging the certificate data several different ways but still kept running into the error.  Finally, I actually complete removed the root CA certificate key from the file and left the intermediate CA certificate key, my public key, and my private key (encrypted) in the file, converted it back and Opera took it!  So for me, removing the Root CA Certificate Key was required to get Opera to recognize it.

     The way I converted the file was using the following process with OpenSSL (original.p12 is the original file that contained my digital identity):
I converted my original identity to ASCII PEM:
openssl pkcs12 -in original.p12 -out temp.pem

I then took the temp.pem file I created and opened it up with a text editor.  I figured which one was the Root Certificate and removed it and saved the file.
I then converted the file back to PKCS12 so Opera could read it:
openssl pkcs12 -export -aes256 -in temp.pem -out new.p12

Once this was done, I then imported the new.p12 file into Opera.

PHP Script

     I have been recently working on a project to get a script to run when my server receives an e-mail that is addressed to a particular address.  The idea is to parse out the e-mail that is received and do some operation based on the contents of the e-mail.  I have worked so much in PHP that I thought it would be good to use to handle the work I would like to be done.

     I have done this thing before using Postfix to handle the incoming mail and direct it to a script defined in the alias file.  Inside alias, it runs the PHP executable with the PHP script passed in as a parameter.  This is just fine and works well, but I noticed when doing some other research that it is possible to run a PHP script directly without calling the executable file.

     All that is required to run a PHP script (at least on *nix systems) is to place the #! and the location of the executable on the first line of the script:
#!/usr/local/bin/php
Then just start the script as you would any other PHP script with the PHP tags and you're good to go!  Oh, don't forget to make the file executable by running chmod +x on the file.

@ with padlock

     I was working on getting some website SSL\TLS certificates when I came across a website that gave me a digital ID to use as part of authenticating myself with my account on their website.  I was told I could also use it to sign e-mails and to receive encrypted e-mails.  So I decided to do some investigation and decided to share what I've learned.

What is a signed e-mail?
     A digitally signed e-mail (using a digital ID) is an e-mail with basically an additional piece of information.  That information is used to prove or disprove that the message (or data) in the e-mail hasn't been altered since it has been signed.  The signature is generated by taking the message and creating a hash value and then encrypting that hash value with a private key.

     Below is an illustration of how signing works.  Data is the e-mail message.
Signing illustration

     For the recipient to determine if the e-mail has or has not been altered and if it really came from the sender, the signed information is used to verify the message as seen in the following illustration.
Verification illustration

What is an encrypted e-mail?
     An encrypted e-mail is a message that has been altered to prevent anyone from reading it except the intended recipient.  This is accomplished by using two types of encryption: asymmetric and symmetric encryption.  First the message is encrypted with a secret key (symmetric) and then the secret key is encrypted by the recipient's public key (asymmetric).  The message (or data) is not decipherable except for the recipient who has the private key that goes with the public key, uses it to decrypt the secret key, and then uses the secret key to decrypt the message.

     The following illustration demonstrates how a message (Clear text) gets encrypted sent through the internet and then decrypted by the recipient.
Message encryption illustration

What are public and private keys?
     There are two types of cryptography: symmetric and asymmetric.

Symmetric Key Cryptography
     Symmetric key cryptography uses a single key to encrypt and decrypt information.  Anyone who has the key can do either operation.  Most people are used to symmetric as we can relate this to a car door lock; you use the same key to lock or unlock the door.  If you lose the key and someone finds it, they could lock or unlock the car door.

Asymmetric Key Cryptography
     Asymmetric key cryptography uses two keys.  What one encrypts (locks) the other can decrypt (unlock) and vice-versa.  However, if one encrypts data, the same key CANNOT be used to decrypt it.  This is why it's called asymmetric.  One of the keys is called the public key because it is usually distributed to anyone freely while the other one is called the private key because the owner of the keys keeps this one private from anyone else.

     Here is an illustration for asymmetric key cryptography:
Asymmetric encryption illustration

Why would I want my e-mails signed?
     The purpose of signed e-mails is to verify the person sending it and verifying that the contents in the message haven't been changed since it was sent by the sender.  It's not often that someone gets an e-mail from someone that has been altered by someone to say something else but a signed e-mail just ensures that nothing has happened in transit.  This is similar to the wax seals used in the 10th century.

     NOTE:  You can send signed e-mails to anyone without requiring anything from them.  Sending signed e-mails also sends your public key so its a way to distribute your public key to others so they can encrypt messages to you.
A wax seal on an envelope

Why would I want to encrypt my e-mails?
     E-mails go through several routers and servers and are cached (copies are saved/stored) along the way.  Sending an e-mail unencrypted allows anyone along it's path to grab a copy of it and store it for later reading or possible distribution.  Information that you put in such an e-mail without encryption should be considered public readable.  However, if there is information such as a password, financial information, or other sensitive data (credit card numbers), it would be wise to have it encrypted to ensure that only the person receiving the message can decrypt it.

     NOTE: You can only encrypt an e-mail if you have the recipient's public key which means the recipient has to have obtained a digital ID and to have given you the public key (possibly by signing an e-mail to you).

How do I know that some hacker isn't forging a signed e-mail after altering it?
     Someone could intercept your message, remove your signature, put their signature on it, and then send it on.  For this reason, there is what is called a Certificate Authority (CA).  CAs are companies that issue digital certificates.  When a person wants a digital ID, they usually don't generate one themselves, they go to a CA to get one.  You can relate it to getting a drivers license.  You go to the CA (drivers license office) to get an ID.  People don't accept an ID that you create yourself.  CAs go through a process to be "trusted" by web browsers and e-mail clients.  When a CA issues an ID, it is signed by their own certificate saying it was issued by them.  So when a signed e-mail is sent, the recipient can see if the signature certificate (public key) was signed by a trusted CA.  Most e-mail clients check this automatically and generate a warning if it wasn't issued by a trusted CA.  A hacker cannot generate a "trusted" signature so your e-mail would generate a warning if they tried to forge the signature.

How do I know that some hacker isn't able to decrypt my encrypted message and read it?
     First, remember that only the private key can decrypt what the public key has encrypted.  If a hacker has the private key, then he is able to decrypt it.  But as long as you keep the private key safe and not publicly available, they cannot use the private key.  So, then the other method is to try to generate or guess the private key to decrypt the message.  Theoretically, it is possible with time and computing power to figure out what the private key is.  However, depending upon the bit size of the key, it is practically impossible due to the amount of time and power required.  For example, according to digicert.com, it would take 1.5 million years on a 2.2 Ghz AMD Opteron processor with 2GB RAM to break a 1,024 bit certificate and, using the same computer, it would take a little over 6.4 quadrillion years to break a 2,048 bit certificate.  Most certificates use either 1,024 or 2,048 bits.

If I send an encrypted message to someone, how will I be able to read it?
     It is true that if you encrypt a message to someone else, you will be using their public key and thus would not be able to decrypt it since you don't have their private key.  But in truth, that's not all that happens.  Recall that the message is encrypted with a symmetric secret key and that the secret key is then encrypted by the recipient's public key.  When you encrypt a message, the e-mail client should automatically encrypt the secret key with your public key (if you have one) as well.  This way only you and the recipient can actually decrypt the message.

Do I have to send an encrypted message one at a time or can I send it to multiple recipients?
     Just like I mentioned above that the e-mail client should automatically encrypt the secret key with both the recipient's public key and your public key (if you have one), if you try to send an encrypted message to multiple recipients, it will separately encrypt the secret key with each public key.  This way each recipient can use their own private key to decrypt the secret key and then be able to read the message.  Just note that you must have a public key for each recipient.

How do I get a digital ID (public and private keys)?
     To get a digital ID, you must request one from a Certificate Authority (CA).  Digital IDs are tied to an e-mail address (usually) and you can have multiple IDs if you have multiple e-mail addresses.  You fill out a form with the CA which includes your e-mail address and they will more than likely send you a code to your e-mail address which you have to copy and paste into a given webpage to verify to them that you own the e-mail address.  After that, they will generate and install the digital ID into the web browser you are using.  You will have to export it from your browser and import it into all e-mail clients that you use with your e-mail address.

How do I get a digital ID for FREE?
     Most CAs charge for digital IDs but I have found one that will give as many as you need for free.  The company is called, StartCom and their website is https://www.startssl.com

     When you sign up for them, you must use a compatible browser.  Internet Explorer, FireFox, Apple Safari are some that are compatible.  I strongly suggest to NOT use a mobile device such as a phone to register as it is difficult to export your digital ID from your phone.  You can always transfer the certificate to your phone afterward, but I recommend not using your phone for initial setup.

     StartCom issues you a digital ID as part of the sign up process to use as a way to sign in to your account with their website.  Whenever signing up, they will send an e-mail to verify.  Use the same browser window you used to sign up to verify.

     If you are using an iPhone and want to sign and decrypt e-mails with it, you must import your certificate.  I strongly suggest to NOT e-mail the certificate to yourself as that would make the certificate freely available.  I suggest setting up a small web server or some file transfer app that would allow you to retrieve the certificate using a secure means rather than using the internet.