HTTP Server on SIM Card & Certification - security

I was wondering how to read certificates put in a SIM card (http://stackoverflow.com/questions/12705603/read-write-certificates-on-a-sim-card-ios), but the fact was it depended every time on the phone considered, which was a bit inconvenient.
Then I bumped into this report, saying that you could implement secure HTTP servers on SIM cards.
My question: does anyone know how to configure/use this technology? For instance, check certificates via HTTP? (Any documentation would be welcome!)
Thanks,

Related

Client authentication in p2p network without middle server

I am thinking about a complicated chat application where two clients can connect to each other directly, like in a p2p network. The complexity of my idea is in both the network and the security (authentication).
NETWORK PART
As far as I have read on the internet, a p2p connection can be achieved by TCP HOLE PUNCHING. In most examples of hole punching, I have seen a middle server that helps clients pass their addresses to each other. Imagine that server goes down. I still want my clients to be able to find each other. A very crazy idea is for them (for example my application's users, as humans, not the code) to use any other communication channel to tell each other a code (which is generated from some data). I want this data to contain the client's {local ip, local port, public ip and public port} (which were used in all the examples of TCP hole punching that I have seen).
Can this data be found by the client itself, and is it enough? (Consider the help of extra HTTP REQUESTS from the client to find out its PUBLIC IP ADDRESS.)
Also, are there any better ideas than using TCP hole punching? My clients are mostly behind NATs.
AUTHENTICATION AND SECURITY PART
I am trying my best to rely less and less on a middle server for help. My client applications can perform a Diffie-Hellman key exchange and encryption after their connection is established. But as I want real users to use this application, I need some way for clients to authenticate each other. I am not looking for this app to be used by a wide range of users. So maybe they can actually see each other sometimes (in the real world) and transfer some sort of file over Bluetooth (or another file-sharing system at the application layer) that can be their authentication token. This token may be used later to authenticate each other when they want to establish a connection over the network. Well, this is my only idea:
The problem here would be that if Jack and Rose meet and transfer their personal tokens, Jack later has Rose's authentication token and can use it to pretend to be Rose when he is talking to Jim.
Unless this token is generated with the same value for both of them and somehow means it is a token only for {Jack and Rose} communication, and the token for {Jim and Rose} is different. (I mean it's a unique token for any conversation or pair of users.)
Would there still be any risks? Can any sort of networking attack or other trick break this?
You can refer to the WhatsApp end-to-end encryption white paper:
https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
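An added example (not from the question or the answer) of the Jack/Rose/Jim problem: a per-user token can be replayed by anyone who received it, while a per-pair secret used as an HMAC key over a fresh nonce and the Diffie-Hellman public values cannot. All names, the message layout and the placeholder DH bytes are assumptions.

```python
import hashlib
import hmac
import secrets

class User:
    def __init__(self, name):
        self.name = name
        self.personal = secrets.token_bytes(32)  # scheme A: one token per user
        self.peer_tokens = {}  # scheme A: peer name -> that peer's personal token
        self.pair_keys = {}    # scheme B: peer name -> secret for this pair only

def meet(a, b):
    # Constructed in-person exchange (Bluetooth, QR code, ...), both schemes.
    a.peer_tokens[b.name], b.peer_tokens[a.name] = b.personal, a.personal
    a.pair_keys[b.name] = b.pair_keys[a.name] = secrets.token_bytes(32)

def verify_personal(verifier, claimed, token):
    # Scheme A: whoever presents the claimed user's token is accepted.
    known = verifier.peer_tokens.get(claimed)
    return known is not None and hmac.compare_digest(known, token)

def prove(key, prover, verifier, nonce, dh_transcript):
    # Scheme B: HMAC over length-prefixed fields; the key never crosses the network.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (prover.encode(), verifier.encode(), nonce, dh_transcript):
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()

def verify_pairwise(verifier, claimed, nonce, dh_transcript, proof):
    key = verifier.pair_keys.get(claimed)
    return key is not None and hmac.compare_digest(
        prove(key, claimed, verifier.name, nonce, dh_transcript), proof)

def demo():
    jack, rose, jim = User("Jack"), User("Rose"), User("Jim")
    for a, b in ((jack, rose), (rose, jim), (jack, jim)):
        meet(a, b)
    nonce = secrets.token_bytes(16)       # fresh challenge chosen by Jim
    dh = b"rose-dh-public|jim-dh-public"  # placeholder for both DH public values
    forged = prove(jack.pair_keys["Rose"], "Rose", "Jim", nonce, dh)
    genuine = prove(rose.pair_keys["Jim"], "Rose", "Jim", nonce, dh)
    return {
        # Jack replays the token Rose gave him, and Jim accepts him as Rose.
        "personal_impersonation": verify_personal(jim, "Rose", jack.peer_tokens["Rose"]),
        # Jack holds K(Jack,Rose) and K(Jack,Jim), but not K(Rose,Jim).
        "pairwise_impersonation": verify_pairwise(jim, "Rose", nonce, dh, forged),
        "pairwise_genuine": verify_pairwise(jim, "Rose", nonce, dh, genuine),
        # Swapped DH values change the transcript, so the proof is rejected.
        "pairwise_swapped_dh": verify_pairwise(jim, "Rose", nonce, b"swapped", genuine),
    }
```

Binding the proof to the DH public values is what ties the authentication to the key exchange; a proof over the nonce alone could be relayed by someone running their own DH exchange with each side.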

Our own web Services vs IoT's APIs to have highest security

I have two scenarios for implementing IoT devices and I want to know which one is more secure, because I am a programmer and have only a little knowledge of network issues.
The main goal is to implement IoT devices and to be able to modify and configure them from outside the local network. Assume we have an IoT device in a smart house and I want to change its configuration from outside the house by changing some parameters.
NOW:
First Scenario:
Indicated in red on the left of the picture below.
Writing our own web services and making them accessible by setting up a "static IP" and using "Port Forwarding" + SSH in order to have a highly secure connection.
In this story, the user types the static IP into the address bar from outside the smart house, connects to the web services, and can make modifications.
Now my question is whether this way can be harmful for our firewall and network?
Does this way open a firewall port permanently?
If all users can send requests, do we have attackers that can attack other devices or not?
We can have our own authentication for more safety.
Second Scenario:
Indicated in blue on the right of the picture below.
In this scenario we are using APIs from the IoT company instead of writing our own services. The user sends a request to the IoT company, and in our smart house we have a gateway from the IoT company which sends a request, for instance once per second, to check whether there is anything on the IoT company's server, and if there is, makes the modification.
Because in this scenario the IoT company might use a DHCP IP instead of a static IP, is it possible for this to harm the firewall?
I am not sure, but I think the firewall will be opened whenever there is a request, so is it possible that this way is more secure?
If possible, I would suggest not opening any port on the IoT device. This does create a lot of worries as the question suggests.
Instead, would it make sense in your case to have the IoT device poll a web service for instructions? You could use web sockets or long-polling if it's important for the devices to be highly responsive to incoming requests.
Mahsa's description is not detailed enough, so I decided to add some more information... otherwise it would be a "what tastes better: a pear or an apple?" discussion.
More precise scenarios
The first scenario (S1) uses port forwarding. This port can be used by everybody on the internet. Security is based on the software and implementation of that web service, which has to be well maintained and regularly updated.
The second scenario (S2) polls an internet server maintained by the manufacturer (Philips). The local IoT gateway initiates a TCP/HTTP REST request to the Philips Hue server on the internet. The firewall/NAT does not need to be changed at all. "Open port whenever we need" is not 100% correct; it's a NAT firewall which accepts only packets from the request destination, the Philips server (SPI).
Please read about how networks, firewalls and NAT work in most environments before making assumptions:
Network: OSI Layers 3,4,7 (and at the moment we talk about IPv4 ;-)
Firewall/SPI: Stateful Packet Inspection
NAT: Port-restricted cone or symmetric
Questions of safety
What is "safety" in your case? You have to define what you want to protect. In this case it's the local network, so that no intrusion is possible. The detailed "what is more safe?" questions are:
A1) port-forwarding or A2) port-restricted/symmetric NAT and SPI?
B1) pattern user ⇒ firewall ⇒ own webservice ⇒ gateway or B2) pattern user ⇒ Philips-server ⇐ firewall ⇐ gateway
C1) security is based on higher layer 5-7 or C2) based on lower layers 3+4
Side aspects
The picture should show that the "own web service" can NOT talk directly to the IoT device. It has to talk to the IoT device over the gateway/bridge.
This means you have to set up a local web server parallel to the IoT gateway.
D) Costs, effort and the maintenance of such a local web service... is it really needed to have a secure scenario?
Please send your answers A-D
and some arguments would be nice. Perhaps you will also find some other security issues E, F, G, H... let us know. Thanks, Frank
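An added sketch (not from either poster) of the A1/A2 comparison above: a toy NAT firewall in which a port forward delivers packets from any source, while an outbound poll only creates state for the server that was polled. Class and function names and all addresses are constructed; real stateful inspection also tracks protocol state and timeouts.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class NatFirewall:
    """Simplified model: port forwards (S1) plus a connection-state table (S2)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.forwards = {}   # public port -> (lan ip, lan port), open to any source
        self.state = {}      # (public port, remote ip, remote port) -> (lan ip, lan port)
        self.next_port = 40000

    def port_forward(self, public_port, lan_ip, lan_port):
        self.forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, pkt):
        # A LAN host opens a connection: remember exactly which peer may answer.
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.state[(public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # Returns the LAN (ip, port) the packet is delivered to, or None if dropped.
        if pkt.dport in self.forwards:
            return self.forwards[pkt.dport]
        return self.state.get((pkt.dport, pkt.src, pkt.sport))

# Constructed addresses (RFC 5737 documentation ranges and a private LAN).
VENDOR, STRANGER, HOME = "198.51.100.10", "203.0.113.66", "192.0.2.1"

def scenario_s1():
    fw = NatFirewall(HOME)
    fw.port_forward(443, "192.168.1.20", 8443)  # own web service behind the NAT
    return {who: fw.inbound(Packet(ip, 50000, HOME, 443))
            for who, ip in (("vendor", VENDOR), ("stranger", STRANGER))}

def scenario_s2():
    fw = NatFirewall(HOME)
    out = fw.outbound(Packet("192.168.1.30", 51000, VENDOR, 443))  # gateway polls
    return {
        "vendor_reply": fw.inbound(Packet(VENDOR, 443, HOME, out.sport)),
        "stranger_same_port": fw.inbound(Packet(STRANGER, 443, HOME, out.sport)),
        "stranger_443": fw.inbound(Packet(STRANGER, 50000, HOME, 443)),
    }
```

In S1 every source reaches the web service, so its own authentication and patching carry the whole load; in S2 only the polled server's replies match the state table.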

Simple VOIP programming concept

When installing VoIP software such as Kphone or vock (with Node.js), it always specifies a server-side and a client-side installation. If both VoIP chat users already know each other's client IP address, why do we still need to install software on the server side? Or is it that, since the IP of phone or website VoIP users is dynamic rather than static, we need to keep each VoIP user's information, such as their dynamic IP, on the server side so that the two VoIP clients can communicate? Is this correct in concept?
Developers can just write client-side VoIP software if both clients' IPs and ports are fixed or static, with no need for server-side assistance. Is that correct? The server side just acts as a bridge between two clients if their IPs are dynamic, right?
Please advise
You answered your question mostly correctly.
One of the main purposes of a VoIP server (among routing/billing/IVR/voicemail/others) is the registrar functionality. This means that softphones can register to the server, and then any peer can easily contact the softphone via the server, since this solves all dynamic/private IP issues. However, in SIP you can always make calls directly between two endpoints by specifying the exact location, so:
- If your softphone is registered to a server, then you call the peer by its username, like: abc
- If your softphone is not connected to a server, then you can still call other phones by exact SIP URI, like: abc#ipaddress:port
The SIP bible can be found here: RFC3261

PCI - Card Data Transmission

I understand that PCI compliance affects not just storage of card details, but does it also affect transmission? E.g. if I simply want to collect a card number and transmit it over HTTPS, does this require PCI compliance steps to be taken?
PCI does require protection for card data at rest and in transit, so yes, this will require you to take steps to comply.
This is covered in great detail on Security Stack Exchange using the PCI-DSS tag.
Yes, if you transfer card data somewhere (no matter where: between the user's browser and your server, between your scripts, between script, database and back, between your server and PayPal / Authorize.net / whatever), you must make all these channels secure.
Say, with an SSL layer. Do everything using HTTP*S*, not just simple HTTP, and make sure your server's SSL certificate is correct and up to date.

Is it possible to register a public server, and protect the origin of the actual processing server?

Tough question. It has to do mainly with security, but also computers. Probably not been done yet.
I was wondering, is it possible to host, for example, a web application, yet be able to hide *where* the actual server is and/or who the originator is, making it very, very hard (practically impossible) for someone to track the origin of the server and who is behind it?
I was thinking that this might be possible through a third-party server, preferably with an owner unrelated to the proxy sites. But the question then also becomes an issue of the reliability *of* the third party.
Does the TOR network have support for registering to receive incoming requests rather than outgoing ones? How secure would that be? Might it be possible that the TOR network has been infiltrated by, for example, a big government (read USA)? (Don't get angry, please enlighten me, as I do not know much about how the TOR network is hosted.)
How can one possibly create such a secure third-party server, that preferably does not even know who the final recipient of the request is? Third-party companies might be subjected *to* pressure from governments, either directly from powerful *nations* such as the USA, or by the USA applying pressure on the government of the country where the server is, which applies pressure on the company behind it and forces you to enable a backdoor. (Just my wild fantasy; thinking of the worst-case scenario is my motto :) ).
I just came up with the idea that, since this is probably *impossible*, the best way would be to have a bunch of distributed servers across several nations, making it as hard as possible to go through each and every one of them to find the next bouncing server. This would have to be a linked list, with one public server being registered in DNS. If compromised, the public server needs to be replaced with another one.
request from user0 -> server1 -> server2 -> server3 -> final processing server -> response to user0 or through the incoming server chain.
When sending a response to someone, could it be done using UDP rather than TCP to hide who the sender was (also in a web application)? So that a middleman listening to incoming responses (and outgoing requests) on user0's computer does not figure *out who the final* processing server is, if we decide to respond directly to user0 from the final processing server?
The IP of server1 will be public and known to anyone. server1 will send the message to server2, and it is possible to figure that out by listening directly behind server1's traffic node, but perhaps it could hide its own origin if not being listened to directly, so that if big governments have filters on big traffic nodes or routers, they wouldn't be able to track who it came from, and therefore what the message to server2 is intended for. It would blend in with all other requests.
Anyhow, if you have followed my thoughts this far I think you should know by now what I am thinking about.
Could this be possible through a P2P network, with a central server behind it, and have the P2P network deliver it to the final server respond in some pattern? The idea is to have one processing server, and then have "minor", "cheaper" servers that act as proxies?
The reason I keep saying central server is that I am thinking web. But any thoughts on the matter are interesting.
For those who wonder why... I am looking into creating something as secure as possible that could withstand government pressure (read BlackBerry, Skype and others).
This is also a theoretical question.
PS.
I would also be interested in knowing how one could have a distributed SECURE database (for keeping usernames, friend lists and passwords, for example), but this time it is not necessary for it to be on the web. A P2P software with a distributed secure database.
Thanks!
Yes, you're reinventing Tor. You should research Tor more fully before going further. In particular, see Hidden Service Protocol. Tor is not perfect, but you should understand it before you try to reinvent it.
If you want to find an ant's nest, follow the ants. If you want to find the original server, follow the IP packets. If you meet a proxy server not willing to provide their path, call the server administrator and have your men in black put a gun on his head. If he does not comply, eliminate the administrator and the server. Carry on following the ants in their new path. Repeat the operation until server is reached or server can't communicate anymore.
So no, you can't protect the origin and keep your server up and running when your men in black can reach any physical entity.
