
Thursday, March 21, 2024

Create an ECDSA signature with C# that can be verified using OpenSSL

The .NET framework includes a handy library that can be used for generating digital signatures. However, the default output format is not DER, so the signature cannot be verified using OpenSSL. There are many solutions on the Internet, but they are super complex. The real solution is really simple: literally half a line of additional code. So here is some C# code that outputs a DER-encoded ECDSA signature that can be verified using OpenSSL:



  using System.Security.Cryptography;

  // assume data is a byte array that contains the data to be signed
  var ecdsa = ECDsa.Create(); // generates an asymmetric key pair
  byte[] signature = ecdsa.SignData(data, HashAlgorithmName.SHA256,
      DSASignatureFormat.Rfc3279DerSequence); // DER output instead of the default format

The last parameter of SignData does all the job :) You can find the official documentation of this method overload here

Tuesday, April 4, 2023

Authenticate users in python scripts using their Google account


Google offers user authentication through OpenID Connect. Although this feature is usually used by web sites, it can also be used with desktop applications. In this repository you can find a Python3 script that authenticates users based on their Google account.

The script opens a web browser that redirects the user to Google's authorization page and, at the same time, starts a web server that "listens" for the access code. Upon receiving the access code, it "exchanges" it for an ID token that includes user information.

Since the client secret of a desktop application cannot be easily protected, this script leverages Proof Key for Code Exchange by OAuth Public Clients (PKCE), a technology defined in RFC 7636 and supported by Google. With PKCE, the script generates a random code verifier and transmits its SHA-256 hash when requesting the access code. Then, it transmits the actual code verifier when requesting the ID token.

Tuesday, March 28, 2023

A simple role-based access control system for .NET

In many cases, I need a simple solution for adding authentication and authorization to my .NET project, so as to easily develop the rest of the system. I need something simple, e.g., hardcoding some user information in the configuration file. ASP.NET Identity is overkill most of the time. So I decided to create my own solution. You can find the source code of my solution in this GitHub repository.

The most important part is in the appsettings.Development.json file where users, their passwords, and their roles are defined. For example:


  "AuthorizedUsers": {
    "administrator": {
      "Password": "admin!",
      "Roles": [ "Administrator" ]
    },
    "user1": {
      "Password": "user1!",
      "Roles": [ "User" ]
    }
  }

Then, in the Program.cs file the following code must be added:


builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";

    });

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});
...
app.UseAuthentication();
app.UseAuthorization();

User authentication is handled by the Account controller. By default, all pages can be accessed only by authenticated users. If you want to restrict a page to a particular role, a decorator can be added to the corresponding controller method, e.g.:


[Authorize(Roles = "Administrator")]
public IActionResult Admin()
{
   return View();
}

I hope you find this code useful.

Wednesday, April 6, 2022

Make fun things with your home IoT devices, securely over the internet.

I am planning to start a series of posts discussing how to put your IoT devices on the internet and do fun stuff with them. I will provide them as GitHub Wiki pages, and I will also provide code and scripts when this is possible. This page will act as a placeholder.

Interact using Alexa with your IoT devices

In this first post I use the excellent, free Cloudflare Tunnel to make my Raspberry Pi accessible over the internet using a custom domain and HTTPS, with only a few clicks and at no cost (apart from the cost of the domain name).

Then I provide an Amazon Alexa Skill that can be used for interacting with your Raspberry Pi using your Alexa device! In this simple example, I am implementing a simple REST API which is invoked using voice commands.

Have fun!


Thursday, April 9, 2020

Deploying smart contracts to ganache using python and web3

Ganache is a useful tool that emulates the Ethereum blockchain on your local machine, and it is very practical for testing smart contracts. Most tutorials explain how to deploy a smart contract in Ganache using Truffle, which is a development framework by the same company. But this is not necessary. Here, I explain how to write and compile a contract using Remix, and deploy it using Python and web3.py.

Write your smart contract in Remix and compile it. Then press the "ABI" button on the bottom left (see picture) and paste the output in a file. This will be our ABI_file. Do the same with the "Bytecode" button. This will be the bin_file. Then you can use the Python script from this GitHub repository. Make sure you have installed the dependencies and that you have modified the ABI_file and bin_file variables of the script accordingly.




Tuesday, July 28, 2015

Create self-signed certificate with extensions

For testing reasons I wanted to create a self-signed certificate that includes the subject alternative name extension, using openssl. Most guides require the creation of an openssl configuration file. I found out that this can be done without any configuration file, using only two openssl commands and a file that contains the subject alternative name extension parameters.

The first command is the following:

openssl req -newkey rsa:1024 -keyout server.key -out server.csr -subj '/C=GR/ST=Attiki/L=Athens/O=Fotiou Corp/OU=Security Department/CN=localhost/emailAddress=my@email.address' -nodes

This command creates a new private key and a new certificate signing request. Let's see the command parameters:

-newkey rsa:1024     It creates an RSA 1024-bit key
-keyout server.key   This is the file where the private key is stored
-out server.csr      This is the file where the certificate signing request is stored
-subj ...            This is the information included in the certificate
-nodes               This command parameter instructs openssl to not encrypt the private key

Now create a file and insert the subject alternative name extension parameters. In this example, I have created a file named extentions.cnf which contains the following text:

subjectAltName=DNS:example.com, DNS:localhost

This line indicates that this certificate is valid for two DNS names, namely example.com and localhost. You may notice that the CN included in the -subj command line parameter is also included here, because most browsers ignore the CN field when the subject alternative name extension is used. Finally, the following command creates the desired certificate:

openssl x509 -req -days 365 -signkey server.key -in server.csr -out server.crt -extfile extentions.cnf


Where:
-days 365                 It is the number of days for which the certificate is valid
-signkey server.key       It is the private key generated previously and it is used to sign the certificate
-in server.csr            The certificate signing request we created with the previous command
-out server.crt           The file in which the certificate will be stored
-extfile extentions.cnf   The file we created with the subject alternative name extension parameters

Monday, October 14, 2013

The unfortunate cookies

Cookies sent over plain HTTP to Google websites can reveal information about a user


Disclaimer
The following has been reported to Google and is considered not an issue.

Recently, while visiting Google Scholar, I noticed that on the top right corner my Google username was displayed.

This appeared to me very strange, since I was not accessing this service using HTTPS. I fired up Wireshark and I revisited Scholar once again. From the captured traffic it was obvious that my browser was sending a bunch of cookies over plain HTTP. I stored these cookies to a file, I imported them to a Firefox private browsing window and I visited Google Scholar once again. To my surprise, my username was still there. Moreover, I was able to see my citations and my updates just as if I were signed in. By observing the cookies I noticed that most of them were for the domain *.google.gr, so as a next step I visited http://www.google.gr/ig in the same private session: all gadgets that do not require authentication (like weather) were there!

But the surprises continued. I edited the cookies file and I replaced the domain *.google.gr with *.youtube.com, I loaded the new file in a new Firefox private browsing window and I visited http://www.youtube.com. As can be observed from the screenshot, my username, my subscriptions, as well as posts of my friends in Google+, all were there!


It is astonishing how much information about a user can be gained simply by monitoring a mere HTTP session.

Edit 1:
Even if the user logs out, the captured cookies continue to reveal the same information.


Wednesday, August 1, 2012

A proxy re-encryption implementation

Proxy re-encryption is a scheme that allows a proxy to re-encrypt a ciphertext, encrypted with the public key of a user A, into a ciphertext that can be decrypted with the private key of a user B, without having access to the private key of A or B, or to the plaintext.

Green and Ateniese describe an identity-based proxy re-encryption scheme in their paper and prove its security. An implementation of their solution can be found in my GitHub repository. This is a Python implementation using the Charm Crypto tool.