Here’s the gpshell script to install MuscleApplet on a ‘Gemalto TOP IM FIPS CY2′ (Cyberflex Access 64k v2) Smart Card:
mcardInstallFormat-CyberFlex64kV2c.txt

A truck parked next to my window and my coworker took a picture.

It looks a bit like I’m studying someone from a control room or a tiny floating space ship. :p

The Problem

In 1996, the fastest reasonable residential connection you could get was a 28.8kbit modem, and the fastest reasonable ISP network connection was 100MBit ethernet. It was overkill, but you could easily sustain about 3,472 customers simultaneously, as they all saturated their bandwidth completely.

Today, the fastest reasonable residential speed in North America is between 5mbit and 20mbit, and in Japan and Europe speeds easily approach 50mbit in some places, and the fastest reasonable ISP network connection nowadays is 1gbit ethernet. Now you can only service 200 customers saturating their download links at 5mbit (Just about the slowest high speed you can find) and if your customers run at 50 mbit then you’re down to 20 customers, and that’s all it takes to bring a gigabit uplink to its knees. 10gbit connections are becoming more and more reasonable, and there will be more so as time goes on, but it’s hardly keeping pace with the advances in residential internet speed, and the gap between residential and ISP interconnects keeps getting smaller and smaller.

In addition to that, the idea that 3,472 customers in the same area would all be simultaneously downloading at full speed in 1996 was a ludicrous hypothetical. Today, it’s getting closer and closer to reality. A solid percentage of customers are exactly the type who will turn their modems on full blast day and night, and if you’re reading my blog then you probably know at least one of them ;)

On top of that, your data doesn’t just make a direct line between your connection and the destination. It gets aggregated into a web of super fast connections like blood flowing from capillaries to veins and arteries, and back to capillaries again. These super links are called backbones, in which the many thousands of connections to your local area become many millions of connections (Some of which are business or university or military customers that use up gigabits just by themselves), and when you add it all up it’s not pretty. In my experience, there’s never been a time that the backbone providers didn’t charge the ISPs for bytes transferred.

So what’s an ISP to do? The answer, thusfar, seems to be a combination of limiting download speeds during peak hours, and charging overage fees for heavy consumers, because there simply isn’t enough speed to go around.

The Idea

My idea is deceptively simple. Right now, if a thousand people in the same area download the same youtube clip (as an example) then every one of those thousand downloads goes through the same links. In other words, one video is transmitted down the same path a thousand times, meaning ISPs need a thousand times more speed in their interconnects, and pay a thousand times more in backbone fees than is actually required to provide their customers with that video clip.

My solution is deceptively simple. Cache it. And cache it in such a way that any application, from web browsers to torrent clients, can all interact with the same cache. It could be as simple as a server that accepts a hash, and replies with the data.

Example Applications

A web user browser visits http://www.example.com/bigpicture.png The browser retreives http://www.example.com/CacheInfo?bigpicture.png and gets a hash description, then checks the cache server for it. If it’s not present, it downloads the image as normal, and then supplies a copy of it to the hash server. This can probably be done with a firefox plugin or some other simple implementation.

A torrent client (Which already has access to hashes in order to do its job) does a query for each piece of the file from the cache server when it first starts downloading, and retrieves those before it even bothers to access the peer-to-peer network. This just needs a proof of concept and then chances are most torrent clients will incorporate it.

Windows update, and other automatic downloads could be modified to take advantages of these servers, saving Microsoft, you, and your ISP.

Problems and Solutions

If you see any problems with this idea, you’re welcome to add a comment to this post. Here’s a few I’ve thought up myself:

Q: Wouldn’t this require some huge effort to get it standardized?
A: No. With browser plugins and open source torrent clients, it can be implemented now, and deployed on private networks such as offices and apartment buildings and hotels. Someone just needs to make the cache server and some proof of concept implementations such as special browser/torrent client plugins. Standardization would help it, and it will be a lot easier if there’s some implementations floating around out there first.

Q: You’ve explained why ISPs would want this, but why would end users want this?
A: Cacheing makes downloads faster. You want this, especially if you’re a prolific downloader, and you’ll be losing out if it’s offered to you and you pass. On top of that, ISPs could set up a system where they charge you for everything except cache downloads, so that you have to use it or else face possible overages.

Q: What if someone downloads kiddie porn? Wouldn’t the ISPs be liable if it’s found on their cache server? / I don’t want people knowing that I download unauthorized copies and porn, but I still want to benefit from cacheing.
A: It’s possible to obfuscate the data on the cache server in a way that the server operator has no idea what’s on it. Consider a protocol like this. You, as a cache contributor, know the hash, and the hash data. So you could encrypt the hash data with the hash using AES or something., and then send a hash-of-the-hash to the server. The server would have no way of finding out the hash, or the data. But as a cache consumer who knows the hash, you can provide the cache server with that same hash-of-the-hash, and get the encrypted data, and then decrypt it with the hash. Even if they sniff this interaction, they will still be unable to ever find out what’s in there. Hopefully, there’s enough sanity in the justice system that people won’t be sued successfully for serving up data that is totally unknown to them, based on what you get when you decrypt it.

Q: What about abusers of the cache service?
A: The cache server would expire unused hashes, so if you upload fluff then it’ll promptly disappear from the cache server anyway. If you maliciously upload corrupt data then the server can check and verify it, unless you’re using a privacy scheme like the one described above, in which case it will have to be policed the same way as e-mail. Complaints would be generated, and log files will become suspicious, and the credentials used to access the cache server by the malicious user would be revoked or turned read-only. Size caps can also be implemented, so there will have to be some sort of protocol for breaking up huge files into bite sized chunks, preferably implemented in the client.

Q: How will I know what cache to use?
A: A search progression could be used. For example, if it doesn’t find it in one, it can check the next. If this gets implemented on your local network, your LAN administrator will tell you which cache to use. If it gets implemented by your ISP, they’d have to set up a special address such as ucache.isp.com much like how they set up their e-mail servers, only it would have to be dynamic depending on who asks so it points at the cache server closest to you in their network.

Feel free to take a look, and leave a comment on the page.

Ever since I discovered public key cryptography can be used for authentication and e-mail privacy, I’ve been itching to use it, but one thing always held me back. I feared that the possibility existed for a hacker to secretly breech my personal computer, copy out the sensitive private key, and spy on my communications or emulate my authentication with impunity, while I remained blissfully ignorant. Passwords were no better, but I never thought setting myself up with private key authentication and privacy was going to be worth the hassle of carefully guarding my private key.

My prayers were answered when I discovered smart cards (And their USB equivalent, the ’security token’). These nifty little devices interface with your computer, but they keep your private key secret, and perform all the decryption and cryptographic signing themselves. At no point, even during a cryptographic operation will the private key become known to the computer. Perfect!

The problem is that the software needs to know how to cooperate with the token in order to make use of the well concealed private key, and I’ve been waiting a long time for Linux software utilizing this technology to mature to a usable point. After an experience with a brute force SSH attacker at work, I’ve decided that time had come. So, I set out to achieve the following goals:

• Part 1: Buy a few USB cryptographic tokens online, and configure them under Linux, and generate public keys, private keys, and SSL certificates.
• Part 2: Establish secure authentication for SSH
• Part 3: Use a token with PGP
• Part 4: Establish secure authentication for my web server
• Part 5: Establish secure authentication for my OpenVPN server

First, I decided upon OpenSC as the software I’d like to use to interact with my smart card. It’s supported by directly an SSH patch, and it implements the PKCS#11 standard library, which I’ve learned is considered the defacto standard for software to interact with smart cards and other cryptographic tokens. So I went to the site and looked for which USB token to get, and it appeared that the device which had the most testing and support from the OpenSC team was the Aladdin eToken PRO USB 32k. I found a supplier on eBay that offered them in lots of ten for a reasonable price.

Here’s how I got it going under Linux:

• I installed openct (The smart card reader/driver software), and install opensc to use it. I did this under my Gentoo install by adding ’smartcard’, ‘openct’, and ‘opensc’ to my USE flags and running:
  

  emerge opensc

• I was told by a site or two to ensure USB support, and hotplugging support were activated in my kernel, and the hotplug software has been installed, but this was already done.
• I popped in my token and ran:
  

  $ opensc-tool –list-readers
  Readers known about:
  Nr. Driver Name
  0 openct Aladdin eToken PRO
  1 openct OpenCT reader (detached)
  2 openct OpenCT reader (detached)
  3 openct OpenCT reader (detached)
  4 openct OpenCT reader (detached)

• Success! My USB token was recognized. Here are the steps I used to create the PKCS#15 structure and my private keys:
  

  $ pkcs15-init -EC
  New Security Officer PIN (Optional – press return for no PIN).
  Please enter Security Officer PIN:
  Please type again to verify:
  Unblock Code for New User PIN (Optional – press return for no PIN).
  Please enter User unblocking PIN (PUK):
  Please type again to verify:
  $ pkcs15-init –store-pin –auth-id 01 –label “Daniel Benoy”
  New User PIN.
  Please enter User PIN:
  Please type again to verify:
  Unblock Code for New User PIN (Optional – press return for no PIN).
  Please enter User unblocking PIN (PUK):
  Please type again to verify:
  Security officer PIN required.
  Please enter Security officer PIN:
  $ pkcs15-init –generate-key rsa/1024 –auth-id 01 –split-key -u sign,decrypt
  Security officer PIN required.
  Please enter Security officer PIN:
  User PIN required.
  Please enter User PIN:
  Security officer PIN required.
  Please enter Security officer PIN:

• Watch out. I learned the hard way that if you don’t set a PUK on your SO PIN and your User PIN then three wrong PIN entries in a row will render your token useless! Luckily I found a copy of the Windows drivers and was able to use those to do a low level format and recover the use of my device (With the keys gone of course) I imagine if you did this on any other smart cards you may not be as lucky. Also be sure to use ‘-u sign,decrypt’ if you want to use your eToken for PGP decryption as well as authentication. The –split-keys part is an artifact of the eToken hardware, and is not needed on other cards.
• Next, I reconfigured OpenSSL to use the smart card to generate and self-sign a certificate. I installed the engine_pkcs11 plugin for openssl and put the following at the top of my openssl.cnf file.
  

  openssl_conf = openssl_def

  [openssl_def]
  engines = engine_section
  [engine_section]
  pkcs11 = pkcs11_section

  [pkcs11_section]
  engine_id = pkcs11
  dynamic_path = /usr/lib/engines/engine_pkcs11.so
  MODULE_PATH = /usr/lib/opensc-pkcs11.so
  init = 0

  And ran:

  openssl req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509
  SmartCard PIN:
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter ‘.’, the field will be left blank.
  —–
  Country Name (2 letter code) [AU]:.CA
  State or Province Name (full name) [Some-State]:.Ontario
  Locality Name (eg, city) []:.
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:.Daniel Benoy
  Organizational Unit Name (eg, section) []:.
  Common Name (eg, YOUR name) []:Daniel Benoy
  Email Address []:

  Please enter the following ‘extra’ attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

  Now the certificate has been generated so I put it on the card:

  $ pkcs15-init –store-certificate req.pem –auth-id 01 –id 45 –format pem
  Security officer PIN required.
  Please enter Security officer PIN:

And then I was set. Next, it was time to set up my card to authenticate me with SSH. Keep watching my blog for more!

Well, I’m back now with a fresh look and a fresh version of Wordpress, and I’ve learned a few things from my last time around. I’ve decided to limit my posts to things I’ve put more thought into, and taking my time between posts to get things right. Also, this site will serve as more than just a weblog. I’m going to use it as a point of contact to share information with my friends and family (For example, sharing photos, contact information, resumes). So I’ve renamed the site to “The Daniel Benoy Homepage” to better reflect its new purpose.

Welcome back, and thanks for visiting.

Your friend,
Daniel Benoy