Replacing Symantec VIP with a generic TOTP app

Occasionally, I need to log in to a system that requires the use of a Symantec VIP code.  For those that haven’t come across this before the app displays a 6 digit numeric code that changes every 30 seconds.  When logging in to the system, I have to run the app to get the 6 digit code and then type it in, along with a username and password.

This is an example of pseudo-two-factor authentication: I have my password, something I know, as the first factor; and something I have, the app that generates the code, as the second factor.  (Why pseudo-two-factor? Because the code is generated from a secret, it’s really just a fancy password.)

So, what’s the problem?  I resent having a “special” Symantec app on all my devices because, ultimately, this is just a layer over the standard Time-based One Time Password (TOTP) scheme, as used by Google, Microsoft, Facebook and countless others.

Symantec VIP is actually just a layer over TOTP and, thanks to a clever bit of work by Dan Lenski (in turn forked from Cyrozap’s project), it’s possible to do away with the Symantec VIP application and use a “standard” TOTP app, such as Google Authenticator or Authy.

The instructions provided by Dan are pretty straightforward, but I hit a missing dependency that was required to make it work on my RPi 2B.

What are we actually trying to do?

The 6 digit codes that get generated by authenticator apps are created based on 2 factors: the current time (obviously) and a credential.  To add a new credential to a TOTP app we therefore need a compatible credential.

When you initialise Symantec VIP, it generates a new random credential, but not one compatible with TOTP.  VIP credentials start with 4 letters and then 8 digits.  TOTP credentials are usually 32 letters, often represented as a QR code.  Creating a QR code is a “nice to have” (I only have to type in those 32 letters once, so I did without that).

Cyrozap’s and Dan’s software does the clever bit of creating the TOTP credential from the Symantec VIP credential.

As described above, I’m doing this on a Raspberry Pi 2B which was up to date as of 30th May 2019.

Steps

First, we need Python 3:

sudo -s # Being lazy, saves having to type sudo in front of everything

apt update # Ensure we’re going to get the latest version of packages

sudo apt install python3 # Install Python 3 if not already installed

sudo apt install python3-pip # Install pip (package manager)

Now we can download and install Dan’s python-vipaccess application.

pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
 Collecting https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
   Downloading https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
      | 276kB 10.8MB/s
Collecting lxml==4.2.5 (from python-vipaccess==0.3.1)
   Using cached https://www.piwheels.org/simple/lxml/lxml-4.2.5-cp35-cp35m-linux_armv7l.whl
 Collecting oath>=1.4.1 (from python-vipaccess==0.3.1)
   Using cached https://files.pythonhosted.org/packages/73/e4/8eb7f9b6ba62d41857c54724fb3fde5a8952676e1719ea2099063c1fb253/oath-1.4.3-py2.py3-none-any.whl
 Collecting pycryptodome==3.6.6 (from python-vipaccess==0.3.1)
 Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from python-vipaccess==0.3.1)
 Installing collected packages: lxml, oath, pycryptodome, python-vipaccess
   Running setup.py install for python-vipaccess ... done
 Successfully installed lxml-4.2.5 oath-1.4.3 pycryptodome-3.6.6 python-vipaccess-0.3.1

When running the vipaccess command, I got the following error:

ImportError: libxslt.so.1: cannot open shared object file: No such file or directory

To resolve this, install the two libraries libxml2-dev and libxslt1-dev:

apt-get install libxml2-dev libxslt1-dev

Now you should be able to run vipaccess with no issues:

# vipaccess provision -t VSMT -p
 Generating request...
 Fetching provisioning response...
 Getting token from response...
 Decrypting token...
 Checking token...
 Credential created successfully:
         otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30
 This credential expires on this date: 2022-05-30T14:13:21.891Z

You will need the ID to register this credential: VSMT22195338

You can use oathtool to generate the same OTP codes
 as would be produced by the official VIP Access apps:

    oathtool -d6 -b --totp    SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z  # 6-digit code
     oathtool -d6 -b --totp -v SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z  # ... with extra information

You’ll then need to provide your sysadmin or service desk with the generated credential ID (VSMT22195338 in the example above), then add the credential (SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z in the example above) to your authenticator app and all should be good!
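To show what the authenticator app (and oathtool) actually does with the credential URI that vipaccess prints, here is an added Python example, not from the post and not part of python-vipaccess. It parses an otpauth://totp/ URI, computes the RFC 6238 TOTP code exactly as oathtool -d6 -b --totp does, and includes the server-side check with a clock-skew window. The URI is constructed in the same shape as the vipaccess output, but its secret is the RFC 6238 test key (not a real Symantec credential), and the issuer and ID are placeholders.

```python
"""RFC 6238 TOTP from an otpauth:// URI (added example, not python-vipaccess code)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed URI in the same shape as the vipaccess output. The secret is the
# RFC 6238 Appendix B test key ("12345678901234567890" in base32), NOT a real
# Symantec credential; "EXAMPLE00000000" and "Example" are placeholders.
SAMPLE_URI = (
    "otpauth://totp/VIP%20Access:EXAMPLE00000000?issuer=Example"
    "&algorithm=SHA1&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=6&period=30"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Extract secret, algorithm, digits and period from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    return {
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def decode_base32(secret: str) -> bytes:
    """Base32-decode a secret, tolerating lowercase, spaces and missing padding."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_from_uri(uri: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    cred = parse_otpauth(uri)
    at = time.time() if at is None else at
    counter = int(at) // cred["period"]
    return hotp(decode_base32(cred["secret"]), counter, cred["digits"], cred["algorithm"])


def verify_code(uri: str, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and the `window`
    adjacent steps on either side (clock skew), comparing in constant time."""
    cred = parse_otpauth(uri)
    key = decode_base32(cred["secret"])
    at = time.time() if at is None else at
    base = int(at) // cred["period"]
    for step in range(base - window, base + window + 1):
        expected = hotp(key, step, cred["digits"], cred["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # At the RFC 6238 test instants the 6-digit SHA1 codes are 287082, 081804, 050471, 005924.
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp_from_uri(SAMPLE_URI, at=t))
    print("now:", totp_from_uri(SAMPLE_URI))
```

Paste the real URI from vipaccess in place of SAMPLE_URI and the script prints the same code as oathtool and the VIP Access app; if they disagree, the usual causes are a clock that is off by more than the window, or a secret that was copied with a transcription error (decode_base32 will raise on bad characters).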

Posted in Hints and Tips, Security, Tools | Leave a comment

C Development on a Micro:bit

I wanted to have a fiddle writing code for the BBC Micro:bit in C, where I’d have access to the full potential of the device, most importantly the Bluetooth functionality.

Creating your own programs offline requires a non-trivial setup, regardless of your operating system.  Mostly for my own benefit, here are the URLs and simplified steps required to get up and running:

Yotta

I followed the instructions on https://lancaster-university.github.io/microbit-docs/offline-toolchains/.  What follows are my notes on what I had to do to make it work, over and above the instructions (and what

Yotta is based on Python 2.  As I generally only code Python 3 this wasn’t a problem as there is a download of Yotta with all dependencies, available from http://yottadocs.mbed.com/#installing.

This will create two environment variables, YOTTA_INSTALL_LOCATION and YOTTA_PATH; the latter is added to the system path when you use the batch file run_yotta.bat, which is added to the desktop.

Grab SRecord from http://srecord.sourceforge.net/.  This won’t get added to the path automatically; you have to do it manually.

Finally, you need GNU ARM Embedded Toolchain, from here: https://developer.arm.com/open-source/gnu-toolchain/gnu-rm/downloads.

Before you start running stuff though, you’ll need a user created on http://developer.mbed.org.  This is because when you run yotta for the first time, it’ll want you to authenticate with this site before downloading some dependencies.

Then you can run “Run Yotta” and follow the rest of the instructions on https://lancaster-university.github.io/microbit-docs/offline-toolchains/.

This means cloning the repo:

git clone https://github.com/lancaster-university/microbit-samples

cd microbit-samples

then run:

yt target bbc-microbit-classic-gcc

and

yt build

And finally, copy the compiled .hex file to the shared drive on the Micro:bit:

copy build\bbc-microbit-classic-gcc\source\microbit-samples-combined.hex e:

Posted in Uncategorized | Leave a comment

Understanding Forward Secrecy

Two weeks ago I delivered a presentation for Worldpay on the subject of Forward Secrecy.  I volunteered to give this around 10 weeks ago as it was a subject that I’d seen mentioned several times whilst reading security-related web sites, but I couldn’t quite get my head around.  By volunteering I was forcing myself in to a position where I had to learn it, and understand it well enough to explain to a room full of strangers.

I find difficulty in understanding very common when it comes to security-related subjects; I also find it unnecessary and frustrating.  There does seem to be a genuine lack of consumability when it comes to writing the specifications, guides and tutorials that attempt to explain what turn out to be straightforward subjects.  Materials seem to be aimed purely at the implementer rather than the consumer, and this applies both to the terminology coined and to the style of writing.

I’m neither a mathematician nor a cryptographer, but I do deeply care about security.  Initiatives like Let’s Encrypt show how easy the process should be (as close to “secure by default” as you can get), so I see no reason why similar initiatives.

So, this presentation of Forward Secrecy walks the reader through:

  • The problem statement and motivation for it
  • The theory of forward secrecy (with no mathematics in sight, it’s just not necessary)
  • How it is achieved in the TLS (formerly SSL) protocol.
  • Finally, some Java sample code that shows how to use forward-secrecy-enabled cipher suites in Java applications via the Java Secure Sockets Extension (JSSE) API.

As the presentation was given to an external audience I’m able to publish it, along with code samples that show how forward secrecy, using TLS, can be used within a Java application.

All material is copyright of Worldpay.  The license for code is MIT.

Github Repository (containing all artifacts): https://github.com/andybrodie/fsdemoapp.

Presentation link: https://github.com/andybrodie/fsdemoapp/blob/master/docs/Forward%20Secrecy%20in%20Java.pptx?raw=true.

Posted in Java, Security, Worldpay | Leave a comment

Dell L521x Brightness Controls on Windows 10

I do love my Dell L521x, it’s worked really well for 2 years so far, but I hit my first problem with it after upgrading to Windows 10.

After the upgrade I found that I was unable to control the brightness of the LED screen in any way (either using the Fn+F4/F5 keys or via the controls within Windows). 

The most obvious cause is a dodgy driver (the brightness controls would be disabled in Windows 8.1 if the Intel driver was installed instead of the Dell-provided one).  Therefore, I guessed that this must be the same issue.  However, neither installing the Dell-specific driver nor letting Windows Update put the latest Intel driver on there had any effect.  Removing all drivers (reverting to the generic MS one) did enable brightness, but absolutely destroyed performance, so was unacceptable.

The solution was found on the Dell community support website, courtesy of a user named Drop76.  

Brace yourself.

As strange as it sounds, disabling the UEFI secure boot in the BIOS fixed the problem.  Everything worked perfectly after a reboot.

If anyone can explain why this should be the case then please let me know!

Posted in Hints and Tips | Leave a comment

The Right Live Writer on Windows 10

Having performed a clean install of Windows 10, I wanted to re-install Microsoft Live Writer.  I’ve never found anything that makes creating and editing blog entries easier and quicker, and editing offline was an essential requirement for me.

Note that when you search for Windows Live Writer you’ll get 2 hits, the top hit may not be the one you want.  Make sure that you download Windows Essentials 2012.  The installer splash screen looks like this:

image

Do not try to download Windows Live Writer from the Download Center.  The installer will fail with an error: OnCatalogResult: 0x80190194. Confusingly, both downloads are named wl-setupweb.exe.

image

Posted in Hints and Tips, Tools | Leave a comment

Don’t confuse Service Oriented Architecture with writing services

Something I’ve witnessed many times in many different places, is a confusion between service oriented architecture and the use of services (usually web services).

Separating an amorphous block of code with an interface and JAX-RPC or WCF makes you no more service oriented than you were before.  If you can’t administer and evolve the services independently and have a requirement to do so, then it’s not service oriented architecture.  You’ve just wasted your time and made your existing situation worse by introducing more complexity, more code that will contain bugs, and made monitoring and diagnosis of problems in live more difficult.

And no, making it RESTful and using JSON doesn’t help either.

Service oriented architecture is difficult and it’s more of an enterprise architecture discipline (when it’s done properly, which is even rarer than proper service oriented architecture) than a developer discipline.  Remember, you’re trying to divide, or partition, your business into autonomous, independent chunks, then realise some of those chunks using IT.  All the time remembering that the most important thing you have to remember is: complexity kills.

Keep it autonomous.  Keep it aligned to the business.  Keep it simple; and remember: simple is hard and simple is expensive in the short term, but the benefits you reap in the ability to quickly and cheaply evolve and react to business changes will far exceed the initial investment.

Complicated and large are cheap and easy.

Posted in Architecture, Hints and Tips | Leave a comment

Public Key Cryptography Overview

Public Key Cryptography is a hugely important invention.  It underpins the security (specifically the confidentiality) of most online commerce transactions.  Whilst it’s a complex subject and the subject of highly intricate and complex research to make the Internet a secure place to do business, the fundamentals of public key cryptography aren’t that hard to grasp.

The presentation linked to from this entry was originally part of a separate presentation I did on Bitcoin a little while ago, however in the end it felt like two separate subjects so I split it out.

So, public key cryptography in 6 slides (well, 8 if you include the title and closing slide).  Hopefully you’ll find the information contained within informative, consumable and, of course, correct!

You can see the presentation on Slideshare.net here: http://www.slideshare.net/AndyBrodieLocima/public-key-cryptography-a-brief-overview.

Microsoft PowerPoint 2010+ and PDF versions are available here:

  1. Public Key Cryptography – A brief overview (PPTX)
  2. Public Key Cryptography – A brief overview (PDF)

License

Creative Commons Licence
Public Key Cryptography – A brief overview by Andy Brodie is licensed under a Creative Commons Attribution 4.0 International License.

Posted in Uncategorized | Leave a comment

Bitcoin Overview

Bitcoin is a hugely interesting technology.  The social aspects and impacts aside, and purely from a technology perspective, Bitcoin appears to be a neat, elegant solution to the major challenges of electronic currency – specifically trust, integrity and control.

To help me to understand the fundamentals of Bitcoin, having read various documents from around the Internet, I created a 13 slide presentation that gives an overview of the key features.

You can see the presentation on Slideshare.net here: http://www.slideshare.net/AndyBrodieLocima/bitcoin-46711067.

Microsoft PowerPoint 2010+ and PDF versions are available here:

  1. Bitcoin Overview (PPTX)
  2. Bitcoin Overview (PDF)

License

Creative Commons Licence
Bitcoin – An introduction to a decentralised and anonymous currency by Andy Brodie is licensed under a Creative Commons Attribution 4.0 International License.

Posted in Architecture, Security | Leave a comment

The Importance of Consumability

Consumability is a word that my blogging software hotly denies is a real word (with an angry red underline), but it is probably the most important word an architect needs to keep in the forefront of their minds and be mindful of when creating artifacts for consumption by a colleague or, more importantly, a client.

A great example of poor consumability is the first sentence of this blog.  I used 55 words to say: “Consumability is very important for architects” when I could have used 6.*

However, even this is not a good example of a consumable statement, because it doesn’t explain why it’s important.  People don’t remember things that aren’t important.  If I ask you to “Remember the number 37532”, then three days later you probably won’t be able to repeat that exact number.  However, if I say “I want to give you £10,000.  You need to remember the code for the locker it’s in though.  The number is 37532.”, then I’ll bet you’ll be able to recall that number next week, assuming you believe me, naturally.

That’s because this second sentence contains not only the information, but also explains its importance and relevance to you.  I.e. you care about this number.

Going back to the opening sentence of this entry, a more consumable message is:

You deliver no value as an architect if what you produce isn’t consumable.

I’ve worked with, worked for and managed architects, developers, testers and managers who, to their own frustration and detriment, just didn’t get this.  Enterprise architects who deliver a 600 page epic describing a business transformation; software architects who create full A3 page UML diagrams in 6pt font to fit it all in; or solution architects who proudly produce a 50 slide PowerPoint deck explaining solution options (borrowing the 6pt font idea from the software architect).

I’m guilty of it myself on a regular basis.  My worst offence was one of the first documents I ever wrote as a new graduate employee of IBM.  It was a magnificent 482 page test plan for the CICS Web and Document Interface.   It took a couple of months and is still 17 years later, the biggest single document that I’ve ever produced.

How many people actually read it?

None.

Not even me.

Despite my effort, meticulousness and pride, it was an entirely pointless document.  The only result it could have achieved was to fool a few people in to thinking: “Wow!  That’s a big document.  It must be good!” and sometimes, that’s enough to move forward.  However, this is a pretty poor reflection on the person who works like that – they’ve likely forgotten that the goal of a business isn’t to create big documents, it’s to create something of value.

Don’t think that this is easy.  Simple is hard.  Very hard.  When I’m working on a set of, say, 8 slides it can take around a week to get to the right artifact, and that’s with close collaboration with PMs and BAs!  Barely 1 slide a day on average.  But you will save far more in not having subsequent clarification meetings, or people going off in the wrong direction because they’ve misunderstood you.

A simple way to start on making your stuff more consumable is, for every paragraph, every slide and every diagram just take 30 seconds to ask yourself:

  1. What information am I trying to impart?  (Describing this often helps you replace what you had with something shorter and clearer.)
  2. Who is the audience?
  3. Why do they care?
  4. Why should they believe me?
  5. Do they already know all the necessary context?

If you can’t answer these five questions, then you need to rework what you’re producing or remove it entirely.

* A confession: I’m ashamed that the first sentence above is virtually what I actually wrote in seriousness to start this entry.  I hit return to start the next paragraph, reading back what I’d just written… and hung my head in shame for a moment as I realised what I’d done.  But, on the upside, it gave me a good hook!

Posted in Architecture, Hints and Tips | Leave a comment

Escaping values for CSV files

When serialising data to a Comma Separated Values (CSV) file, it’s important that field values that contain reserved characters are escaped correctly.  For example, if a value contains an unescaped comma, then this value will be incorrectly interpreted as two fields instead of one.

RFC4180 offers a specification and standard for CSV files.  Additionally, I wanted to ensure that Microsoft Excel would be happy with any output generated by my converter.

The following method and unit tests demonstrate a way to do this conversion in Java.  I’ve tried to make the code as efficient during execution as possible, so you may find that static analysis tools such as CheckStyle flag cyclomatic complexity (11) and Boolean expression complexity (5), but I consider the code simple and readable in its current form.

Method code as follows:

/**
 * Serialises and escapes any value so that it can be added to a CSV file. If the value contains a double-quote, CR, LF, comma or semi-colon, then
 * the entire value is wrapped in double-quotes. Any instances of double quotes (") are replaced with two double-quotes.
 *
 * @param value Any value that can be converted to a String using {@link Object#toString()}.
 * @return A string suitable to be embedded in to a CSV file that will be read by an RFC4180 compliant application or Microsoft Excel. If null is
 *         passed, null is returned.
 */
public static String escapeForCsv(Object value) {
	// Handle either null inputs or toString() methods that return null.
	String inputString = value == null ? null : value.toString();
	if (inputString == null) {
		return null;
	}

	// Do we need to wrap the entire value in quotes?
	boolean quotesRequired = false;

	int inputLength = inputString.length();

	// Allocate a few extra chars so we don't need to dynamically extend in the event of quotes being required.
	final int extraCharsForQuoting = 3;
	StringBuffer retValue = new StringBuffer(inputLength + extraCharsForQuoting);

	for (int i = 0; i < inputLength; i++) {
		char ch = inputString.charAt(i);
		retValue.append(ch);
		// LF, CR, comma, semi-colon and double-quote all force the whole value to be quoted.
		if ((ch == '\n') || (ch == '\r') || (ch == ',') || (ch == ';') || (ch == '"')) {
			quotesRequired = true;
			if (ch == '"') {
				// RFC4180: a double-quote inside a quoted field is escaped by doubling it.
				retValue.append(ch);
			}
		}
	}

	// Wrap the whole value in double quotes if we've found a character that needed to be escaped.
	if (quotesRequired) {
		retValue.insert(0, '"');
		retValue.append('"');
	}
	return retValue.toString();
}

This code is used in xml2csv, contained within StringUtil.java. Therefore the unit tests refer to the static method within this class:

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;

import org.junit.Test;

@Test
public void testEscape() {
	// Null input, and a toString() that returns null, both yield null.
	assertNull(StringUtil.escapeForCsv(null));
	assertNull(StringUtil.escapeForCsv(new Object() {
		@Override
		public String toString() {
			return null;
		}
	}));
	// Values without reserved characters are passed through unchanged.
	assertEquals("", StringUtil.escapeForCsv(""));
	assertEquals("a", StringUtil.escapeForCsv("a"));
	assertEquals("abc", StringUtil.escapeForCsv("abc"));
	// Double-quotes are doubled and the value is wrapped in quotes.
	assertEquals("\"\"\"\"", StringUtil.escapeForCsv("\""));
	assertEquals("\"\"\"a\"", StringUtil.escapeForCsv("\"a"));
	assertEquals("\"a\"\"b\"", StringUtil.escapeForCsv("a\"b"));
	// Commas and semi-colons force quoting.
	assertEquals("\",\"", StringUtil.escapeForCsv(","));
	assertEquals("\",;,;\"", StringUtil.escapeForCsv(",;,;"));
	assertEquals("\";\"", StringUtil.escapeForCsv(";"));
	// Line breaks force quoting, and embedded quotes are still doubled.
	assertEquals("\"\n\"", StringUtil.escapeForCsv("\n"));
	assertEquals("\"\n\r\"", StringUtil.escapeForCsv("\n\r"));
	assertEquals("\"\n\"\"\n\"", StringUtil.escapeForCsv("\n\"\n"));
}

Any comments or feedback welcome!

Posted in Uncategorized | Leave a comment