In most modern operating systems it is possible for an application to split into many “threads” that all execute concurrently. It might not be immediately obvious why this is useful, but there are numerous reasons why this is beneficial.

When a program is split into many threads, each thread acts like its own individual program, except that all the threads work in the same memory space, so all their memory is shared. This makes communication between threads fairly simple, but there are a few caveats that will be noted later.

So, what does multithreading do for us?

Well, for starters, multiple threads can run on multiple CPUs, providing a performance improvement. A multithreaded application works just as well on a single-CPU system, but without the added speed. As multi-core processors become commonplace, such as Dual-Core processors and Intel Pentium 4′s with HyperThreading, multithreading will be one of the simplest ways to boost performance.

Secondly, and often more importantly, it allows the programmer to divide each particular job of a program up into its own piece that operates independently of all the others. This becomes particularly important when many threads are doing blocking I/O operations.

A media player, for example, can have a thread for pre-buffering the incoming media, possibly from a harddrive, CD, DVD, or network socket, a thread to process user input, and a thread to play the actual media. A stall in any single thread won’t keep the others from doing their jobs.

For the operating system, switching between threads is normally cheaper than switching between processes. This is because the memory management information doesn’t change between threads, only the stack and register set do, which means less data to copy on context switches.

Multithreading — Basic Concepts

Multithreaded applications often require synchronization objects. These objects are used to protect memory from being modified by multiple threads at the same time, which might make the data incorrect.

The first, and simplest, is an object called a mutex. A mutex is like a lock. A thread can lock it, and then any subsequent attempt to lock it, by the same thread or any other, will cause the attempting thread to block until the mutex is unlocked. These are very handy for keeping data structures correct from all the threads’ points of view. For example, imagine a very large linked list. If one thread deletes a node at the same time that another thread is trying to walk the list, it is possible for the walking thread to fall off the list, so to speak, if the node is deleted or changed. Using a mutex to “lock” the list keeps this from happening.

Computer Scientist people will tell you that Mutex stands for Mutual Exclusion.
In Java, Mutex-like behaviour is accomplished using the synchronized keyword.

Technically speaking, only the thread that locks a mutex can unlock it, but sometimes operating systems will allow any thread to unlock it. Doing this is, of course, a Bad Idea. If you need this kind of functionality, read on about the semaphore in the next paragraph.

Similar to the mutex is the semaphore. A semaphore is like a mutex that counts instead of locks. If it reaches zero, the next attempt to access the semaphore will block until someone else increases it. This is useful for resource management when there is more than one resource, or if two separate threads are using the same resource in coordination. Common terminology for using semaphores is “uping” and “downing”, where upping increases the count and downing decreases and blocks on zero.
Java provides a Class called Semaphore which does the same thing, but uses acquire() and release() methods instead of uping and downing.

With a name as cool-sounding as semaphore, even Computer Scientists couldn’t think up what this is short for. (Yes, I know that a semaphore is a signal or flag

Unlike mutexes, semaphores are designed to allow multiple threads to up and down them all at once. If you create a semaphore with a count of 1, it will act just like a mutex, with the ability to allow other threads to unlock it.

The third and final structure is the thread itself. More specifically, thread identifiers. These are useful for getting certain threads to wait for other threads, or for getting threads to tell other threads interesting things.

Computer Scientists like to refer to the pieces of code protected by mutexes and semaphores as Critical Sections. In general, it’s a good idea to keep Critical Sections as short as possible to allow the application to be as parallel as possible. The larger the critical section, the more likely it is that multiple threads will hit it at the same time, causing stalls.

In POSIX, the types we’ll be dealing with are pthread_t for thread identifiers, pthread_mutex_t for mutexes, and sem_t for semaphores. We use the word “pthread” a lot because it stands for POSIX Threads

.

Mutexes and Semaphores

Mutexes are fairly easy to create. The function we use is pthread_mutex_init, which takes 2 parameters. The first is a pointer to a mutex_t that we’re creating. The second parameter is usually NULL, but can also be a pthread_mutexattr_t structure that specifies different attributes for it.

To lock and unlock a mutex, use pthread_mutex_lock and pthread_mutex_unlock. These both take 1 parameter: a pointer to the mutex being operated on. pthread_mutex_trylock is similar to pthread_mutex_lock, except that if it can’t lock the mutex, it returns a error instead of blocking.

When the mutex is no longer needed, it can be freed with pthread_mutex_destroy.

Semaphores follow a similar paradigm. They are initialized with sem_init, which takes 3 parameters. The first is a pointer to the semaphore being initialized. The second is always zero. This argument is used to denote semaphores shared between processes, but it isn’t always supported. The third argument specifies the initial value of the newly created semaphore.

To “Up” a semaphore, use sem_post. To “Down” a semaphore, use sem_wait. These kind of parallel pthread_mutex_lock and pthread_mutex_unlock.

sem_destroy is used to destroy a semaphore once it is no longer needed.

#include <pthread.h>
#include <stdio.h>

/* This is our thread function.  It is like main(), but for a thread*/
void *threadFunc(void *arg)
{
	char *str;
	int i = 0;

	str=(char*)arg;

	while(i < 110 )
	{
		usleep(1);
		printf("threadFunc says: %s\n",str);
		++i;
	}

	return NULL;
}

int main(void)
{
	pthread_t pth;	// this is our thread identifier
	int i = 0;

	pthread_create(&pth,NULL,threadFunc,"foo");

	while(i < 100)
	{
		usleep(1);
		printf("main is running...\n");
		++i;
	}

	printf("main waiting for thread to terminate...\n");
	pthread_join(pth,NULL); //this will make one thread stop and wait for another thread  to finish.

	return 0;
}

Google unveiled its first mobile phone on 5th January 2010. There were rumours of google working on iphone competitor since last quarter of 2009.

In this post, I will talk and provide links on few of the best reviews on “Nexus One”

This is the first phone to run google’s Android 2.1 mobile operating system. Here are couple of Nexus One images.

Nexus One review report from various websites

From Ubergizmo

I found information on this website to be quiet satisfying. It provides detailed info about the Phones functionalities. This website talks about Hardware specification, How phone dialling is easy, How web surfing is efficient, how security is unique, how picture and video clarity is good, how multitasking beats iPhone , how game playing is better, much more details about phone and last but not least how pricing beats iPhone .

Click here to read actual review from website.

Following are the Links to remaining Nexus one review websites

Click here to see video review from cnet.com

Click here to read review from engadget.com

Click here to read review from nexusoneblog.com

This drone is also integrated with the game play on iphone or ipod touch. I feel It takes the gaming experience to whole new level.

Following is the link to website of the company which invented this toy Parrot corp

quite an amazing toy guys.. do have look at the video…

in the beginning, there were mainframes. Every program and piece of data was stored in a single almighty machine. Users could access this centralized computer only by means of dumb terminals.

In the 1980s, the arrival of inexpensive network-connected PCs produced the popular two-tier client-server architecture. In this architecture, there is an application running in the client machine which interacts with the server—most commonly, a database management system . Typically, the client application, also known as a fat client, contained some or all of the presentation logic (user interface), the application navigation, the business rules and the database access. Every time the business rules were modified, the client application had to be changed, tested and redistributed, even when the user interface remained intact. In order to minimize the impact of business logic alteration within client applications, the presentation logic must be separated from the business rules. This separation becomes the fundamental principle in the three-tier architecture.

In 2-tier, the application logic is either buried inside the User Interface on the client or within the database on the server (or both). With two tier client/server architectures (see Two Tier Software Architectures), the user system interface is usually located in the user’s desktop environment and the database management services are usually in a server that is a more powerful machine that services many clients. Processing management is split between the user system interface environment and the database management server environment. The database management server provides stored procedures and triggers

In a three-tier architecture (also known as a multi-tier architecture), there are three or more interacting tiers, each with its own specific responsibilities

In 3-tier, the application logic (or) process lives in the middle-tier, it is separated from the data and the user interface. 3-tier systems are more scalable, robust and flexible. In addition, they can integrate data from multiple sources. In the three tier architecture, a middle tier was added between the user system interface client environment and the database management server environment. There are a variety of ways of implementing this middle tier, such as transaction processing monitors, message servers, or application servers. The middle tier can perform queuing, application execution, and database staging. For example, if the middle tier provides queuing, the client can deliver its request to the middle layer and disengage because the middle tier will access the data and return the answer to the client. In addition the middle layer adds scheduling and prioritization for work in progress. The three tier client/server architecture has been shown to improve performance for groups with a large number of users (in the thousands) and improves flexibility when compared to the two tier approach. Flexibility in partitioning can be a simple as “dragging and dropping” application code modules onto different computers in some three tier architectures. A limitation with three tier architectures is that the development environment is reportedly more difficult to use than the visually-oriented development of two tier applications. The most basic type of three tier architecture has a middle layer consisting of Transaction Processing (TP) monitor technology. The TP monitor technology is a type of message queuing, transaction scheduling, and prioritization service where the client connects to the TP monitor (middle tier) instead of the database server. The transaction is accepted by the monitor, which queues it and then takes responsibility for managing it to completion, thus freeing up the client.

*

Tier 1: the client contains the presentation logic, including simple control and user input validation. This application is also known as a thin client.
*

Tier 2: the middle tier is also known as the application server, which provides the business processes logic and the data access.
*

Tier 3: the data server provides the business data.

These are some of the advantages of a three-tier architecture:

*

It is easier to modify or replace any tier without affecting the other tiers.
*

Separating the application and database functionality means better load balancing.
*

Adequate security policies can be enforced within the server tiers without hindering the clients.

ure, all of the data storage and retrieval processes are logically and usually physically located on a single tier. A 4-tier architecture allows an unlimited number of programs to run simultaneously, send information to one another, use different protocols to communicate, and interact concurrently. This allows for a much more powerful application, providing many different services to many different clients. In this application we will have following 4-Tiers
1. Business Object [BO]
2. Business Access Layer [BAL]
3. Data Access Layer [DAL]
4. UI (4-Tier) folder [UI]

Here are the reasons why we should use the MVC design pattern.

1. They are resuable : When the problems recurs, there is
no need to invent a new solution, we just have to follow the
pattern and adapt it as necessary.
2. They are expressive: By using the MVC design pattern
our application becomes more expressive.

1). Model: The model object knows about all the data that
need to be displayed. It is model who is aware about all the
operations that can be applied to transform that object. It
only represents the data of an application. The model
represents enterprise data and the business rules that
govern access to and updates of this data. Model is not
aware about the presentation data and how that data will be
displayed to the browser.

2). View : The view represents the presentation of the
application. The view object refers to the model. It uses
the query methods of the model to obtain the contents and
renders it. The view is not dependent on the application
logic. It remains same if there is any modification in the
business logic. In other words, we can say that it is the
responsibility of the of the view’s to maintain the
consistency in its presentation when the model changes.

3). Controller: Whenever the user sends a request for
something then it always go through the controller. The
controller is responsible for intercepting the requests from
view and passes it to the model for the appropriate action.
After the action has been taken on the data, the controller
is responsible for directing the appropriate view to the
user. In GUIs, the views and the controllers often work
very closely together.

Lately I’ve been hard to reach
I’ve been too long on my own
Everyone has a private world
Where they can be alone
Are you calling me, are you trying to get through
Are you reaching out for me, and I’m reaching out for you

I’m just so fu-ckin’ depressed
I just can seem to get out this slump
If I could just get over this hump
But I need something to pull me out this dump
I took my bruises, took my lumps
Fell down and I got right back up
But I need that spark to get psyched back up
And the right thing for me to pick that mic back up
I don’t know how I pry away
And I ended up in this position I’m in
I starting to feel distant again
So I decided just to beat this pain
Up and tried to make an attempt to vent
But I just can’t admit
Or come to grips, with the fact that
I may be done with rap
I need a new outlet
I know some shits so hard to swallow
And I just can’t sit back and wallow
In my own sorrow
But I know one fact
I’ll be one tough act to follow
One tough act to follow
Copy
One tough act to follow
Here today, gone tomorrow
But you have to walk a thousand miles

Chorus
Walk my shoes, just to see
What it’s like, to be me
All be you, let’s trade shoes
Just to see what I’d be like to
Feel your pain, you feel mine
Go inside each other’s mind
Just to see what we find
Looking shit through each other’s eyes

But don’t let ‘em say you ain’t beautiful OoOo
They can all get fu-cked. Just stay true to you sOoOoo
Don’t let ‘em say you ain’t beautiful OoOo
They can all get fu-cked. Just stay true to you

I think I’m starting to lose my sense of humour
Everything is so tense and gloom
I almost feel like I gotta check the temperature in the room
Just as soon as I walk in
It’s like all eyes on me
So I try to avoid any eye contact
Cause if I do that then it opens a door to conversation
Like I want that…
I’m not looking for extra attention
I just want to be just like you
Blend in with the rest of the room
Maybe just point me to the closest restroom
I don’t need fu-cking man servin’
Tryin to follow me around, and wipe my ass
Laugh at every single joke I crack
And half of them ain’t even funny like that
Ahh Marshall, you’re so funny man, you should be a comedian, god damn
Unfortunately I am, but I just hide behind the tears of a clown
So why don’t you all sit down
Listen to the tale I’m about to tell
Hell, we don’t have to trade our shoes
And you don’t have to walk no thousand miles

Chorus
Walk my shoes, just to see
What it’s like, to be me
All be you, let’s trade shoes
Just to see what I’d be like to
Feel your pain, you feel mine
Go inside each other’s mind
Just to see what we find
Looking shit through each other’s eyes

But don’t let ‘em say you ain’t beautiful OoOo
They can all get fu-cked. Just stay true to you sOoOoo
Don’t let ‘em say you ain’t beautiful OoOo
They can all get fu-cked. Just stay true to you sOoOoo

Nobody asked for life to deal us
With these bullshit hands with doubt
We have to take these cards ourselves
And flip them, don’t expect no help
Now I could have either just
Sat on my ass and pissed and moaned
But take this situation in which I’m placed in
And get up and get my own
I was never the type of kid
To wait but I know to unpack his bags
Never sat on the porch and hoped and prayed
For a dad to show up who never did
I just wanted to fit in
Every single place
Every school I went
I dreamed of being that cool kid
Even if it meant acting stupid
Aunt Edna always told me
Keep making that face till it gets stuck like that
Meanwhile I’m just standing there
Holding my tongue up trying to talk like this
Till I stuck my tongue on the frozen stop sign poll at 8 years old
I learned my lesson and cause I wasn’t tryin to impress my friends no more
But I already told you my whole life story
Not just based on my description
Cause where you see it from where you’re sitting
Is probably 110% different
I guess we would have to walk a mile
In each other’s shoes, at least
What size you where?
I wear tens
Let’s see if you can fit your feet

Chorus
Walk my shoes, just to see
What it’s like, to be me
All be you, let’s trade shoes
Just to see what I’d be like to
Feel your pain, you feel mine
Go inside each other’s mind
Just to see what we find
Looking shit through each other’s eyes

But don’t let ‘em say you ain’t beautiful OoOo
They can all get fu-cked. Just stay true to you sOoOoo
Don’t let ‘em say you ain’t beautiful OoOo
They can all get fu-cked. Just stay true to you sOoOoo

Lately I’ve been hard to reach
I’ve been too long on my own
Everyone has a private world
Where they can be alone… sOoOoo
Are you calling me, are you trying to get through OoOo
Are you reaching out for me, and I’m reaching out for you sOoOoo Oo Oo

Yea… To my babies. Stay strong. Daddy will be soon
And to the rest of the world, god gave you the shoes
That fit you, so put em on and wear em
And be yourself man, be proud of who you are
Even if it sounds corny,
Don’t ever let no one tell you, you ain’t beautiful

It is said that as human mind matures over period of time, it evolves and acquires capacity to look at things unbiased.

But in today’s over worked-out life style do we tend to judge people/objects impartially ?? do we look at things the way we should ??

Friends I came across this nice article on How Appearances can be Deceiving.. Thought of sharing with everyone on our blog…

Click Here to read actual article

VPN’s can be divided into three common types depending on what components are accessing the VPN.

Access VPN:
An Access VPN is a secure means for remote workers to access the corporate network from home or any other remote location. Typically an access VPN comprises of software installed on the clients computer that ‘dials in’ to a VPN end point such as a PIX, authenticates the user and allows them to access parts of the network that have been defined in the VPN configuration. This type of VPN is commonly called a Remote Access VPN.

Extranet VPN:
An Extranet VPN is in essence an Intranet VPN in so much as no software is required to be installed on any remote hosts and the configuration is all done between the two end points. Typically an Extranet VPN is used for connectivity to customer networks and the network access is granted at both ends of the tunnel; usually restricted to certain hosts only.

Intranet VPN:
An Intranet VPN is used between two sites that belong to the same company and is commonly referred to as a site-to-site VPN. Usually it provides full and unrestricted access to the enterprise LAN and acts as seamless extension to the LAN – the end users may very well never know the VPN exists.

This topic will cover Extranet and Intranet VPN’s also known as LAN-To-LAN or Site-To-Site VPN.
Extranet and Intranet VPN’s are configured almost identically, with the only difference being is that an extranet VPN may restrict what hosts can be reached via the VPN. The actual secure channel is setup and configured the same way and uses IKE and IPSec.

Internet Protocol Security (IPSec)
IPSec is not in itself a protocol, it is more a combination of other protocols and algorithms bundled together to provide data security at the network layer to address the inherent weaknesses in Internet Protocol.

IPSec uses Internet Key Exchange (IKE) to create a secure channel between two end points, known as a Security Association, before establishing the IPSec part of the VPN tunnel.

The method of establishing the VPN is broke into two phases; IKE Phase one and IKE phase two.

Internet Key Exchange (IKE)
IKE is the abbreviated abbreviation (eh?) for Internet Security Association and Key Management Protocol with Oakley distribution commonly known as ISAKMP (pronounced ice-a-camp). ISAKMP and the Oakley and Skeme key exchange are two different protocols, but are collectively known as IKE.

ISAKMP is defined in RFC 2408 and dictates the format used for the management of IPSec connections, however it does not include any [cryptographic] key management functions , in-other-words it doesn’t say how the keys should be shared with the two peers or how often they should be changed. To address these two limitations we use IKE in conjunction with ISAKMP. For the sake of VPN management the terms IKE and ISAKMP generally refer to the same thing and either can be used, for the rest of this paper I will use the term IKE.

IKE operates over User Datagram Protocol (UDP) on port 500 and is used to negotiate a mutual key exchange to create a secure path between two peers (end points). This secure connection is established in two phases, the first phase is used to establish the IKE Security Association (SA) and the second phase establishes the IPSec SA.

IKE provides the following functions:

Provides anti-replay protection for IPSec communications
Provides a means to define an SA’s life-span
Supports Certification Authorities (CA’s)
Automatically negotiates the parameters for SA’s which reduces the manual configuration involved in setting it all up
Permits the encryption key to be changed dynamically without the need to tear down the IPSec session.
Provides a very flexible approach to setting up IPSec connections

It may seem a bit confusing at first but think of it like this:

Before you set up an IPSec connection with a remote node, we need to know that the remote node we are talking to is in fact the node we want to set up the VPN tunnel with. After we have verified the identity of the remote node we also need to share the cryptographic keys between the two nodes in a secure manner – this is the job of IKE Phase one. After this has been established we need to set up the IPSec part of the connection and the two nodes will use the secure IKE channel setup in phase one to establish the IPSec tunnel.

IKE Phase One
As mentioned IKE comes into play in phase one by setting up an SA between the two IKE peers. If IKE does not first establish an SA in phase one, then the IPSec SA in phase two will never take place.

**A Security Association (SA) is in plain terms a set of rules two end points agree to use and accept for the duration of that particular SA, such as encryption algorithms and hashing algorithms etc. **

During the IKE SA establishment he following must be mutually negotiated between the two end points:

1. Encryption Algorithm.
2. Hash Algorithm.
3. Authentication Method.
4. Diffe-hellmen group.

Once the two end points agree on what they are going to use for all of the above, a bidirectional SA is established which then allows the IPSec SA to take place.

Phase one can be established in one of two modes; Aggressive mode or Main Mode.

Main Mode
Main mode negotiation consist of six message exchanges that mirror each other between the two peers and is used if you are using certificates to authentic remote peers. The message exchange is as follows:

1 – Initiator; negotiates an exchange policy
2 – Responder; negotiates the exchange policy
3 – Initiator; exchanges Diffe-Hellmen public keys and a random value between 8 – 256 bits, called a nonce.
4 – Responder; exchanges Diffe-Hellmen public keys and a random value between 8 – 256 bits, called a nonce
5 – Initiator; authenticates the Diffe-Hellmen key exchange
6 – Responder; authenticates the Diffe-Hellmen key exchange

Aggressive Mode
Aggressive mode only has three exchanges and is used if you are using Pre-Shared Keys (PSK’s) for authentication. The first two exchanges negotiate the policy to use, exchanges public keys and authenticate the responder. The third message authenticates the initiating peer and is sent in encrypted text after the negotiation has finished.

**Diffe-Hellmen (DH) is a public cryptography protocol that two IPSec peers use to come up with a shared secret over an unsecured means such as the Internet, without actually having to send the key to each other. The mathematics behind it are ingenious; each peer will create a public and private key using a DH group, these peers then send their public keys to each other, next the peers run the public key they have just received and their own private key (which has never been shared with the other peer) through the DH algorithm and come up with a fixed length value that will be identical on both hosts. This shared key they will use to encrypt the subsequent key exchange for the SA to be established. **

During this phase one exchange, rather than negotiate each parameter individually, i.e. negotiate 3DES for the encryption standard and then negotiate SHA-1 for the Hash standard etc, the algorithms are grouped in to sets, called transform sets or IKE transform sets to be exact. These transform sets will delineate what standards can be used for encryption, authentication, key length and the mode to be used. Once a common transform set has been mutually agreed upon during the first message exchange the main Mode/Aggressive Modes exchange can continue. If a common transform set cannot be found the tunnel is closed down and the IKE SA will not occur.

For any peer to participate in an IPSec session it is essential for them to first authenticate each other via either main mode or aggressive mode as otherwise IKE phase two cannot start. Hence the need for IKE Phase One.

Which brings us on to the IPSec part of the setup process:

IKE Phase Two
Having successfully authenticated each peer and establishing a secure channel for further communications, IKE Phase One evolves in to Phase Two.

As mentioned phase two can only occur after the IKE SA negotiation has completed. Phase Two’s main purpose is to negotiate mutual policies for non ISAKMP SA’s such as the IPSec SA and to derive the keying material to be used.

Phase Two only has the one mode, called Quick Mode.

Once the secure tunnel has been setup by Phase One, Phase Two negotiates the IPSec parameters to be used such as the various algorithms, Shared Secret keying material etc. It is also used to re-negotiate the new SA once the predetermined life-span of the current IPSec SA has expired.

IPSec has two main protocols, ESP and AH.

Encapsulating Security Payload – ESP
ESP is an extensive protocol that provides anti-replay services, data confidentiality (encryption), data integrity (hashing) and data authentication and is primarily responsible for securely getting the data from the source to the destination in such a way that the destination host will know if the data has been tampered with hence ensuring that your session can not be effectively hijacked.
ESP is versatile enough to be able to encrypt either just the payload of the packet or the entire data packet and can also authenticate the sender of the data either in conjunction with Authentication Header or on its own.

IPv4 Packet Encrypted with ESP:
_________________________________________________________________________
|IP HEADER | ESP HEADER | TCP INFO | DATA | ESP TRAILER | ESP AUTHENTICATION |
“““““““““` ——— ENCRYPTED BY ESP ———- “““““““““““““
the ESP Header and all up to and including the ESP Trailer is Authenticated by ESP

Authentication Header– AH
Authentication Header pretty much does as it names suggests, it authenticates the information that is in the IP Header, or in other words it ensures that the data did originate from where it says it does in the header by means or origin authentication. By doing this is provides anti-replay services and prevents your session being hijacked. It may seem similar to ESP but the one glaring difference is that AH does not provide any data encryption, its only purpose is to authenticate the sender.

One major downfall with AH is that it is not compatible with Network Address Translation (NAT). Due to the address translation occurring before the IPSec SA being established, by altering the sending IP address you would cause the AH hash that confirms the sending source to fail.

IPv4 Packet with AH
__________________________________________________________
| IP HEADER | AUTHENTICATION HEADER (AH) | TCP | DATA |
“““““““““““““““““““““““““““““
As you can see no encryption takes place, unlike ESP which encrypts the payload of the packet.

ESP and AH can be configured to use different algorithms to encrypt and hash the data.

**An Encryption Algorithm is used to encrypt the data where as a Hash Algorithm is used to provide data integrity**

Following are the most used encryption algorithms:

Data Encryption Standard (DES):
DES is a 56 bit symmetric encryption algorithm. Although it is somewhat outdated now it is included with the PIX for legacy reasons and should not be used if there is another option available. Due to US technology export restrictions it is more commonly used outside the USA.

Triple Data Encryption Standard (3DES):
3DES as it name suggests it three time as strong as DES by way of a 168 bit symmetric cipher which is obtained by encrypting the data three consecutive times using DES. More specifically the data is first encrypted using a 56 bit DES key, then decrypted using another 56 bit DES key and then re-encrypted using yet another 56 bit DES key.

Advanced Encryption Standard (AES)
AES is a symmetric block cipher that encrypts and decrypts the data using cryptographic keys of 128, 192 or 256 bit lengths. The resulting encrypted data is then placed into 128 bit blocks which are combined into cipher block chains.

**Symmetric encryption uses only a single secret key by itself to encrypt and decrypt the data. Asymmetric encryption uses a key pair — both a public and a private one — for encryption and is commonly used for Certificates. The sending host uses the receiver’s public key to encrypt the data and the receiver uses their private key to decrypt it.**

Message Hashing
A hash algorithm simply talks the message, puts is through an algorithm and creates a fixed length Message Digest (MD) from it. This message digest is then put into another algorithm called a digital signature algorithm which in turn generates a signature (or hash) for the message from the message digest, rather than from the actual message, which reduces the processing time of the message. Should the data be altered even slightly it will massively throw out the message digest (which remember is derived from the original data) and as a knock on affect the signature (or hash) will be invalid.

For the hash to be created at the sending station and then understood at the receiving station both stations must be using the same algorithms.

Following are the most used hash algorithms:

Secure Hash Algorithm 1 (SHA -1)
SHA -1 produces 160 bit output and is considered more secure than MD5 for this reason

Message Digest 5 (MD5)
MD5 output is 128 bit. It is considered faster that SHA -1 but less secure.

IPSec Session
Once Phase One and Phase two are established, traffic deemed interesting for the IPSec session will flow through the tunnel in encrypted form. The tunnel is not an ‘always on’ means and will time out after either a predefined time limit is reached or a predefined amount of data has been sent through it.

One of the main weak points with any encrypted service is the amount of data sent in the encrypted form that had been encrypted using the same keysets. The more data that can be collected the easier it may be for the encryption algorithm to become compromised (you only have to look at WEP for a perfect example of this). For this reason the SA’s established will time out either after a predefined amount of time or a predefined amount of data has been sent through the IPSEC tunnel. When the SA times out IKE performs a whole new Phase Two negotiations and if needs be a new Phase One negotiation. This is done before the current SA times out to prevent any interruption in the data flow.

So let’s summarize:

IKE Phase One provides a low level set of security services via policies/standards that are first negotiated and then mutually agreed upon once common ground has been found. Once this secure channel has been established IPSec can use this secure channel to set up the IPSec Security Association (SA) in Phase Two.

**As mentioned earlier without Phase One there would be no way to verify that the end point in use when you set up the IPSec SA is actually the correct end point and that in fact you are not setting up your IPSec tunnel with an attacker of some kind**

IKE Phase Two is where IKE negotiates the IPSec SA’s parameters via the secure link setup in Phase One and sets up the IPSec ‘tunnel’ between the two peers. This established IPSec SA is what then protects all the resulting traffic that flows between the tunnel end points. IPSec uses IPSec transform sets in the same way IKE uses IKE transform sets. Again just like IKE, if no common transform set can be agreed upon the connection is torn down and the IPSec VPN fails.

Most VPN gateways/end-points support three methods of IPSec peer authentication:

RSA Signatures (Certificates) – This is considered the preferred method of authentication as it uses digital certificates that are authenticated by an RAS Signature.
Pre-shared Keys – As the name suggests these are manually configured case sensitive keys that must exactly match on both peers.
RSA Encrypted Nonce’s – Cisco appliances can use RSA (Rivest Shamir Adleman) encryption to encrypt a random number (a nonce) that is generated by the peer along with other pre configured values. The PIX does not support this type of authentication at this moment in time.

Certificates and Certification Authorities (CA)
Certificate authorities manage certificate requests, issue the requested certificates once approved and publish Certificate Revocation Lists (CRL’s). IKE understands X.509v3 certificates that require public keys.

A digital certificate has a public key, which is available publically, and is used for the automatic authentication of servers and/or users. The connecting node needs to trust the root CA that issued the certificate for it to accept it. By default the connecting node also needs access to the CRL to check if the certificate has been revoked by the root CA. Some third party CA’s are already trusted for web browsers etc but the PIX will only trust the following third party CA’s:

VeriSign
Microsoft Corporation
Baltimore Technologies
Entrust Corporation

Certificates replace the need for pre-shared keys as they already have a public and private keys as part of the frame work of the certificate.
For certificates to work on the PIX there are four steps to take:
Generate an RSA Key pair

Obtain the CA’s certificate which will have the public key
Using the generated key and the public key obtained by the CA the firewall will then request a signed certificate from the CA
The CA then verifies the request and offers the signed certificate to be published (depending on how the CA is configured this sometimes requires an administrator to manually approve the request)

Pre-Shared Keys
Pre-Shared Keys (PSK) are usually used if you only have a few firewalls to configure and you control all of the firewalls in the VPN configuration, as when you change a PSK on one firewall obviously you will need to change it on the other. PSK’s offer the quickest and easiest way to configure a VPN. A PSK can be up to 128 bytes long and uses alphanumeric characters ( A-Z and 0-9)

What’s New in the .NET Framework

As of the writing of this course, version 3.5 of the .NET Framework has been released. Version 3.5 includes features that encompass all facets of Windows, Web, and network development:

• Includes just under 10,000 classes, methods, and properties.
• Complies with the latest Web development standards.
• Introduces revolutionary technologies used in Windows Vista development, rich media and user experiences, workflow management, security and authorization, and complete distributed communication protocols.

The .NET Framework can also be fully extended by developers to create custom classes and types. The functionality of the .NET Framework spans the server, the workstation, and the Web. The four primary additions to the .NET Framework as of version 3.0 are:

1. Windows Presentation Foundation (WPF)
2. Windows Communication Foundation (WCF)
3. Windows Workflow Foundation (WF)
4. CardSpace

Windows Presentation Foundation (WPF)

WPF is used to develop elaborate user interfaces like those that adorn Windows Vista and managed advanced media streaming and integration. WPF is the a complete revamp of Windows Forms so that user interface, graphic, and media development is now designed around the .NET Framework.

Windows Communication Foundation (WCF)

WCF encompasses the ASP.NET Web Services and .NET remoting functionality that was contained in the .NET Framework 2.0 as well as new communication technologies.

Windows Workflow Foundation (WF)

WF is used to model complex workflow processes.

CardSpace

CardSpace is the embodiment of new security and user authorization functionality.

Silverlight Architecture

Unlike ASP.NET, the bulk of Silverlight processing occurs on the client machine thus decreasing server resource utilization and improving the Web experience on the client. The figure below shows the difference between ASP.NET processing and Silverlight processing:

When a client initially attempts to run a Silverlight application, if the Silverlight plug-in has not been installed on the client machine, it will be downloaded and installed. Upon subsequent requests to run the application, the application will instantiate on the client machine and make requests for resources from the server only when necessary. The Silverlight plug-in can be thought of as a scaled-down version of the full .NET Framework. It only contains those classes and functionality that are applicable to a Silverlight Web client and those were streamlined and optimized for use on the Web client machine.

Silverlight was designed using the same design paradigm as ASP.NET. Each page of a Silverlight application includes an associated code behind file that includes the code that handles events fired by the page. Silverlight resembles WPF in that it uses Extensible Application Markup Language (XAML) to construct the user interface (presentation layer). As Silverlight applications are composed of text-based files that include markup and code, they can be created using any text editor; however, more advanced tools and development environments such as Visual Studio or Expression Blend simplify the task significantly.

Silverlight Technologies

Version 1.0 of Silverlight used JavaScript and supported the industry-leading Windows Media Services enabling delivery of audio and video that includes 2D and vector graphics.

Version 2 includes all features of version 1.0 and:

• support for the .NET Framework.
• support for .NET-compliant programming languages such as C#, Visual Basic, Python, and Ruby.
• support for database operations and language-integrated query (LINQ).

The figure below illustrates the major differences between version 1.0 and version 2:

Supported Platforms

Silverlight can be installed on Windows and Macintosh machines. Silverlight applications run within the confines of a plug-in. There are many benefits to using a plug-in with the primary benefit being consistency across implementations. A plug-in application can provide a consistent result in every instance where it is supported. Other plug-in solutions, such as Adobe Flash, have become popular due to consistency across implementations. For instance, a plug-in application should deliver a consistent result regardless of whether it is displayed using Internet Explorer on Windows or Safari on a Macintosh.

Silverlight 2 is currently supported on the platforms discussed below.

Linux

Many developers are unaware that a version of the .NET Framework exists for the Linux operating system. Linux is an open source operating system that is supported heavily in the online community. The version of the .NET Framework that supports Linux is named the Mono project and was also developed by the open source community. The developers of the Mono project keep the project close to in sync with the .NET Framework when updates are released by Microsoft and created an initial, limited version of Silverlight (called “Moonlight”) that supports Linux in approximately 21 days! You can get up to date information on this project at http://www.mono-project.com/Moonlight.

Future Platforms

The Silverlight plug-in renders graphics and multimedia using a vector-based graphics engine. Vector graphics can easily be scaled from very small displays to very large displays of varying resolutions with virtually no loss of image quality. Silverlight on a Windows Mobile device will accommodate delivering live, streaming, high quality video to smart phones and similar devices. The goal is to enable developers to deliver rich interactive applications (RIA) to any type of device.

Microsoft has announced support for Silverlight on mobile devices with a limited initial support for Windows Mobile and the Nokia S60 models. You can learn more about this future support at http://www.microsoft.com/silverlight/overview/mobile.aspx.

I came across this very interesting article on Black Hat security conference. People talk on various security topics at this conference. In this particular news they have talked about security holes in mobile phones and they mentioned that even single sms can be used to hack a mobile phone.

Click here to read complete article Guys do read it. It is just a single page article.

Cheers! have good weekend