Set up SMS for Two-factor authentication with Twilio

Adding two-factor authentication (2FA) to your web application increases the security of your user’s data. Multi-factor authentication determines the identity of a user in two steps:

  • First we validate the user with an email and password
  • Second we validate the user using his or her mobile device, by sending a one-time verification code

Once our user enters the verification code, we know they have received the SMS, and indeed are who they say they are. This is a standard SMS implementation. Continue reading “Set up SMS for Two-factor authentication with Twilio”

Advertisements

Generating Signing Keys for Apple iPhone Phone Gap Builds

When you are building applications that should work across multiple platforms using Phone Gap, you will need to generate a set of signing Keys to work with the different platforms:
Keys

Generating a Key for Apple iOS from MacOS

To manually generate a Certificate, you need a Certificate Signing Request (CSR) file from your Mac. To create a CSR file, follow the instructions below to create one using Keychain Access.

Create a CSR file.

In the Applications folder on your Mac, open the Utilities folder and launch Keychain Access.

Within the Keychain Access drop down menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.

  • In the Certificate Information window, enter the following information:
    • In the User Email Address field, enter your email address.
    • In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
    • The CA Email Address field should be left empty.
    • In the “Request is” group, select the “Saved to disk” option.
  • Click Continue within Keychain Access to complete the CSR generating process.

Generating a Key for Apple iOS from Windows

I have a Windows computer and I found it very hard to generate a key. If you follow the steps below, you might find it easier:

  1. Install Visual C++ 2008 Redistributables
  2. Download Open SSL for Windows. http://slproweb.com/products/Win32OpenSSL.html and install it onto c:OpenSSL-Win32
  3. Make sure the bin folder is installed in c:OpenSSL-Win32bin
  4. Change your PATH variable to have this path:
    • Select Computer from the Start menu
    • Choose System Properties from the context menu
    • Click Advanced system settings > Advanced tab
    • Click on Environment Variables, under System Variables, find PATH, and click on it.
    • In the Edit windows, modify PATH by adding the location of the class to the value for PATH. If you do not have the item PATH, you may select to add a new variable and add PATH as the name and the location of the class as the value.
  5. The first thing you need to do is generate a private key. Go to the command line and navigate to whatever directory you want to store the generated files in. Then type in the following to generate the key:
    openssl genrsa -des3 -out ios.key 2048

    Keys2
    The result will be a new file called “ios.key” in this folder.

  6. Next you need to generate a Certificate Signing Request or CSR file. You can do this by running the following command, which uses the ios.key file generated earlier:
    openssl req -new -key ios.key -out ios.csr -subj "/emailAddress=contact@carra-lucia-ltd.co.uk, CN=CARRA-LUCIA-LTD, C=UK"

    Change the items in red to match your needs.
    Keys3

  7. Now you need to go to your Apple Developer iOS Provisioning Portal in order to generate an iOS Development Certificate, using the ios.csr file you’ve just generated. Click on “Certificates” in the left hand side, and then “Request”.
    iOSCertificatesAdd Ios Certificate

    You will be prompted to upload a .csr file, and then wait for the certificate to be issued, which it will quite quickly, refresh the browser if you need to.
    csr file

  8. Now download the development certificate that was issued and save it in the same directory where the other generated files are.
    app_distribution
  9. You now need to convert it to a PEM file which you can do with:
    openssl x509 -in ios_distribution.cer -inform DER -out ios_distribution.pem -outform PEM

    Where ios_development.cer is the name of the development certificate created on the Apple Provisioning Portal and ios_development.pem is the PEM file that we want to generate.

  10. Next file is the P12 file, which uses both our private key (ios.key) and the iOS distribution certificate (ios_distribution.pem):
    openssl pkcs12 -export -inkey ios.key -in ios_distribution.pem -out ios_distribution.p12

    You will be asked to enter the access phrase for the ios.key file (which you noted from earlier) and you will need to generate an export password for the P12 file and verify it. The ios_distribution.p12 file is then generated.
    keys4

  11. The last file you need to generate is the provisioning profile, which again requires you to return to the Apple Provisioning Portal.
    iOsProvisioning
  12. If you plan to use services such as Game Center, In-App Purchase, and Push Notifications, or want a Bundle ID unique to a single app, use an explicit App ID. If you want to create one provisioning profile for multiple apps or don’t need a specific Bundle ID, select a wildcard App ID. Wildcard App IDs use an asterisk (*) as the last digit in the Bundle ID field. Please note that iOS App IDs and Mac App IDs cannot be used interchangeably.
  13. Select the certificates you wish to include in this provisioning profile. To use this profile to install an app, the certificate the app was signed with must be included.
  14. Bear in mind that such certificates need to be tied to your iOS testing devices via their UDIDs, and again there is documentation on how to do this.
    provisioning profile
    Once the provisioning profile is generated, download it (e.g. iOS_Development.mobileprovision) and save it in the same place as the other files. This file will also need to be installed on each of your iOS testing devices.

You should now have everything that you need to generate an iOS signing key for PhoneGap Build:

  • P12 certificate file
  • provisioning profile
  • certificate password

These steps can also be used to generate a distribution key for the iTunes Store.

Internet Security Through Code Signing

code_signing1As you’re probably aware (and if you aren’t, you should be!), computer viruses, Trojan horses, and other assorted malicious code-nastiness pose a major security threat to networked systems. On a constantly changing and growing global network the size of the Internet, it’s simply impossible to keep viruses and their brethren at bay. The truth is, infected code of one form or another runs rampant in many systems, and code safety is a major concern for developers and for users of Internet applications (including ActiveX controls).

For example, it’s possible that a perfectly harmless-looking ActiveX control, executable file, or code from unknown sites or authors could wipe out a user’s entire system before he knew what hit him! Worse yet, perfectly harmless code created by one programmer could be tampered with and altered by some other, malicious programmer after its release, possibly wreaking havoc on the systems of users who download and execute the altered code!

Addressing Security Issues

There are two basic ways to address the Internet security issue:

  • Sandboxing. This term refers to restricting an application to a certain set of APIs, excluding those that would enable file I/O and other potentially dangerous function groups that could alter or destroy data on a user’s system. This security method assumes that you trust the application won’t do any harm, and that you trust the source of the application to not act maliciously.
  • Shrinkwrapping. This security method uses specially encrypted digital signatures. A shrinkwrapped product verifies signed code with a private-key/public-key verification scheme. Before any signed code is allowed to execute on a user’s machine, its digital signature is verified. This verification process ensures that the code hasn’t been tampered with since the code was signed, and it also ensures that the code is from a known, authenticated source.

Digital Code Signing

Digital code signatures are used to verify code authenticity and also to identify and provide details about the publisher of the code. Digital signatures are an industry standard supported by many Web browsers. Such browsers enable a user to choose whether to download and execute code of unknown or suspicious origin.

 

For the most up-to-date information about digital code signing, an industry standard, access the Web site for the World Wide Web Consortium (W3C) at this URL

http://www.w3.org/pub/WWW/

Signed Code and Code Certificates

As an independent software vendor (ISV) who wants to use the benefits of digital code signatures in your applications, you must get something called certificates from a certificate authority (CA), a third-party company known and trusted by the industry. After a CA verifies that you comply with W3C policies, the CA issues you a digital certificate file for use in code signing. The certificate file contains important information, including the name of the software publisher, your public encryption key, the name of the CA’s certificate, and more.

Public and Private Encryption Keys

Public and private keys are created by you for use in encrypting the digital signature block used to verify your code’s authenticity. Both keys are created by you, but the private key remains your little secret. The public key must be checked by the CA to ensure that it’s unique.

Signing Your Code

You need special tools to sign your code, and these are available in the ActiveX Development Kit, available from Microsoft on CD-ROM and online at the following URL:

http://microsoft.com/activex

Fully debugged, release-ready code is run through a hash function that produces a fixed-length code digest. You then encrypt this digest with your private key and combine it with your certificate file. The result is linked back into your executable file. Presto! Your digitally signed masterpiece is ready for distribution over the Internet. The tools used for code signing are listed in Table 16.1 and are available in the ActiveX SDK.

Filename Description
MAKECERT.EXE A tool that creates a fake certificate for development purposes.
CERT2SPC.EXE The tool used to build a signature block from your certificate.
SIGNCODE.EXE A tool that links the signature block into your executable.
CHKTRUST.EXE A tool that verifies that code has been successfully signed.

 

Considering the Cash Factor

As you’ve seen, code signing is a robust system for creating trustworthy code. Users can rest assured that signed code is safe to download and execute. The nagging question in your mind at this point is probably, “How much does a certificate cost?” Good question!

Microsoft estimates that commercial software publishers will pay around $400 U.S. dollars for the initial certificate and around $300 for an annual renewal. Certificates for individual software publishers will ring in at about $20.