I blog about anything heat-pump-related, in particular about our system. In addition, I am interested in thermodynamics, heat pumps and heating systems in general - and their integration with the smart grid and related security concerns. These are my postings about our 'ice-storage-/solar-' powered system specifically and postings on closely related subjects like the power grid, renewable energy and sustainable living.
My lecture slides on PKI and security are a bit dated already, I add them for completeness though.
Articles on my blog are targeted to a broader audience - perhaps they are too 'philosophical' for security experts. See the complete list of postings below, after the image.
- Between 2007 and 2010 I gave a lecture called Authentication, Authorization and PKIs in a master's degree programme at University of Applied Sciences FH Joanneum, then called Advanced Security Engineering (ASE).
- Public Key Infrastructures - Vision, Trends and Real-World Implementation - talk I gave in April 2007 at the opening event of that degree program.
- German lecture Verschlüsselungs- und Signaturtechnologien - von den theoretischen Grundlagen bis zur praktischen Umsetzung, given 2006 at ditact, on IT summer school for female students.
- German talk at .NET Conference in Vienna 2002 - PKI Implementierung. Effectively introducing new features of the Windows 2003 PKI.
This is my list of Links to white papers and the like that I have found useful (restarted 2014). It is not an attempt to create a balanced or educational list. I am adding what I need right now!
Comprehensive reviews of PKI issues
Analysis by Peter Gutmann who likes to throw rocks at PKI according to his bio:
- Everything you Never Wanted to Know about PKI but were Forced to Find Out
- Book Draft, see chapter on PKI: Engineering Security
- X.509 Certificates - part of the crypto tutorial.
- The legendary X.509 Style Guide
- PKI: Lemon Markets and Lemonade: Incl. many examples of certificates invalid in different respects but yet recognized by PKI applications.
Request for Comments:
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Including an algorithm for X.509 certification path validation.
- RFC 4158: Internet X.509 Public Key Infrastructure: Certification Path Building. In an alternate universe in which Richard Feynman had become a computer scientist, he would have written such RFCs instead of inventing his Feynman diagrams.
- Strict RFC compliance re validation of Certificate Policies OIDs enforced in Windows 2008 R2.
In Windows systems:
- Certificate Revocation Checking in Windows Vista and Windows Server 2008 - interesting: pre-fetching or CRLs and support for OCSP signing certificates signed by another CA.
- Troubleshooting Certificate Status and Revocation: explaining in detail how Windows clients build certificate chains, such as matching names based on a binary comparison or doing a name match only when AKI is not populated - which does not match my experience for Windows 2008 - I seen it agressively doing name matching despite non-matching AKI/SKI and this resulting in a alleged 'corrupt signatures'. But don't take my word on this - I might habe messed something up on testing. Anyway, this paper also demonstrates how awfully complicated it is to check certificate paths. Windows 2000 and XP did it differently (see at the middle of the document) - so this has probably changed again.
- Troubleshooting PKI Problems on Windows Vista
- How Certificate Revocation Works
- Windows XP: Certificate Status and Revocation Checking
Cross-certification and hierachies
- Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003: On cross-certificates and constraints.
- Microsoft's own showcase. They went from a 3-tier internal PKI to a simple 2-tier infrastructure.
Cross-certification of inhouse CAs by Verizon (former
Cybertrust), solution name formerly known as 'Omniroot'.
This case study still shows this name):
More case studies:
Links for Microsoft's autoenrollment are provided in more MS-related sections
- Simple Certificate Enrollment Protocol: The eternal draft (?) of a protocol originally developed by CISCO.
Weird, hacked, forged certificates
- Legendary X.509 certificate by Markku-Juhani Saarinen with: invalid dates, a public key exponent of 1, a huge RSA modulus whose BASE64 version includes a funny message (I found this gem quoted in Peter Gutmann's various PKI slides, e.g. these ones). Validated correctly on Windows systems in 2000 - just tested: as per 2014 it stil does.
- MD5 considered harmful today - Creating a rogue CA certificate: Epic and educational hack, based on a combination of the algorithm's weakness and out-of-the-box thinking / social engineering. A rogue CA cert., hash-colliding with a legitimate cert. issued by a SSL CA that was not very creative in creating serial numbers and validity dates.
- Null Prefix Attacks Against SSL/TLS Certificates by Moxie Marlinspike. How inserting NULL characters into the subject name and adding some domain you own after this character will result in great certificates for phishing purposes.
- Active Directory Certificate Services Step-by-Step Guide
- Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure: Old but still good.
- Securing Wireless LANs with Certificate Services: Again old but good. Comparing this to Securing Wireless LANs with PEAP and Passwords shows that PKI is by far the most time-consuming part of the infrastructure
- Active Directory Certificate Services Migration Guide: The CA is migrated by moving key, database, and conifguration over to a machine - which probably runs on a different operating system. The guide is for software-based key stores. With an HSM the migration is essentially the same once the HSM crypto provider has been configured and the HSM connected to the new machine.
- Windows CA Performance Numbers and Evaluating CA Capacity, Performance, and Scalability
Windows PKI: Features and management
After I started compiling my own list, I found this - I will keep picking some of the microsoft.com links and publish them to this page though:
- Windows PKI Documentation Reference and Library: Comprehensive overview of all MS resources related to the Windows CA ('Active Directory Certificate Services').
Some of the features required to run a Microsoft PKI in a larger, corporate environment:
- Windows Server 2012: Certificate Templates and Options - templates are classified in a new way, by the combination of the OSs of CA and certificate subscriber. The schema version is derived from these OS versions and the intended cryptographic providers.
- Note that version 3 templates are not available via the web enrollment (ASP) pages.
- Implementing and Administering Certificate Templates - for CAs <= 2008 R2
- Certificate Enrollment Web Services in Windows Server 2008 R2: This is to solve the issue with (not) allowing clients to use RPC/DCOM for certificate enrollment. These PKI roles allow for HTTPs-based enrollment via a 'proxy' instead. The HTML version of the paper. Starting with Windows 2012 key based renewal is supported - so non-domain joined machines only need to enroll for the intial certifiate manually.
- Active Directory Certificate Services PKI - Key Archival and Management: Storing private keys to the CA database, using split administration.
- Credential Roaming: Using Active Directory for roaming and backing up users's keys and certificates.
- Certificate Autoenrollment in Windows Server 2003: Especially the section on troubleshooting is interesting.
- Online Responder Installation, Configuration, and Troubleshooting Guide: Most interesting is how long response live: They are generated from CRLs and live as long this CRL or the OCSP signing certificate whatever is more short-lived. In addition, the cache time for responses served can be configured. How to make OCSP responders high-available.
- Network Device Enrollment Service - Microsoft's implementation of SCEP, Simple Enrollment Protocol. Starting with Windows Server 2012 R2 a custom policy module can be used with NDES.
- Failover Clustering and Active Directory Certificate Services: Clustering is supported if an HSM is used as a keystore. Then, actually, the HSM should be clustered as well.
- Evaluating CA Capacity, Performance, and Scalability: Performance of the Windows 2003 CA in terms of certificates issued per time and database size. Database performance in terms of creating views is not given.
Windows PKI 2008 R2 versus 2012 R2 and upgrade of hash algorithms
New features in 2012! Note I started added some the detailed articles about specific features - NDES, templates - also to other sections. This section is for overviews covering many new features or cryptograpy / algorithms in particular.
- What's New in Certificate Services in Windows Server 2012
- Windows Server 2012: Certificate Template Versions and Options - probably the change the PKI admin notices first.
New ways to leverage a TPM chip - key attestation by validation of an endorsement key. You could have used a TPM chip as a custom key store for the machine / SYSTEM in earlier versions of Windows (basically like a 'smartcard for machines) in case the vendor of the TPM chip or a vendor of crypto software provided a suitable CSP / CNG provider. Starting with Windows 8.1 as the end-entity's OS the CA (2012 R2) is able to check if the private key had really been stored to a TPM chip.
- Changing public key algorithm of a CA certificate - only the hash algorithm can be changed (for CNG providers), not the provider itself.
Upgrade Certification Authority to SHA256
- after the change of a registry key the CA signs anything with the new
algorithm, including CRLs and its own CA certificate when renewed (Step-by-step-instructions).
Attention - according to my experiences with 2008 R2 the registry value for hash values is case-sensitive. Good: The change of the hash algorithm can be reverted easily. Bad: This is a per-CA settings, so once the algorithm has been changed all certificates and CRLs issued by that CA are signed using the new algorithm.
Certificate and key stores
Windows client-side stores:
- Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)
- Key Storage and Retrieval: CNG architecture and location of keys in the file system.
- Windows Data Protection: Private key files are encrypted using a master key generated from a user's or machine's SID and password. DPAPI security explains why users don't lose access to their EFS private keys if their passwords are reset by a domain admin.
- The key associated with a self-signed certificate in the computer store is used in the Microsoft implementation of DNSSEC.
- Advanced Certificate Enrollment and Management: White Paper incl. sample commands for the Windows tool certreq and a summary on BASE64 and ASN.1
- BASE64 explained
- The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!)
- dumpasn1.c: Peter Gutmann's tool for checking ASN.1 encoding of any file.
- DER Encoding of ASN.1 Types - introduction to ASN.1 by Microsoft.
- Syntax of Windows' tool certutil that can (among many other things) show ASN.1 or encode/decode/encode hex files.
Using certificates for authentication
Native Active Directory logon:
- How to use certificates to integrate with the Kerberos protocol: RFC 4556 - Public Key Cryptography for Initial Authentication in Kerberos (PKINIT).
- Certificate Processing Logic, Figure 21 in Windows Vista Smart Card Infrastructure. Essential: String-based mapping of UPN in SAN onto UPN in AD. Secure though because the issuing CA's certificate need to be present in the NTAuth object.
- IIS configuration details of Active Directory Certificate Mapping: Client Certificate Mapping Authentication.
- Security advice by Microsoft - use this feature with caution and don't allow 'PKI admins' to control both a CA and the details of requests: Because user input can be abused by persons with malicious intent, precautions should be taken to mitigate the risks associated with the use of user-defined SANs.
- Specification of the Remote Certificate Mapping Protocol. An example of how the protocol is used in the communication between domain controllers and web servers.
Webserver-based mapping (no directory)
Apple iDevices, SAP, and other non-MS clients
- In contrast to Windows'/AD's native logon via UPN string mapping
SAP uses a 1:1 mapping of binary certificates to users:
Single Sign-on mit SAP (part of a German book, assignment of the certificate is explained on pp.33)
- Apple iPhones, 802.1x authentication against Active Directory using Windows
RADIUS server (NPS)
(promoted to blog post, summary kept here for traceability).
- Properties of the certificate
Subject CN: host/machine.domain.com
Subject Alternative Name machine.domain.com
Certificate Template (Windows Enterprise PKI): Copy the default template Workstation Authentication, Subject Name: Name as submitted with the Request.
- Create the key, request and certificate on a dedicated enrollment machine and export key and certificates as PKCS#12 (PFX) file.
- Create a shadow account in Active Directory
- According to my tests, the creation of an additional name mapping (as recommended here) is not required - SAN-DNS gets mapped onto dnsHostName in AD.
- Properties of the certificate
Network authentication of devices
- Overview: Certificates for different services / protocols, like 802.1x or IPsec
Started in 2014-10. Usual suspects as SMIME, EFS, 802.1x to be added as needed over time. See also the list of Technet Postings and the PKI FAQ.
- DNSSEC: Secure DNS Deployment Guide, Step-by-Step: Demonstrate DNSSEC in a Test Lab.
- Remote Desktop Services: Certificate requirements for RDP.
- Domain Controllers: Certificate requirements when using a third-party CA. These are the same requirements as with an inhouse CA - an external CA chain needs to be manually imported in addition (Trusted Roots, NTAuth).
Useful commands (in the Windows world)
- Some interesting flags for locking down access to a Windows CA. See section on Config_CA_Interface in this Configuration List.
- Windows Certificate Services Tools and Settings: Describing the CA's registry keys.
Emergency processes, for Windows.
- Delete cached CRLs:
certutil -setreg chain\ChainCacheResyncFiletime @now
(Weitere Optionen siehe diesen MS-PKI-Team-Blogeintrag)
- Start a CA even if the revocation check on its own certificate has
failed - set this flag:
certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
- Key Recovery:
- Search for the archived keys of a specific user and create a batach
script (CA admin permissions required)
certutil –getkey domain\username >recovery-username.bat
This script also contains the password of the p12 key file that will be created.
- Run this batch file. This creates a single p12 file including all keys for this user. Pre-requisites: The user executing the script needs to have one Key Recovery Agent's certificates associated with each of the keys to be recovered in his/her store. In addition CA Admin permissions are required and this needs to be an admin cmd session.
- Search for the archived keys of a specific user and create a batach script (CA admin permissions required)
- The batch file does the following for every key found:
certutil -getkey [SerialNumber] [encrypted blob]
certutil -recoverykey [encrypted blob]
A temporary p12 file is created from every blob; then all p12 files are merged using certutil -mergepfx and all temporary files are deleted.
PKI and smart metering
Requirements for a smart meter PKI in Germany:
Sicherheitsinfrastruktur für „smarte“ Versorgungsnetze
An example: Smart Meter mit PKI Sicherheit
Here I maintain a list of physics books, documents, blogs, and lectures I read / watch or that I have put on the (virtual) bedside table.
The collection is not some carefully crafted, balanced list - I am not searching for resources to add them here but I add what is interesting to me as a professional or a dilettante science blogger. I apologize for the mixture of German and English resources, and the structure is always work in progress.
This list had been formerly curated on my blog, on a page called Physics Books on the Bedside Table. I decided to migrate these links over here as in 2014 I had started to curate all my tech / science links on radices.net.
Popular Science Books 'enthusiastic'
- The Particle at the End of the Universe by Sean Carroll
- Knocking On Heaven's Door: How Physics and Scientific Thinking Illuminate our Universe by Lisa Randall
- Warped Passages: Unraveling the Mysteries of the Universe's Hidden Dimensions by Lisa Randall
- The Universe in a Nutshell by Stephen Hawking
Popular Science Books 'critical' (Note: This is not 'Alternative science')
- The Trouble with Physics by Lee Smolin.
- Farewell to Reality: How Fairytale Physics Betrays the Search for Scientific Truth by Jim Baggott. See a review on wavewatching.net here.
History of Science and Biographies of Physicists
- The Strangest Man, a biography of Paul Dirac by Graham Farmelo. See also the review by Peter Coles.
- carnotcycle – the classical blog on thermodynamics, by Peter Mander.
- Physics on the Fringe by Margaret Wertheim. I blogged about his book here.
- Genius: The Life and Science of Richard Feynman by James Gleick.
- Isaac Newton by James Gleick
- Einstein: A Biography by Jürgen Neffe
- Inside The Centre: The Life of J. Robert Oppenheimer by Ray Monk
Quantum Physics, Quantum (Field) Theory
Oersted Medal Lecture 2002: Reforming the Mathematical Language of Physics, as recommended here. Actually, this is about all of physics and how more powerful, concise, and elegant Geometrical Algebra would do away with concepts that just appear tacked on – as there is an underlying hidden structure. It is useful in classical physics but especially to understand the seemingly weird world of the complex wave function.
- Lectures on Quantum Field Theory by David Tong. Videos of his lectures delivered at Perimeter Institute can be found here (different formats available). These lectures were my starting point for (re-)learning QFT having been exposed to mainly condensed-matter-related and non-relativistic quantum statistics and 'second quantization' 20 years ago.
- Quantum Field Theory in a Nutshell, a concise textbook by Anthony Zee. David Tong highly recommends this book, saying tongue-in-cheek: He lies to you all the time, but in a good way. It is not an easy read because the presentation of the material is quite condensed. You have to fill a lot of intermediate steps in derivations. On the other hand this makes it a great book for serious self-study. It shows that Zee is a gifted writer of popular science books as well as his conceptual overviews are spot-on and very helpful for tackling the hard stuff.
- I trust Graham Farmelo on this and put Stephen Weinberg's book on my To-read-list.
- Student Friendly Quantum Fielf Theory by Robert D. Klauber. Klauber describes and writes out details in derivations, avoids all references to so-called trivial, obvious and easy steps, and he refers to his own learning QFT often. The book seems to have been written from the learner's perspective – he often anticipates those typical baffled student's questions and answers them before you dared to ask it. More praise in this post of mine.
- A lecture on Quantum Field Theory in German, by Gerhard Soff. I like these lecture notes because topics are reviewed from different angles (such as: canonical quantization versus path integrals) and the derivations are done in detail for all the different options.
- The Fun is Real. Blog author Warren Huelsnitz definitely meets his goal: to sort through the myths and misconceptions, and the excessive and misleading hype, associated with quantum physics.
- An Island In Theoryspace – an awesome blog by Jaques Pienaar on physics (mainly of the quantum variety) and sometimes also on its interface with philosophy.
Quantum Computing and Quantum Cryptography
The first field that rekindled by excitement for physics in about 2003, having worked in IT already for some years.
- wavewatching.net. A blog written by a physicist and IT consultant who tries to separate fact from VC fiction and to predict what impact quantum computing will have on corporate IT.
- Lecture notes on General Relativity by Sean Carroll plus his No-nonsense summary on GRT.
- Special and General Relativity – a German textbook by N. Dragon that covers it all. Amazing what kind of material is available for free! Using an unsual way to present Special Relativity (German) – I learned from physicspages.com that this is called k calculus.
Thermodynamics and statistical mechanics
Fascinating water, water vapor, and ice
- Mpemba effect from a viewpoint of an experimental physical chemist, the winning paper in this contest.
- Lecture on the 2nd law and thermodynamics – a summary of what has happened since Boltzmann.
- A lecture on Thermodynamics and Statistical Mechanics in German, by Michael Potthoff. I searched for lecture slides rather than notes in order to use them as quick “refresher” on the subject. These slides are excellent because very concise but still complete.
Classics: Basics and fundamentals – books and blogs that cover all of physics
- The Feynman Lectures on Physics. Vol. 1 is available online since September 2013!
- The 6 volumes my former professor in Theoretical Physics has written: Wilhelm Macke, who was Heisenberg's PhD student: Ein Lehrbuch der Theoretischen Physik: Teilchen – Felder – Wellen – Quanten – Thermodynamik und statistische Mechanik – Quanten und Relativität (Basically: Mechanics – electrodynamics – fields – thermodynamics and QFT). I was more than happy to discover that so many second book shops are now selling used books over the internet – and that Prof. Macke's books are still available as they have been out of stock when I was a student.
- The German physics text books I used in high school (last 4 years) by Josef Schreiner. I am still in awe of the way Schreiner was capable of tailoring all of classical and modern physics to high school students – incl. quantum mechanics and relativity at a rather advanced, but still accessible level.
It is very interesting to compare Feynman's and Macke's books – they have been published at about the same time and might serve as good examples for both excellent, but different ways to describe physics from scratch – 'American' versus 'German'.
- A very detailed blog – physicspages.com – Physics Tutorials with lots of examples, introductions and the author's solutions to text book problems.
- Scientific Finger Food: Sebastian Templ achieves his goal – quote from his About page: “I give my best to break it down into simple language. In doing so, I hope that I can serve you some pieces of physics, which I like to think of as being clear to me, in 'delicious and manageable bites' “.
- motionmountain.net: Six volumes on physics, written by a physicist who works as an innovation manager. Probably the most professional hobby / moonlighting physics project I have come across.
Classical (point particle) mechanics
- The physics of rotation by Cleon Teunissen. Classical mechanics at its best, see for example: Gyroscope Physics.