Elliptic-curve cryptography (ECC)
Posted by
Manish Panchmatia
on Sunday, December 10, 2017
Labels:
security
The security of ECC rests on the assumption that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible: this is the "elliptic curve discrete logarithm problem" (ECDLP).
Applicable for
- key agreement : elliptic curve Diffie–Hellman (ECDH)
- digital signatures : Elliptic Curve Digital Signature Algorithm (ECDSA) FIPS 186-3
- pseudo-random generators
- Integer Factorization algo. E.g. Lenstra elliptic-curve factorization.
- Encryption = key agreement + symmetric key encryption
ECC key length compared with RSA key length (in bits).
RSA | ECC |
512 | 112 |
1024 | 160 |
2048 | 224 |
3072 | 256 |
7680 | 384 |
15360 | 512 |
Elliptic Curve
- Symmetric about the x-axis
- A straight line intersects the curve at 3 points
- y^2 = x^3 + a*x + b (Weierstrass equation)
- No self-intersections
- No isolated points
- R = P + Q : draw the line through P and Q; the third point where it intersects the curve is -R, and R is the reflection of -R across the x-axis
- If the line is tangent to the curve, it still intersects the curve at one more point
- All vertical lines intersect the curve at the point at infinity
- Other algorithms
- Elliptic curve cryptography
- Elliptic-curve Diffie–Hellman (ECDH) Key agreement
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- EdDSA : The Edwards-curve Digital Signature Algorithm (EdDSA) is based on the Schnorr signature and uses twisted Edwards curves
- Dual_EC_DRBG
- Lenstra elliptic-curve factorization
- Elliptic curve primality proving
- Supersingular isogeny key exchange
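The point-addition rule (R = P + Q) and ECDH key agreement listed above, worked through on a textbook-sized curve as an added example; it is not code from the original post or from any library named here. The curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1), the private keys and all function names are assumptions chosen for illustration.

```python
# Toy parameters (assumed for illustration, NOT secure): y^2 = x^3 + 2x + 2 over F_17.
P_MOD, A, B = 17, 2, 2
G = (5, 1)      # base point; it generates a group of order 19
ORDER = 19
INF = None      # point at infinity (the group identity)

def on_curve(pt):
    """True if pt satisfies the Weierstrass equation (or is the identity)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def add(p, q):
    """Chord-and-tangent rule: the line through p and q meets the curve at -R."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # vertical line: the third point is at infinity
    if p == q:      # tangent slope
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:           # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD  # reflect -R across the x-axis
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    result = INF
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def ecdh_shared(private_key, peer_public):
    """Reject points that are off the curve, then derive the shared point."""
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("peer public key is not a valid curve point")
    return mul(private_key, peer_public)

alice_priv, bob_priv = 3, 10  # constructed sample private keys
alice_pub, bob_pub = mul(alice_priv, G), mul(bob_priv, G)
```

Both sides arrive at the same point because a*(b*G) = b*(a*G); recovering a or b from the public points is the ECDLP.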
ECC implementation
Modular form https://en.wikipedia.org/wiki/Modular_form and Field arithmetic https://en.wikipedia.org/wiki/Field_arithmetic
* Software
- ecclib : https://github.com/bluemurder/ecclib
- Microsoft MSR ECCLib : https://www.microsoft.com/en-us/download/details.aspx?id=52511
- Node.js https://www.npmjs.com/package/eccrypto
* Hardware
Advanced Vector Extensions : https://en.wikipedia.org/wiki/Advanced_Vector_Extensions
Public Key Cryptography
PKI (Public Key Infrastructure)
- CA (Certificate Authority) binds public key with identity. = TTP Trusted Third Party. E.g. Symantec, Comodo, GoDaddy, digicert, GlobalSign
- OCSP Responder
- RA (Registration Authority) = subordinate CA in Microsoft PKI.
- VA (Validation Authority)
- Central Directory to store index keys
- Certificate Management System
- Certificate Policy
1. CA
2. Web of Trust. E.g. PGP (Pretty Good Privacy) and GnuPG
3. Simple Public Key Infrastructure (SPKI). Authorization loop : verifier = issuers
Open Source implementation of CA
- OpenSSL is the simplest CA and a tool to build PKI-enabled apps. Written in C. Part of all major Linux distributions.
- EJBCA is a full featured, Enterprise grade, CA implementation. Java.
- OpenCA is a full featured CA implementation
- XCA is a graphical interface, and database.
- (Discontinued) TinyCA was a graphical interface for OpenSSL.
- XiPKI CA and OCSP responder. With SHA3 support, OSGi-based Java.
- IoT_pki is a simple PKI. Python cryptography library
- DogTag
- gnoMint
- EasyRSA, OpenVPN's command line CA utilities using OpenSSL.
- r509
- Boulder is an automated server that uses the Automated Certificate Management Environment (ACME) protocol.
- Windows Server : Active Directory Certificate Services.
- CAcert https://en.wikipedia.org/wiki/CAcert
- Let's Encrypt. https://en.wikipedia.org/wiki/Let%27s_Encrypt
Tools
- OpenSSL : https://www.feistyduck.com/books/openssl-cookbook/
- genrsa
- ssh-keygen
Standards
Public Key Cryptography Standards : https://en.wikipedia.org/wiki/PKCS
Cryptographic Message Syntax : https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax and RFC 2315, RFC 2360, RFC 3369
Books
1. Introduction to cryptography and network security
2. Cryptography theory and practice
3. Field Arithmetic
4. Problems in the Theory of Modular Forms
Kubernetes - practicals
To get more practical insight about internals of Kubernetes
1. Kubernetes - the hard way
https://github.com/kelseyhightower/kubernetes-the-hard-way
https://github.com/kinvolk/kubernetes-the-hard-way-vagrant
https://veerendra2.github.io/kubernetes-the-hard-way-1/
https://veerendra2.github.io/kubernetes-the-hard-way-2/
https://veerendra2.github.io/kubernetes-the-hard-way-3/
2. Learn Kubernetes using Interactive Browser-Based Scenarios
https://www.katacoda.com/courses/kubernetes
3.
Hands-on with Minikube: single node Kubernetes cluster
To install Minikube :
Free course : “Kubernetes Hardway”
4.
First install curl
sudo apt-get install curl
Install latest stable release of Kubectl
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
chmod +x kubectl
sudo mv kubectl /usr/local/bin/kubectl
Install latest stable release of Minikube
curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
chmod +x minikube
sudo mv minikube /usr/local/bin
If VirtualBox was already installed earlier using
sudo apt-get install -y virtualbox virtualbox-ext-pack
Then execute command:
minikube start --memory 1536
Else execute command
echo 'export CHANGE_MINIKUBE_NONE_USER=true' >> ~/.bashrc
source ~/.bashrc
sudo -E minikube start --vm-driver=none
Now play around with Minikube using kubectl
Overview of kubectl
https://kubernetes.io/docs/reference/kubectl/overview/
kubectl Cheat Sheet
https://kubernetes.io/docs/reference/kubectl/cheatsheet/
5. K8S client
https://github.com/kubernetes-client/
https://github.com/kubernetes-client/python
6. https://github.com/kubernetes-incubator
7. Ansible modules
https://docs.ansible.com/ansible/latest/modules/k8s_module.html
https://docs.ansible.com/ansible/latest/modules/k8s_facts_module.html
https://docs.ansible.com/ansible/latest/modules/k8s_scale_module.html
8. Online courses
https://kodekloud.com/
9. Play with k8s : https://labs.play-with-k8s.com/
10. k8s live talks https://github.com/bbenetskyy/k8s-live-talks
11. https://www.abhishek-tiwari.com/local-development-environment-for-kubernetes-using-minikube/
12. https://github.com/saiyam1814/challenges-kubernetes
13. Useful commands
https://hub.docker.com/r/karthequian/helloworld/
kubectl run hw --image=karthequian/helloworld --port=80
Deployment name is : hw
kubectl get all
kubectl get pods
kubectl get pods --all-namespaces
The pod is only accessible by its internal IP address within the cluster. To make a container accessible from outside the Kubernetes virtual network, expose the pod as a Kubernetes service using the expose command
kubectl expose deployment hello-minikube --type=NodePort
To get the YAML of a deployment or service
kubectl get deploy/hw -o yaml
kubectl get service/helloworld-service -o yaml
Create
kubectl create -f helloworld-deployment.yml
kubectl create -f helloworld-service.yml
minikube service helloworld
Scale
kubectl get rs # replica sets
kubectl scale --replicas=3 deploy/helloworld-deployment
With Labels
kubectl get pods --show-labels
kubectl label pod/helloworld app=newName --overwrite # to overwrite
kubectl label pod/helloworld app- # to delete
Labels can be used with deployments, services, replica sets etc.
With Selector
To search
kubectl get pods -l label1=value1,label2=value2
kubectl get pods -l label1!=value1
kubectl get pods -l 'label1 in (value1, value2)'
kubectl get pods -l 'label1 notin (value1, value2)'
One can use --selector instead of -l
To delete we can use
kubectl delete pods -l .....
Health check
One can add readinessProbe and livenessProbe in YAML file
Upgrade and rollback
kubectl create -f helloworld-black.yaml --record
--record is used to add it to roll out history
kubectl set image deployment/navbar-deployment helloworld=karthequian/helloworld:blue
kubectl rollout history deployment/navbar-deployment
kubectl rollout undo deployment/navbar-deployment
To roll back to a specific version, add `--to-revision=version` to the undo command
Debug
kubectl describe pod "pod name"
kubectl describe deployment "deployment name"
kubectl logs "pod name"
kubectl exec -it "pod name" -- /bin/bash
kubectl exec -it "pod name" -c "container name" -- /bin/bash
Dashboard
minikube addons list
minikube addons enable "name"
minikube dashboard
kubectl edit pod "pod name"
Configmaps
In this example we take a setting named "log_level" and pass the value "debug" to a pod via a configmap.
To create a configmap from this literal
kubectl create configmap logger --from-literal=log_level=debug
To see all your configmaps: `kubectl get configmaps`
To read the value in the logger configmap: `kubectl get configmap/logger -o yaml`
To edit the value, we can run `kubectl edit configmap/logger`
Application Secrets
E.g. database passwords, API tokens
They should not be written in plain text in the YAML file.
kubectl create secret
kubectl get secret
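A check covering the "Health check" and "Application Secrets" notes above, as an added example (not part of the original post): it reads the JSON form of a deployment, as printed by `kubectl get deploy/hw -o json`, and reports containers without probes or with credentials written inline. The sample manifest, the DB_PASSWORD and API_TOKEN variables, the name pattern and the `audit` function are constructed assumptions.

```python
import json
import re

# Constructed sample: trimmed output of `kubectl get deploy/hw -o json`.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "hw"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "web", "image": "karthequian/helloworld",
    "readinessProbe": {"httpGet": {"path": "/", "port": 80}},
    "env": [{"name": "log_level",
             "valueFrom": {"configMapKeyRef": {"name": "logger", "key": "log_level"}}},
            {"name": "DB_PASSWORD", "value": "example-only"}]},
   {"name": "worker", "image": "karthequian/helloworld",
    "env": [{"name": "API_TOKEN",
             "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}]}
 ]}}}}
""")

# Assumption: env names matching this pattern carry credentials.
SENSITIVE = re.compile(r"(pass(word)?|secret|token|api_?key)", re.IGNORECASE)

def audit(deployment):
    """Return (container, finding) pairs for missing probes and inline secrets."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                findings.append((c["name"], f"missing {probe}"))
        for env in c.get("env", []):
            # A literal "value" is stored in the manifest itself; a credential
            # should be referenced through valueFrom.secretKeyRef instead.
            if SENSITIVE.search(env["name"]) and "value" in env:
                findings.append((c["name"], f"inline secret in env {env['name']}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```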
We have similar CLI commands for cronjobs, statefulsets and namespaces
kubectl create cronjob
kubectl edit cronjobs/hellow
kubectl create -f "yaml file for statefulsets"
kubectl get statefulsets
A namespace provides multi-tenancy within a k8s instance: k8s provides multiple virtual clusters on the same physical cluster.
kubectl get namespaces
kubectl create namespace "name"
kubectl delete namespaces "name"
Node IP Address
# Get ExternalIPs of all nodes
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
Events
# List Events sorted by timestamp
kubectl get events --sort-by=.metadata.creationTimestamp
Autoscale
kubectl autoscale deployment foo --min=2 --max=10 # Auto scale a deployment "foo"
Running Pods
kubectl logs my-pod # dump pod logs (stdout)
kubectl port-forward my-pod 5000:6000 # Listen on port 5000 on the local machine and forward to port 6000 on my-pod
kubectl top pod POD_NAME --containers # Show metrics for a given pod and its containers
Use Case : nginx server with load balancer
kubectl run nginx --image=nginx:1.10 --replicas=5
kubectl get deployments
kubectl get pods
kubectl expose deployment nginx --type=LoadBalancer --port=80
kubectl get svc
Reference :
istio
Micro-service mesh management framework
It provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.
Benefits
* A/B testing,
* canary releases,
* failure recovery,
* metrics,
Key Capability
* Traffic Management
- load balancing,
- rate limiting,
* Observability
- monitoring
* Policy Enforcement
- access control,
- load balancing,
* Service identity and security
- service-to-service authentication,
- discovery of services,
- end-to-end authentication.
* Platform Support
- Cloud,
- on-premise,
- Kubernetes,
- Mesos
* Integration and Customization : integrate with existing solutions for
- ACLs,
- logging,
- monitoring,
- quotas,
- auditing
- etc.
Istio pre-configured add-ons
* Grafana : dashboard to visualize service mesh traffic data
* Prometheus : to query istio metrics
* ServiceGraph : generating and visualizing a graph of services within a mesh
* Zipkin : distributed tracing system
Architecture
1. Data plane :
set of intelligent proxies (Envoy)
2. Control plane :
manages and configures the proxies
- to route traffic
- to enforce policy at runtime.
1. Envoy : sidecar proxy in same pod with features :
dynamic service discovery,
load balancing,
TLS termination,
HTTP & gRPC proxying,
circuit breakers,
health checks,
staged roll-outs with percentage-based traffic split,
fault injection,
rich metrics.
rich L7 routing
2. Mixer:
platform independent
flexible plugin model
with a variety of host environments and infrastructure back end
Tasks:
- enforce access control
- enforce usage policies such as authorization, rate limits, quotas, authentication etc.
- collect telemetry data from envoy
- request tracing
Mixer configuration for
- attribute extraction
- policy evaluation
Adapter
Go Package.
Guide to develop new adapter : https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide
https://istio.io/blog/2017/adapter-model/
3. Pilot
Tasks:
- converts high level routing rules that control traffic behavior into Envoy-specific configurations
- propagates Envoy-specific configurations to the sidecars at runtime
- abstracts platform-specific service discovery mechanisms
- translate service discovery to Envoy data plane API
Benefits
* service discovery
* traffic management
* intelligent routing
- A/B tests,
- canary deployments
* resiliency
- timeouts,
- retries,
- circuit breakers,
- etc.
* multiple environments
- Kubernetes,
- Consul/Nomad
4. istio-Auth
Authentication using mutual TLS
Built-in identity + credentials management
enforce policy based on service identity
5. Citadel
A centralized component responsible for certificate issuance and rotation.
6. Node Agent
A per-node component responsible for certificate issuance and rotation.
7. Galley
Central component for validating, ingesting, aggregating, transforming and distributing config within Istio.
In a nutshell, Istio is all about configuring the Envoy proxy