Archive for the ‘Software’ Category

Password Based Encryption

Wednesday, December 18th, 2013

Password Based Encryption (PBE) is a mechanism for protecting sensitive data using a symmetric cryptographic key derived from a password or passphrase. The use of a passphrase allows the data owner to use a self-selected, easy to remember secret expression instead of 32 random bytes (in the case of a 256 bit key). If coded improperly, even with the use of strong passwords, password encrypted data is easily cracked. Therefore, the use of a proven cryptographic library is essential.

Here, we’ll look at a simple example of PBE to encode plaintext data using a password of arbitrary length. The example is in C# and uses the .Net version of the BouncyCastle cryptographic library. However, there is also a Java version of BouncyCastle which allows for a similar solution.


TCP/IP Parameter Tuning for Rapid Client Connections

Wednesday, February 17th, 2010

Applications that open and close a large number of client TCP/IP sockets run the risk of running out of available socket ports.  This can happen in a load and performance testing scenario using a tool like LISA Test from iTKO, or it could happen in a production environment if an active application simply needs to rapidly open and close a large number of outbound connections.

On the .NET platform, the exception raised reads “System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted <host>:<port>“. 

In Java, the exception is “ Address already in use: connect“. 

Both exceptions are misleading because they are generally associated with server socket conflicts – not outbound client socket connections.  However, a better understanding of the TCP state machine sheds some light on this behavior – and a solution.


The .NET Asynchronous I/O Design Pattern

Thursday, February 11th, 2010

Asynchronous operations allow a program to perform time consuming tasks on a background thread while the main application continues to execute.  For example, consider when a program makes a request to a remote system.  In a single-threaded scenario, the call is made and the CPU goes idle as the caller waits on the server’s processing time and the network latency.  If this waiting time can be delegated to a separate thread of execution, the program can complete other tasks until it receives notification the background work is complete.

However, managing multiple threads and cross-thread communication adds complexity to your code.  Fortunately, the .NET Framework has a useful design pattern applied to its I/O classes which easily enables asynchronous calls.  Let’s take a look at an example.


Understanding SSL – Part 1: Certificates and Keys

Wednesday, October 14th, 2009

The technology behind Secure Sockets Layer (SSL) network connections is often perceived as a bit of “black magic” – smoke and mirrors securing our Internet connections from snooping.  When banking and shopping online, even a novice user understands their browser sets up an HTTPS connection (which is simply HTTP over SSL) to protect the transaction.  It’s easy to simply surf to a secure URL and know that, somehow, SSL is magically keeping you safe.

Developing software that uses SSL is an entirely different matter.  The simplicity quickly fades, and the developer must confront the complexities of certificate management, trust stores, handshaking, and a host of other details that must be perfectly aligned to make the secure communication work.  In Part 1, we’ll cover a very high level of SSL concepts.  In subsequent posts, we’ll take a deeper dive into making these connections happen in both Java and C#.


Kill Spam With Real-Time DNS Blacklists

Wednesday, June 11th, 2008

A great Open Source project for gaining understanding about e-mail systems, including an in-depth look at SMTP and POP3, is the Java-based Apache JAMES Project.  Although JAMES has the unfortunate shortcoming of being built around the now defunct and unsupported Apache Avalon Framework, it’s still a fantastic learning tool for understanding email protocols, mail delivery, and spam filtering.  Not only that, it’s a fully functional, enterprise-ready mail server that can be up and running with minimal configuration.

One technology implemented by JAMES for spam filtering is real-time DNS blacklists.  DNSBLs identify the IP addresses of potential spam sources and machines known to be delivering spam (as determined by the sometimes controversial policies of the list owner).  Spam blacklists date back to 1996 with Paul Vixie’s Mail Abuse Prevention System, and are now used by ISPs and corporate mail systems around the world.  Countless organizations maintain blacklists, and Web sites like MX Toolbox permit ad hoc queries of IP addresses against dozens of published lists.


JUnit Factory Part 3: Improving Code Coverage

Sunday, February 10th, 2008

JUnit Factory is rather clever how it analyzes and executes your code to generate characterization tests. However, legacy Java code was generally not written with testability in mind. This sometimes makes it difficult for JUnit Factory to attain complete coverage of your code due to the need for objects to exist in a complex state or the need to interact with an external resource such as a database.

JUnit Factory is often able to generate mock instances automatically for problematic classes. When automocking fails, the developer can improve coverage by either extracting behaviors into private methods or by providing hints to JUnit Factory in the form of test data helpers.


JUnit Factory Part 2: Finding Regressions

Thursday, January 24th, 2008

Characterization tests provide a safety net for your legacy Java code by helping identify unintended changes in software behavior caused by code maintenance. JUnit Factory from Agitar Software may be used to automatically generate these tests for you. In this post, we’ll take a look at what happens to these characterization tests when a simple code change is made.


JUnit Factory Part 1: Generating Tests

Tuesday, January 15th, 2008

JUnit Factory is a free Eclipse plug-in from Agitar Software that generates characterization tests for your Java code. For more background on what characterization tests are, and how you use them, you’ll want read my post “Characterization Tests: How To Deal With Legacy Java Code”.

This article describes how to generate tests for a simple Java class and how to read the tests. Not all of your real code will be this simple, and not all generated tests will be this simple, either. But, bear with me as we start small and work our way up.