ziggurat29


It is expected that you would have found direct project pages through other means, but in case you land on this default page somehow, here are links to various public projects.

 

OpenVPN related

OpenVPN is a user-mode VPN using SSL for tunnel encryption.  It has a huge number of options and is supported on many platforms.  The price is right, and deployment is self-contained and easy (once you know what you're doing).

OpenVPN for Pocket PC

My contribution to the OpenVPN project was to create the needed TAP driver, do the required application porting, and provide a controlling GUI in support of PocketPC specifically, and Windows CE generally (though you may have to recompile for non-PocketPC due to 

Build of OpenVPN 2.1 rc 8 for OpenWRT (<- the actual file to download)

OpenWRT is a fantastic project which transforms a consumer-grade wireless router into a full-featured router.  The current release doesn't have a build of the 2.1 openvpn, however, so I built it myself.  I have provided the link to the ipkg in case anyone else has interest in it.  I have also added the OCSP support patch to this build.

Older ones (if for some reason you think you need them):

OpenVPN 2.1 rc 1, OpenVPN 2.1 rc 4, OpenVPN 2.1 rc 6

 

Modtronix SBC65 related

Oregon Scientific WMR928 Embedded Web Server

This provides software for the Modtronix SBC65EC embedded 

FRAMTest

I produced some routines for using the FRAM on the SBC65 which are available for others to use.

 

Miscellaneous

SexyHexy

SexyHexy is a TrueType™ font I created to serve as a quick hex viewer.  The font has 256 glyphs, each of which is a two-digit hex number.  This is handy for seeing control codes, and doing a quick ASCII to hex conversion with a text editor.

XCA Portable

XCA is an open-source Certificate Authority management app.  PortableApps is a project that provides a mechanism by which you package an application with a launcher so that the app, settings, and data are all stored on removable media -- typically a USB flash drive.  Since I like to keep my CA database on removable media anyway (it has all the private keys), it is nice to have the managing application come along with it.  This is a PortableApps installer for XCA.

VNCViewer.paf.exe (<- the actual file to download)

VNC Viewer is pretty portable as it is -- it is a single executable that doesn't require an installer, but it does save settings in the registry.  This Portable Apps launcher pivots the registry settings off of and onto the removable media, so your settings are made portable (e.g., MRU).  Also, any settings on the actual machine being used are backed up during the pivot operation.

OpenVPNPortable.paf.exe (<- the actual file to download)

This is a PortableApps version of OpenVPN.  This handles installing/removing the TAP driver (if needed) and starting up OpenVPN GUI.  Then you can run your VPN connections off the configurations in the 'data' directory.  When the GUI exits, an opportunity will be given to remove the TAP driver _if_ it was installed upon launch (i.e., this won't happen if it already existed).

OpenVPN GUI 1.0.3 with PKCS11 prompt (<- the actual file to download)

This is a modified version of the commonly used Windows GUI for OpenVPN.  I added support for presenting the PIN prompt for use with pkcs11 tokens.  This file is a zip of the modified source, and also contains a built binary.  The significant changes were to openvpn_monitor_process.c, passphrase.h, and passphrase.c.  To support building in VC6, I made some other superficial changes (e.g. header includes, etc.) to other files.

 

Financial Transaction Processing-Related

These are all Windows command-line utilities (except where noted); execute with the -help option to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method.  I used this for testing the output of some PIN Pad software I had created, but it is also handy for other debugging purposes.

Also included are methods to compute the IPEK that would be injected into a PIN Pad, and also to compute the (base) transaction key for an arbitrary KSN (the 'base' key is what DUKPT produces, before a variant is made for encrypting PINs or computing MACs).

VISA PVV Calculator (<- the actual file to download)

This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique.  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.

It's interesting to use the -findpin feature to see that, most of the time, a PVV will actually have two PINs that will verify.  E.g.:

PVKI:  1,  KPV: 4CA2161637D0133E5E151AEA45DA2A16

PAN:  5999997890123457

PIN:  1234

generates a PVV of: 1122, but an exhaustive search of all PINs shows that 6221 will also work just as well.  I haven't found any PVVs that do not have an alias (or have more than one), but I have only poked around a bit.  If one were to assume that there is usually one alias, then the difficulty of random guessing is halved to 1 in 5000.  Hm!
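The aliasing described above follows from squeezing 10,000 PINs into 10,000 four-digit PVVs. The sketch below is an added example, not part of the PVV Calculator: it keeps the TSP layout and the PVV decimalization step but, as an assumption, uses HMAC-SHA256 under a constructed key in place of the 3DES encryption, so it reproduces the collision statistics and not the 1122/6221 values. The function names are hypothetical.

```python
import hashlib
import hmac
from collections import Counter

def make_tsp(pan: str, pvki: int, pin: str) -> str:
    """TSP: rightmost 11 PAN digits (check digit dropped) + PVKI + 4 PIN digits."""
    return pan[:-1][-11:] + str(pvki) + pin[:4]

def decimalize(hex_block: str) -> str:
    """Take the first four 0-9 digits left to right; if there are fewer than
    four, rescan and take A-F mapped to 0-5 until four digits are collected."""
    out = [c for c in hex_block if c.isdigit()][:4]
    if len(out) < 4:
        letters = [str(int(c, 16) - 10) for c in hex_block if not c.isdigit()]
        out += letters[:4 - len(out)]
    return "".join(out)

def stand_in_pvv(key: bytes, pan: str, pvki: int, pin: str) -> str:
    # ASSUMPTION: HMAC-SHA256 truncated to 8 bytes stands in for the 3DES
    # encryption of the TSP, so these values are NOT real Visa PVVs.
    block = bytes.fromhex(make_tsp(pan, pvki, pin))
    mac = hmac.new(key, block, hashlib.sha256).digest()[:8]
    return decimalize(mac.hex().upper())

def alias_profile(key: bytes, pan: str, pvki: int = 1) -> dict:
    """For every possible true PIN, count how many PINs verify against its PVV."""
    pvv_of = {f"{p:04d}": stand_in_pvv(key, pan, pvki, f"{p:04d}") for p in range(10000)}
    bucket = Counter(pvv_of.values())
    accepted = [bucket[v] for v in pvv_of.values()]
    n = len(accepted)
    return {
        "mean_accepted": sum(accepted) / n,
        "no_alias": accepted.count(1) / n,
        "one_alias": accepted.count(2) / n,
        "two_or_more": sum(1 for a in accepted if a >= 3) / n,
    }

CONSTRUCTED_KEY = bytes(range(16))   # constructed test key, not the KPV above
PAN = "5999997890123457"             # PAN from the example above

if __name__ == "__main__":
    for name, value in alias_profile(CONSTRUCTED_KEY, PAN).items():
        print(f"{name:>13}: {value:.3f}")
```

Under this model a PIN has about one alias on average, so roughly 2 of the 10,000 PINs verify for a given card, which is the 1 in 5000 figure; about 37% of PINs have no alias and about 26% have two or more.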

VISA CVV Calculator (<- the actual file to download)

This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique.  MasterCard CVC uses the CVV algorithm, so it will work for that as well.  It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the format of the expiration date.  Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.

NOTE:  to compute CVVs, you need an encryption key.  This fact will be obvious to those who can use this tool, however many folks seem to be under the mistaken impression that you can generate a CVV or CVV2 without knowing the secret encryption key.  I mention this as a word of warning to folks, as there are many 'calculate a CVV' sites out on the web, where you can submit a PAN and get a CVV.  Naturally, you will try with your personal card because you can verify that the number the site calculates is the same as the one printed on your card.  The number you will receive will invariably (well, about a 1 in 1000 chance) be wrong.  You will shrug your shoulders and leave.  But in the process you will have sent an unknown third party your PAN and expiration date, which can still be used to perform transactions in some cases.  It is my belief that these sites are often scams to cause folks to disclose this personal information.  In sum:

Atalla AKB Calculator (<- the actual file to download)

This is a utility that will both generate and decrypt Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to download)

Bogo Atalla is an HP Atalla emulator (or simulator).  This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM/TRSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorizing transactions by verifying CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather just the portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.

This runs as a listening socket server and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating PVV values and encrypting/decrypting plaintext PIN values.

There is a file, bogoatalla.conf, which is used to specify the MFK, the various enabled commands, and option values.  You need to have this in the directory from which you run BogoAtalla002.exe.  You should be able to figure it out.  The one I provided here uses the MFK used in the examples in the Atalla docs, so you should be able to test with the Atalla examples.  For instance:

Translate a PIN block from DUKPT to ANSI:

<31#7#1dDNE000,791AC3DAFF7D8502293D9D241D9BB9A80806FA3825F670E9,342946FE884AA8B2#1PUNE000,8B672E58F4435F901BCC617C95C16388F06F9853B09A2301,DAD1F04BAC6D34BD#BC14A8602228A412#000234567890#9876543210E00008#S#>
<41#50DD506F53C3828A#Y#>

And Verify PIN, using Visa PVV method:

<32#3#1#2BBF4AF75D2F8D62#1PUNE000,C118AFA8BDA9F01E832B5725DFCE45D60C5A5CA83A4D1258,0DBB2D4988A072F2#1VVNE000,C56554CDE94948D004EB47FF82A81D8C24F89AFF4C47776C,9DE7167F56F172D7##3691#3#12345678901#512345678901#>
<42#Y#>

Included in the zip file is a command-line utility bogoatallastress.exe.  This can be used to hammer an Atalla (bogo or not) with a specific command over and over to determine the rate at which commands can be processed.  There is a default test to localhost executing ID commands, but you will want to test with something sensible, like a real cryptographic command (like the ones above).  The program will accept --help to print out a summary of the options available.  If you use --cmd, don't forget to quote your command because the < and the > will confuse the shell's command line parsing.  The verify PIN from DUKPT using Visa PVV method is an appreciable cryptographic workout:

<32#3#7#BC14A8602228A412#1dDNE000,791AC3DAFF7D8502293D9D241D9BB9A80806FA3825F670E9,342946FE884AA8B2#1VVNE000,C56554CDE94948D004EB47FF82A81D8C24F89AFF4C47776C,9DE7167F56F172D7##1607#3#00234567890#000234567890#9876543210E00008#1#>
<42#Y#>

Commands implemented:

00, 10, 11, 13, 1A, 30, 31, 32, 37, 5D, 5E, 7E, 90, 93, 97, 98, 99, 9E, 11B, 1111, 1226

(and some others that aren't ready to be mentioned yet)

Some have inquired about an implementation of other devices like Thales/Racal, Eracom, or whathaveyou.  This is an interesting idea, but I don't have the manuals describing the command sets for these devices.  If I had the manuals, then I probably could do it, though.  I wonder where I could get some, or if they could be found via the search engines. Presently, such searches yield nothing, but maybe one day they will turn something up...  Hmmm....

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla emulator ported to Linux and built for installation on an OpenWRT system, such as a Linksys WRT54GL.  Makes for a really cheap (~$60 USD) development/test device.

Oh, you will also need the config parsing library, on which there is a dependency, which I have handy here as well:  libconfuse_2.6-1_mipsel.ipk

When you install this package, the binary (bogoatalla) is placed in /usr/bin, and an init.d startup script is created to run as a daemon (you can also run it non-daemon, for playing perhaps, or to see some debug output on the terminal), and the configuration file is in /etc/bogoatalla.conf.  The file should be fairly obvious.  The most interesting thing of course is the MFK, which you will want to set to whatever is relevant for your environment.  I set it to the one used in the examples in the Atalla docs, so you can easily play with it out-of-box.  You'll also want to fiddle with the various options.  I commented all the options as well as indicating their default value.  As a mnemonic to myself, the options commented out altogether are a reminder that those options aren't relevant to the commands that I have implemented.

Atalla appears to cap their transaction processing rate artificially, depending on what model you purchased.  If you run a command that does real work (i.e., not something like 9A#ID#, or an error), you are subject to the capping.  For example, my real Atalla 8150 is rated at 66 transactions per second.  bogoatallastress shows that this is indeed the rate provided I do a cryptographic command.  However, my emulator on Windows will process 15,000 transactions per second for the same command.  Even my Linksys version running on a WL500GP will achieve over 1,200 per second over the LAN, and about 250 per second over the wild, wild, Internet -- sometimes up to 500/sec if the gods of the Internet smile upon me.  Interesting!

BogoAtalla for Linux (<- the actual file to download)

Same thing as above, but for regular x86 Linux machines.  Statically linked.  Only includes the executable and template .conf file -- you will have to write the init.d script.  Use --help for help.  Short story:  use --conf to specify the location of the .conf file, and --daemon if you want to run it as a daemon (e.g. init.d).