Why Certified and Why No Non-Certified?

This topic has come up many times, and even #MartinFowler wrote a blog post about it. Recently I was doing a code review and found a code snippet. Let me show you a simplified version of it.
public boolean isEligible(List<Integer> list) {
  boolean isEligible = false;
  for (int i = 0; i < list.size(); i++) {
    if (list.get(i) == 1) {
      isEligible = true;   // no break: the loop keeps scanning after the first match
    }
  }
  return isEligible;
}

Now, when I asked the developer to put in a break statement, he replied that it's a small array. He was right in that there is not much performance penalty, but that code was wrong from a "certified" developer's point of view. And this pretty much sums up the difference between a certified and a non-certified developer.
I am a certified Java programmer (from eleven years back), but whenever I do code reviews and see this kind of code, it really makes me want to fire that developer. It's not that you are not good or not capable if you are not certified, but it makes a difference how you started programming.
From my point of view, non-certified programmers mostly come in two categories.
  1. Very experienced programmers, who started programming in the 80s or thereabouts.
  2. A comparatively newer breed of programmers who came in after the IT boom in the late 90s.

Most programmers in the first category never bothered to get certified, as they have been programming long enough to optimize code at the assembly level. I always end up learning something new from them. (In fact, they would have optimized the code above to use an iterator and to store list.size() in a local variable 🙂 )
But after the IT boom in the late 90s, lots of college graduates jumped into programming (that is where the $$ is). When they got jobs and did programming in languages like Java, nobody really code reviewed their code and nobody did performance analysis at the loop level. They were never penalized for it, so they continued programming like this. If I interview them, they might know the difference between stateless and stateful EJBs but have no idea about the IoC pattern. Are they programmers in the true sense? Have they given serious enough priority to their skill set to get certified in it?
You can say that certified programmers got certified only because they can get better jobs. And you are right. But getting certified also makes you a complete programmer and makes you think before you commit your code. Hence, given the choice of hiring someone for my team, I will go for the certified programmer (unless he/she flunks my Java/JEE questions).
To end this blog entry, here is another code example, from a Java developer with 8 years of experience (and guess what? :)). The same developer also wrote the MyService class.
(See the technical requirement in the Javadoc.)

/** Finds service and invokes it.
    If service is not enabled, then don't invoke it.
**/
public void findAndInvoke() throws Exception {
  try {
    MyService service = serviceFinder.findService("MyService");
    service.invoke();   // NPE here when the service is not enabled (findService returned null)
  } catch (NullPointerException ex) {
    logger.log("Service is not enabled, hence ignoring");
  }
}
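As an added example (not the original developer's code, nor the author's), here are both snippets rewritten the way the review asked for: the loop returns at the first match and iterates without re-reading list.size(), and the "not enabled" case is an explicit null check instead of a caught NullPointerException. MyService and ServiceFinder are hypothetical stand-ins for the classes the post mentions.

```java
import java.util.List;

public class ReviewedCode {

    interface MyService { void invoke() throws Exception; }          // hypothetical stand-in

    interface ServiceFinder { MyService findService(String name); }  // hypothetical stand-in

    private final ServiceFinder serviceFinder;

    ReviewedCode(ServiceFinder serviceFinder) { this.serviceFinder = serviceFinder; }

    /** Returns true if any element equals 1. Returns as soon as a match is found
     *  instead of scanning the rest of the list; the enhanced for loop walks an
     *  Iterator, so list.size() is not re-evaluated on every pass. */
    public boolean isEligible(List<Integer> list) {
        for (Integer value : list) {
            if (value != null && value == 1) {   // null check avoids an NPE on unboxing
                return true;                       // the "break" the review asked for
            }
        }
        return false;
    }

    /** Finds the service and invokes it; if it is not enabled, skips it.
     *  "Not enabled" is an expected outcome, so it is handled with an explicit
     *  null check. Catching NullPointerException would also swallow a genuine
     *  NPE thrown from inside service.invoke() and hide a real bug. */
    public void findAndInvoke() throws Exception {
        MyService service = serviceFinder.findService("MyService");
        if (service == null) {
            System.out.println("Service is not enabled, hence ignoring");
            return;
        }
        service.invoke();
    }

    public static void main(String[] args) throws Exception {
        ReviewedCode disabled = new ReviewedCode(name -> null);
        disabled.findAndInvoke();   // takes the "not enabled" branch
        ReviewedCode enabled = new ReviewedCode(name -> () -> System.out.println("invoked"));
        enabled.findAndInvoke();    // finds and invokes the stand-in service
        System.out.println(disabled.isEligible(List.of(3, 1, 2)));
        System.out.println(disabled.isEligible(List.of(3, 2)));
    }
}
```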

Public Key Cryptography (Yet another guide)

Introduction
In the traditional encryption method, you encrypt using one key and decrypt using the same key. Of course it suffers from a basic problem: sharing the key. That is difficult or impossible when we want to exchange information in the public domain (secure websites etc.).
Public key encryption is asymmetric, meaning you encrypt using one key and the other key decrypts it. The starting point is to generate two keys at the same time using some tool and share one key with the other party. The other party can be the public at large, or the internet. The key which gets published is called the public key and the key which you keep to yourself is called the private key. Hence this type of cryptography is called public key cryptography.

The public-key concept is the basis for digital signatures and digital certificates.


PGP (Pretty Good Privacy) encryption
PGP uses both symmetric and asymmetric encryption. PGP uses a one-time session key to encrypt the whole document and uses the public/private key method to share that session key.

PGP is a hybrid cryptosystem.

Hence it is faster to encrypt and decrypt compared to using the public key to encrypt the whole document. Conventional encryption is about 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to the key distribution and data transmission issues.
These days, the PGP method is the most widely used.
Digital Signatures
One important use of public key cryptography is authentication of the sender. Hence this type of cryptography is perfect for digitally signing documents (or emails). This is even more secure than signing by hand (nobody can forge it). (Imagine digitally signing kids' report cards; they are out of luck 🙂 )
Instead of encrypting information using someone else’s public key, you encrypt it with your private key. If the information can be decrypted with your public key, then it must have originated with you.
General rule for using PGP (or public key) cryptography
If you want to exchange information where its origin from you has to be verified, then you use your private key to encrypt. Example: digital signatures in email.
If you want to authenticate the origin of a document, then you use that origin's public key to decrypt. Example: secure websites of banks.
Hash Functions (Message Digest or MD5)
A PGP tool can take any file and generate a fixed-length hash value of that file. The fixed length is generally a couple of bytes to 10-20 bytes (let's say 160 bits). Now if a recipient gets that file or downloads it (or gets it using torrents), he can generate the same hash code for the received file. If that hash code matches the hash code published (on the website), it means he has the right file with no modifications. This concept is generally used when users are getting software archives from different sources (or server mirrors) and want to make sure they got the original file.
Even a single bit changed in the file will cause a different hash code. The generated hash code is called the message digest or MD5.
To make cryptography even faster using PGP, instead of encrypting the whole document with the session key, PGP generates a message digest and digitally signs it using the private key (basically an encrypted message digest). The recipient then uses the public key to decrypt the MD and generates a new one from the received file. If both match, then voila.
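As an added example (not code from the original post or from PGP itself), here is the hybrid scheme and the sign-the-digest step described above, written with the JDK's built-in java.security and javax.crypto APIs: a one-time AES session key encrypts the document, the recipient's RSA public key wraps that session key, and the sender's RSA private key signs a SHA-256 digest that the recipient recomputes and checks. The key pairs, the sample document and the class name are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class HybridSignAndEncrypt {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();     // sender signs with its private key
        KeyPair recipient = kpg.generateKeyPair();  // recipient's public key protects the session key
        // Constructed sample document, not from the original post.
        byte[] document = "Quarterly report: all clear".getBytes(StandardCharsets.UTF_8);

        // 1. Sign: hash the document and encrypt the digest with the sender's private key.
        //    SHA256withRSA does the hashing, padding and RSA operation in one step.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(sender.getPrivate());
        signer.update(document);
        byte[] signature = signer.sign();

        // 2. Encrypt the whole document with a fresh one-time symmetric session key (the fast part).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey sessionKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);           // fresh nonce per message; never reuse with the same key
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(document);

        // 3. Share the session key by wrapping it with the recipient's public key (slow, but the input is tiny).
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrappedKey = rsa.wrap(sessionKey);
        // What travels over the wire: ciphertext, iv, wrappedKey and signature.

        // Recipient side: unwrap the session key with its own private key, decrypt, then verify the origin.
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        SecretKey recovered = (SecretKey) rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        byte[] plaintext = aes.doFinal(ciphertext);  // AEADBadTagException if the ciphertext was tampered with

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(sender.getPublic());
        verifier.update(plaintext);
        boolean genuine = verifier.verify(signature);  // recomputes the digest and compares with the signed one
        System.out.println("plaintext: " + new String(plaintext, StandardCharsets.UTF_8) + ", genuine: " + genuine);
    }
}
```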
Digital Certificates
Now with all the above encryption methods, one thing remains: the public key has to be published and we need to make sure that the public key originated from the right party. To solve the problem of authenticating the public key, digital certificates come into the picture.
A digital certificate consists of three things:
  1. The public key of the entity to whom this certificate belongs.
  2. Certificate information ("identity" information about the user, such as name, user ID, and so on).
  3. One or more digital signatures of third-party companies vouching for the authenticity of the public key. The digital signature covers the public key of the entity in question and is made by a "trusted" third party. Examples: VeriSign, GeoTrust etc.

One way for a recipient to check whether a certificate is valid is by verifying its digital signature, using its issuer’s (signer’s) public key. That key can itself be stored within another certificate whose signature can also be verified by using the public key of that next certificate’s issuer, and that key may also be stored in yet another certificate, and so on. You can stop checking when you reach a public key that you already trust and use it to verify the signature on the corresponding certificate.
Hence there is a hierarchy of CAs (Certificate Authorities). The topmost CA is called the root CA.
A CA creates certificates and digitally signs them using the CA’s private key.
Public Key Infrastructures (PKI)
A PKI contains the certificate storage facilities of a certificate server, but also provides certificate management facilities.
Our browsers come equipped with the public keys of some top-level certificate issuing authorities.
Digital certificates are of two types:
  • PGP certs (less used)
      - No third-party digital signature
      - Self-signed digital signature
      - Multiple people can sign it
  • X.509 certificates (most commonly used, e.g. by web browsers)
      - Apart from the three items listed above, it has a DN (distinguished name).
        Example: CN=Bob Allen, OU=Total Network Security Division, O=Network Associates, Inc., C=US
How to get X.509 Certificates?
To obtain an X.509 certificate, you must ask a CA to issue you a certificate. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You then digitally sign the information and send the whole package, the certificate request, to the CA. The CA then performs some due diligence in verifying that the information you provided is correct, and if so, generates the certificate and returns it.
In other words, you send a self-signed certificate signing request (CSR) to the CA. The CA verifies the signature on the CSR and your identity, perhaps by checking your driver’s license or other information. The CA then vouches for your being the owner of the public key by issuing a certificate and signing it with its own (the CA’s) private key. Anybody who trusts the issuing CA’s public key can now verify the signature on the certificate. In many cases the issuing CA itself may have a certificate from a CA higher up in the CA hierarchy, leading to certificate chains.
Other Misc Topics

Passphrase
Further, the private key can be stored encrypted using a password. Generally it is a phrase, hence it's called a passphrase. Think of the situation where someone has access to your machine and steals your private key. Unless they decrypt the private key using the same passphrase, they can't use that key to encrypt any document.

Strength of encryption
Keys (private and public) are measured in bits. Generally it ranges from 64 bits to 1024 bits. The larger the key, the more powerful the encryption, but the worse the performance. Hence while choosing key strength, it has to be the right balance between strength and performance. Generally 128-bit to 256-bit keys are enough for day-to-day operations like secure websites etc., unless it is a military secret. 1024-bit keys are overkill.
