Feed aggregator

Certificate Pinning in your Couchbase Mobile iOS App

NorthScale Blog - Wed, 06/21/2017 - 18:00

Communication between Couchbase Lite and Sync Gateway is encrypted and secured using SSL/TLS. The SSL/TLS protocol relies on a Public Key Infrastructure (PKI) mechanism using an X.509 certificate to establish the Sync Gateway server's identity. The certificate is typically issued/signed by a trusted Certificate Authority and is installed on the Sync Gateway. In a development environment, this certificate may be self-signed.
If the trustworthiness of the certificate is somehow compromised, or if you are using a self-signed certificate, then the identity of the server cannot be reliably established, and without server authentication there can be no confidentiality guarantees on the communication between the client and server: whoever can impersonate the server can read and modify everything the client sends.
To alleviate these issues, Couchbase Lite supports certificate pinning. Certificate pinning is a technique that applications can use to "pin" a host to its certificate/public key. The certificate is typically delivered to the client over an out-of-band channel and bundled with the client. By pinning the certificate, the verifying client application no longer needs to rely on a trusted third party to vouch for the server's identity, and the technique also works with self-signed certificates.
This post will discuss how to pin certificates within your Couchbase Lite iOS client application.

Release 1.4 of Couchbase Lite only supports certificate pinning on iOS. The upcoming 2.0 Release (now in Developer Preview) will support pinning on all supported mobile platforms. The code snippets discussed in this post apply to the current production version of Couchbase Lite. Stay tuned for a future blog post on certificate pinning in Release 2.0.

The Problem

Communication between Couchbase Lite and Sync Gateway is encrypted using SSL/TLS.

At a very high level, the TLS protocol works as follows.
An X.509 certificate containing the public key and server identity is installed on the Sync Gateway. This public key certificate may be signed by a trusted third-party Certificate Authority or may be self-signed, the latter typically being the case in development environments.
During connection establishment, the client app running Couchbase Lite verifies the identity of the Sync Gateway using the server certificate: it checks that the certificate chains to a root certificate in its trust store (the trusted CA's root certificate) and that the name in the certificate matches the host it is connecting to. Once verified, the client proceeds with the key exchange. The resulting shared secret is then used to encrypt communication between the client and Sync Gateway.
[Figure: Basic TLS Exchange]
Please refer to the TLS RFC (RFC 5246 for TLS 1.2) for specifics on the SSL/TLS protocol.

There are some issues with this approach:
– While under most circumstances it is reasonable to rely on the trustworthiness of the CA, it is possible for a CA itself to be compromised. If that happens, an attacker can obtain a certificate for the Sync Gateway's name that the client will accept, and there is no reliable way to authenticate the Sync Gateway because the CA used for verification is itself not trustworthy.
– The client-server communication may be subject to a Man-in-the-Middle (MiTM) attack, whereby a rogue server impersonating a Sync Gateway presents a fake certificate for the Sync Gateway's name, signed by a bogus CA. If the client is somehow misled into adding the bogus CA's certificate to its trusted root Certificate Authority store, the client will trust the fake certificate and end up communicating with the bogus Sync Gateway.
– If you are using self-signed certificates in your development environment, there is no way for the client to reliably validate the identity of the server, and the usual shortcut of disabling certificate validation leaves the connection open to exactly the attack above.

A Solution – Certificate Pinning

One common way to handle the issues above is to "pin" the Sync Gateway server to its certificate/public key. In this technique, Couchbase Lite is pre-configured with the trusted Sync Gateway certificate, so during connection establishment it uses this pre-configured certificate to verify the identity of the server. This removes the reliance on an external third-party CA for verification of the certificate.
The OWASP website is a good reference on Certificate Pinning.

Caveat

It is important to note that since the application is bundled with the certificate, every time the certificate is replaced (at expiry, or earlier if the key is rotated or compromised), the application needs to be updated with the new certificate. This is more challenging in mobile environments, where app releases may require App Store review and the onus is on users to upgrade their apps; until they do, their replication will fail. So be aware of when the certificates expire and make appropriate plans to publish the application with the new certificate well before then. Because setAnchorCerts accepts an array of certificates, one common mitigation is to ship the next certificate alongside the current one ahead of the changeover; another is to pin your own issuing CA certificate rather than the server's leaf certificate, so that re-issued server certificates continue to validate.

Background

The Couchbase Mobile stack includes the Couchbase Lite embedded database running locally on devices and Sync Gateway in the cloud, which is typically backed by Couchbase Server persisting the data in the cloud. The Sync Gateway handles the replication of documents across the devices.

Installing Certificate on the Sync Gateway

Follow the instructions in the Couchbase Developer Portal to install the relevant server certificate on your Sync Gateway.

A couple of points to note during certificate generation:
– The certificate and corresponding private key must be in .pem format.
– Install the certificate and key in a location accessible to the Sync Gateway, and keep the private key readable only by the Sync Gateway process: anyone who can read it can impersonate your server regardless of pinning.
– If you are generating a self-signed certificate, probably the most important field is the CommonName (CN). It should be your Sync Gateway's FQDN. If your Sync Gateway does not have one, use localhost for a local instance, or the static IP address of your Sync Gateway. Current TLS clients, including recent iOS releases, also require the host name (or IP address) to appear in the certificate's subjectAltName extension, so include it there as well.
[Figure: self-signed certificate]
Once configured, your Sync Gateway should be accessible via https.
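The certificate generation and the DER conversion, together with the checks a practitioner would run before shipping the pinned file, as an added example that is not part of the original post and not Couchbase's own tooling. It generates a self-signed certificate whose CN and subjectAltName both carry the Sync Gateway host name, converts it to the DER .cer file the app bundles, confirms by SHA-256 fingerprint that the PEM and DER copies are the same certificate, reports how many days remain before expiry (the Caveat above), and defines a check_live_server function that verifies a running Sync Gateway presents exactly the pinned certificate. The host name sg.example.internal, the file names and the 4984 port (Sync Gateway's default public port) are assumptions for the example; OpenSSL must be installed.

```shell
#!/bin/sh
# Added example (not from the Couchbase post): generate a self-signed Sync Gateway
# certificate with CN and subjectAltName, produce the DER (.cer) copy the iOS app
# bundles, and check that both files encode the same certificate.
# Assumptions: OpenSSL is installed; the host name sg.example.internal and the
# temporary output directory are hypothetical.
set -eu

# Write an OpenSSL request config so the SAN extension is set without relying on
# the newer -addext flag (this form works with OpenSSL 1.0.2 and later).
write_req_config() {
    # $1 = config path, $2 = host name (FQDN) or bare IPv4 address
    case "$2" in
        *[!0-9.]*) san="DNS:$2" ;;   # contains letters: a DNS name
        *)         san="IP:$2"  ;;   # digits and dots only: an IP literal
    esac
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $2
[v3_server]
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate a private key and self-signed certificate in PEM, as Sync Gateway expects.
make_self_signed() {
    # $1 = output directory, $2 = host name, $3 = validity in days
    write_req_config "$1/req.cnf" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -config "$1/req.cnf" -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Convert PEM to DER; the DER file is what gets dragged into the Xcode project.
pem_to_der() { openssl x509 -inform PEM -in "$1" -outform DER -out "$2"; }

# SHA-256 fingerprint of a certificate, independent of its encoding ($2 = PEM or DER).
fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Prints yes if the host name appears in subjectAltName, otherwise no.
has_san() {
    if openssl x509 -in "$1" -noout -text | grep -Eq "(DNS|IP Address):$2"; then
        echo yes
    else
        echo no
    fi
}

# Whole days until notAfter, so a build step can fail early before the pin expires.
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -u -d "$end" +%s 2>/dev/null \
        || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s)   # GNU date, then BSD fallback
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Live check against a running Sync Gateway (not invoked below): exits non-zero unless
# the presented chain verifies against exactly the pinned file, which is what
# onlyThese:true enforces on the device.
check_live_server() {
    # $1 = host, $2 = port, $3 = pinned cert.pem
    echo | openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" -verify_return_error >/dev/null 2>&1
}

OUT=$(mktemp -d)
make_self_signed "$OUT" sg.example.internal 365
pem_to_der "$OUT/cert.pem" "$OUT/cert.cer"
echo "SAN present:       $(has_san "$OUT/cert.pem" sg.example.internal)"
echo "PEM fingerprint:   $(fingerprint "$OUT/cert.pem" PEM)"
echo "DER fingerprint:   $(fingerprint "$OUT/cert.cer" DER)"
echo "Days until expiry: $(days_until_expiry "$OUT/cert.pem")"
```

The fingerprint it prints is worth recording with the release so that a later build can be checked against it. check_live_server is not called by default because it needs a reachable Sync Gateway; run it as check_live_server sg.example.internal 4984 cert.pem once the certificate is installed, and treat a non-zero exit as a pin mismatch.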

Bundling Certificate in your iOS App
  • Convert the PEM certificate to DER format using the command below

openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer

You can refer to this SSL cheat sheet for details on the various openSSL commands.

  • Open your .xcodeproj file and drag and drop the .cer file into your project. Make sure you have the "Copy items if needed" option checked.
    [Figure: Copy files into Xcode]
  • After copying, your project structure would be something like this
    [Figure: Certificate Added]
  • Pinning the Sync Gateway Server Certificate
    This takes just a few lines of code. The code should be executed once, before any replication starts, so doing it at the point in code where you initialize the CBLManager is a good option.

import Foundation
import Security
// The Couchbase Lite framework (which provides CBLReplication) must also be imported.

// 1: Locate the DER-encoded certificate (the .cer file) in the app bundle
guard let pathToCert = Bundle.main.path(forResource: "cert", ofType: "cer"),
      // 2: Load the raw certificate bytes
      let localCertificate = NSData(contentsOfFile: pathToCert),
      // 3: Parse the bytes into a SecCertificate; this returns nil if the data is not valid DER
      let certificate = SecCertificateCreateWithData(nil, localCertificate) else {
    // Fail closed: without the pinned certificate no replication should be attempted
    fatalError("Pinned Sync Gateway certificate is missing or malformed")
}
// 4: Configure the replicator to trust only this certificate
CBLReplication.setAnchorCerts([certificate], onlyThese: true)

Steps 1 and 2 are self-explanatory, but note the failure case: if the certificate cannot be found or loaded, the app must not quietly continue with the system trust store. Treat a missing pin as a fatal configuration error rather than replicating without it.

Step 3: SecCertificate is a Core Foundation object that represents an X.509 certificate. SecCertificateCreateWithData returns nil if the bytes are not valid DER, which is the usual symptom of bundling the .pem file instead of the converted .cer.

Step 4: The Couchbase replicator must be configured with the Sync Gateway certificate using the setAnchorCerts class method of CBLReplication. By specifying onlyThese as true, you are telling the replicator that it must trust only this certificate: the chain presented by the server has to terminate at one of the anchors you supplied. If you set it to false, you are appending the Sync Gateway certificate to the list of built-in root certificates trusted by the iOS platform; that is enough to make a self-signed certificate work, but it does not protect you against a compromised or rogue CA, because any certificate chaining to a system root is still accepted.

That’s it! With just a few steps, you can enable certificate pinning in your iOS App.

What Next

As you may have gathered from this post, certificate pinning is very easy to configure in your iOS apps. While support in V1.4 is limited to iOS, stay tuned for the upcoming 2.0 Release (now in Developer Preview), which will include support on other mobile platforms as well.
If you have questions or feedback, please leave a comment below or feel free to reach out to me at Twitter @rajagp or email me priya.rajagopal@couchbase.com.  The Couchbase Forums are another good place to reach out with questions.


The post Certificate Pinning in your Couchbase Mobile iOS App appeared first on The Couchbase Blog.

Categories: Companies

Stephen Hawking awards medal to 'Big Bang Theory' - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 16:19
Astrophysicist Neil deGrasse Tyson and electronic music pioneer Jean-Michel Jarre are also honored with science communication awards.
Categories: Blogs

Samsung Galaxy Note 8 launch reportedly slated for August - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 16:15
A new phone, complete with curved screen and two rear cameras, reportedly has a launch event scheduled for August, according to Reuters.
Categories: Blogs

Sega classics are coming to your phone for free - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 16:14
Sonic, Altered Beast and more are headed to iOS and Android phones.
Categories: Blogs

Tesla's head of Autopilot software quits in under 6 months - Roadshow

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 16:10
His replacement is a pretty talented person in his own right.
Categories: Blogs

N1QL Performance and Feature Enhancements in Couchbase 5.0

NorthScale Blog - Wed, 06/21/2017 - 16:06

With Couchbase 5.0 nearing stable release, it is a good idea to revisit some of the enhancements, both in performance and features, that are coming with the N1QL technology.

So what were some of the enhancements made on the subject of performance?

Performance Enhancements to N1QL

Let's take index projection for example. When creating an index, you can include any number of properties. For example, take the following index:

CREATE INDEX idx ON default(type, firstname, lastname);

The above statement creates an index on the default bucket over the type, firstname, and lastname properties of every document; it can cover any query that needs only those properties.

Now let's say we created the following N1QL query to retrieve a few documents with the idx index we had created:

SELECT firstname
FROM default
WHERE type = 'person'

The above query would use the idx index and return only the firstname property for every document that matches. Querying this way is nothing new; what has changed is what happens behind the scenes. Notice that even though our index has three keys, the query is only interested in a subset, in this case two of them (type for the filter and firstname for the projection).

So what is happening and why is this important?

In previous versions of Couchbase, all keys of the index were transferred from the indexer to the query service regardless of whether only a subset was used. As a result, more network, CPU, and memory were needed than the query actually required. This is no longer the case.

So how do you know index projection is happening?

Do an¬†EXPLAIN on the query that you’re running:

EXPLAIN SELECT firstname
FROM default
WHERE type = 'person'

In the results you should see something regarding index_projection that looks like the following:

...
"index_projection": {
    "entry_keys": [
        0,
        1
    ]
},
...

The entry_keys property will change based on your query. For example, what happens if we add another WHERE condition:

SELECT firstname
FROM default
WHERE type = 'person' AND lastname = 'Nic'

In the above scenario, we would get an EXPLAIN result that looks like the following:

...
"index_projection": {
    "entry_keys": [
        0,
        1,
        2
    ]
},
...

Here index projection saves nothing, because the query uses all three keys of the index.

Creating proper indexes paired with index projection can really help in overall performance and scaling your Couchbase Server cluster.

Index projection is not the only performance enhancement in Couchbase 5.0. There is more!

Let's take the COUNT(DISTINCT) operation for example, used in the following query:

EXPLAIN SELECT COUNT(DISTINCT type)
FROM default;

In the results you'll notice that it is using IndexCountDistinctScan2: the indexer already stores every value of type, so it can compute the distinct count itself. In Couchbase 5.0 this happens in the indexer, whereas in prior editions it happened in the N1QL service, which first had to pull every index entry over the network. By offloading this operation to the indexer, we can see significant performance gains.

Similarly, take the OFFSET, LIMIT, and ORDER BY operators that can be used in N1QL queries.  Take the following query for example:

EXPLAIN SELECT firstname
FROM default
WHERE type = 'person'
ORDER BY firstname
LIMIT 1
OFFSET 1;

You'll notice that the LIMIT, ORDER BY, and OFFSET operators now appear in the indexer. Prior to 5.0 only the LIMIT operator was pushed down to the indexer, but now the others are as well. This is a huge win, because in previous versions of Couchbase, if you offset the results, N1QL would fetch all of the results from the indexer and then drop everything before the offset.

This brings us to the topic of N1QL and indexing feature enhancements.

Simplified Array Indexing

Array indexing arrived with Couchbase Server 4.5. Take the following sample document for example:

{
  "type": "person",
  "firstname": "Nic",
  "lastname": "Raboy",
  "social-media": [
    {
      "type": "twitter",
      "url": "https://www.twitter.com/nraboy"
    },
    {
      "type": "website",
      "url": "https://www.thepolyglotdeveloper.com"
    }
  ]
}

New Array Index Syntax

Before Couchbase 5.0, to index the array elements found in social-media you had to write an index that looked something like the following:

CREATE INDEX ism 
ON `default` ( DISTINCT ARRAY media FOR media IN `social-media` END )
WHERE type = 'person';

In the above example, the FOR operator was necessary for array indexing.  In Couchbase Server 5.0 there is a much more simplified syntax.  The same index can be created via the following:

CREATE INDEX ism 
ON `default` ( DISTINCT `social-media` )
WHERE type = "person";

To make sure your index works, you can execute the following N1QL query:

EXPLAIN SELECT *
FROM default
WHERE type = 'person' AND ANY media IN `social-media` SATISFIES media.type = 'website' END;

When looking through the results of the EXPLAIN you should see that it is using the ism index that was previously created.

Now just because the simplified syntax exists doesn't mean you can't use the previous syntax when array indexing. The following is a perfect example of why the previous syntax is still useful:

CREATE INDEX ism_website
ON `default` ( DISTINCT ARRAY media FOR media IN `social-media` WHEN media.type = 'website' END )
WHERE type = 'person';

Notice that a WHEN operator was used when creating the ism_website index above.

More information on array indexing can be found here, along with other useful documentation on creating indexes in Couchbase.

Relaxed Variable Match Requirement for Array Indexes

In 4.x releases, the array indexing required usage of exactly same variable names in the SELECT query that were used in the CREATE INDEX statement. Find more details here.

For example, referring to the previous queries seen above, note that the variable media that is used to iterate through the array social-media is very important. Array indexing in 4.x mandates the exact variable name media to be used in the previous SELECT query.

Couchbase 5.0 release relaxes this requirement, and following query would work perfectly fine:

EXPLAIN SELECT *
FROM default
USE INDEX (ism)
WHERE type = 'person' AND ANY m IN `social-media` SATISFIES m.type = 'website' END;

Note that the index ism uses the variable name media, while the query above uses m. The query can still use the index ism successfully.

A Relaxed Whole Array Index Key Requirement for Array Indexes

Also recall, in 4.x releases, the covered array indexing requires the whole array attribute as a mandatory index-key in the array index definition.  For example, take the following query again:

EXPLAIN SELECT *
FROM default
WHERE type = 'person' AND ANY media IN `social-media` SATISFIES media.type = 'website' END;

The covered array index corresponding to the above query would be:

CREATE INDEX ism_covered 
ON `default` ( DISTINCT ARRAY media FOR media IN `social-media` END,  `social-media`)
WHERE type = 'person';

Note that the second index key, social-media, is mandatory, for example to cover the following query:

EXPLAIN SELECT media
FROM default
WHERE type = 'person' AND ANY media IN `social-media` SATISFIES media IS NOT NULL END;

In Couchbase 5.0, this same query will be covered by index ism at the very start of this article.

This feature brings a lot of power to array indexes, because each entry in the array index now consumes less storage space and memory. It enables the following benefits:

  • Usage of covered array indexes for larger arrays
  • More efficiency and performance for queries using covered array indexes
Indexing Document Meta Information

Let's take a turn here and discuss the new meta information that can be indexed. Previously indexes could be created on the meta().id property, but now both the meta().cas and meta().expiration properties are supported as well.

So how do we create an index that uses the meta properties as keys? It isn't any different from what you already know. Take the following covering indexes for example:

CREATE INDEX idx_cas
ON `default` ( META().cas, META().expiration )

CREATE INDEX idx_exp
ON `default` ( META().expiration )

Now if I wanted to use the idx_cas and idx_exp indexes in a N1QL query, I could do something like the following:

SELECT META().id, META().cas
FROM default
WHERE META().cas > 1489531586248179712;

SELECT META().id, META().expiration
FROM default
WHERE META().expiration > NOW_MILLIS() / 1000;

Note that META().expiration is an absolute time in seconds since the Unix epoch (0 for documents that never expire), whereas NOW_MILLIS() returns milliseconds, hence the division in the second query.

So why would you want to index these properties? Well, what if you wanted to query for all documents that expire today, or all documents that were modified today?

For more information on the CAS and expiration properties, visit here.  For more information on indexing or using N1QL with Couchbase, check out the Couchbase Developer Portal.

The post N1QL Performance and Feature Enhancements in Couchbase 5.0 appeared first on The Couchbase Blog.

Categories: Companies

Ron Howard to paint a portrait of Picasso in 'Genius' season 2 - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 16:00
The 10-part National Geographic TV series will paint a portrait of the artist's turbulent life.
Categories: Blogs

Take a stroll through Bombardier's stretched CS300 jet - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 15:38
The largest passenger airliner from Canadian manufacturer Bombardier was on display at the Paris Air Show. Hop inside for a stroll down the aisle.
Categories: Blogs

Taylor Swift's streaming music just earned $400k in 12 days - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 15:36
Swift's music returned on June 8 to the streaming services she left in 2014, and it's already earned her nearly half a million dollars.
Categories: Blogs

Travis Kalanick resigns as Uber CEO to end the turmoil - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 15:35
Unrest behind the scenes finally comes to a head as big investors seek a big change. Kalanick says his resignation means "Uber can go back to building."
Categories: Blogs

For YouTube stars, breaking up is hard -- and epic -- to do - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 15:30
Online stars build millions of followers by opening up their lives, including relationships, to fans. But sometimes when the romance ends, a nightmare begins.
Categories: Blogs

Volvo promises 'world-beating' performance EVs under Polestar brand - Roadshow

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 15:03
Polestar has stepped out from under the shadow of its parent company.
Categories: Blogs

How Skytap Makes Production Environment Clones Easy to Use

In previous blog posts, we covered Jenga (our environment construction tool) and did a deep dive into how we use Jenga as a component in delivering fully functional clones of our production environment. We’re very ... Read More

The post How Skytap Makes Production Environment Clones Easy to Use appeared first on Skytap.

Categories: Companies

Why & How You Should Federate Your Business Apps Under Your Intranet

intranet business apps

With the high accessibility of digital work tools, the rise of low-maintenance cloud computing and the evolving work culture and digital nativeness of newer generations of workers, companies today find themselves dealing with an increase in the sheer number of work tools. Sales teams use CRMs, customer support teams rely on support ticket systems, finance…

The post Why & How You Should Federate Your Business Apps Under Your Intranet appeared first on Open Source Enterprise Social Platform | eXo Blog and News.

Categories: Companies

This software wants to protect millions of cars from hackers - Roadshow

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 14:31
A cyberdefense system that protects phones, printers and routers could soon help keep cars safe.
Categories: Blogs

eBay now guarantees its Deals offers are the cheapest online - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 14:00
With its new Price Match Guarantee program, the online seller promises the best prices on 50,000 daily discounts.
Categories: Blogs

New laws could erase your cringey teenage Facebook photos - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 13:53
The UK government has proposed new data protection legislation in today's Queen's speech.
Categories: Blogs

6 phones with the best battery life - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 13:01
If a long-life battery tops your list of phone needs, you can't do better than these. Did yours make the list?
Categories: Blogs

'Baby Driver': A 2-hour trailer as familiar as a favourite song - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 12:53
Music drives Edgar Wright's car chase caper to high-octane thrills but few surprises (spoiler-free review).
Categories: Blogs

Get behind the wheel of 'Baby Driver' - CNET

The Wisdom of Clouds - James Urquhart - Wed, 06/21/2017 - 12:50
Check out these behind the scenes pictures from Edgar Wright's tyre-squealing, music-fuelled car chase caper.
Categories: Blogs