FW: Image Unique Identifier

> -----Original Message-----
> From: Colin Putney [mailto:[hidden email]]
> Sent: Tuesday, August 22, 2006 4:45 PM
> To: [hidden email]; The general-purpose Squeak developers list
> Subject: Re: Image Unique Identifier
>
>
> On Aug 22, 2006, at 4:13 PM, Ron Teitelbaum wrote:
>
> > I need a unique image identifier.  Does anyone have any suggestions?
>
> Why not have a class that creates a UUID when the image comes up, and
> destroys it on shutdown? That would satisfy your requirements for
> uniqueness. If you need to be able to protect the identifier from
> modification by untrusted code in the image, it gets a lot harder.
> You might need a plugin for that.
>
> Colin

> -----Original Message-----
> From: [hidden email] [mailto:squeak-dev-
> [hidden email]] On Behalf Of Ramon Leon
> Sent: Tuesday, August 22, 2006 5:22 PM
> To: 'The general-purpose Squeak developers list'
> Subject: RE: Image Unique Identifier
>
> Speaking of UUID's, I have a need for something like a UUID, but shorter,
> more human readable.  I'd be fine with a UUID, but the biz folks don't
> like
> em.
>
> A buddy and I came up with the following...
>
> (String streamContents: [:string |
>     (MD5 hashMessage: UUID new)
>         do: [:each | string nextPutAll: (each printStringBase: 36)]])
> truncateTo: 16
>
> It does an MD5 hash on a GUID, then takes the base36 string of each
> resulting number, and chops the string to a length of 16.  I'm just
> guessing
> on the 16, might try it longer or shorter, hopefully shorter.  Was
> wondering
> if anyone had any comments about this, or an alternate approach?
>
>

> Hi Ramon,
>
> The thing to keep in mind about a UUID is that it is supposed
> to be unique.
> By hashing the UUID you will distribute the number more
> widely depending on the UUID implementation.  The beginning
> bytes of the UUID are supposed to be widely spread so I doubt
> that this makes much difference.  
>
> For example
>
> (1 to: 10) collect: [:i | UUID new]  I get:
> an UUID('48d374b0-b196-6a40-a15e-79a02a8dde89')
> an UUID('48eacb8f-4564-d84f-a456-2856c5226b97')
> an UUID('de67f9a4-4a42-cd44-bf79-8046366e6c9d')
> an UUID('59edd53d-eb69-164b-b7f6-5e63d6284d12')
> an UUID('fae32b90-49c8-ca46-a583-129e5a0fdc02')
> an UUID('cc760f65-1732-3647-b632-9087256a85f1')
> an UUID('6f23d070-a505-a240-addf-a749b02d6243')
> an UUID('a620fe16-4701-3d4a-9aee-0b549057d855')
> an UUID('154d299f-e2fe-3b42-bd3d-0fc4c3362db8')
> an UUID('0cc33014-4f35-6f4e-b9de-4a005a3ceb00'))
>
> Notice the first group of bytes are already well dispersed so
> there is no benefit to the MD5.

> -----Original Message-----
> From: [hidden email] [mailto:squeak-dev-
> [hidden email]] On Behalf Of Colin Putney
> Sent: Tuesday, August 22, 2006 5:52 PM
> To: [hidden email]
> Cc: 'The general-purpose Squeak developers list'
> Subject: Re: Image Unique Identifier
>
>
> On Aug 22, 2006, at 5:27 PM, Ron Teitelbaum wrote:
>
> > I was worried that someone would transfer my object to another
> > image before
> > it shut down with some distributed object framework; I wanted to
> > prevent
> > that by having the image access some data outside the image itself.  I
> > suppose that an external file containing a UUID would have the same
> > effect,
> > but would add to support problems.  It is a good thought.
>
> That's why I asked about trusted vs. untrusted code.
>
> It seems like there are 3 levels of paranoia here:
>
> Blasé: Do the simple thing, and if we find a situation where that
> causes problems, fix them.
>
> Cautious: Protect against accidentally transmitting the id by
> accident as might happen with code that blindly reflects over the
> entire system. Your remote string idea probably fits the bill here.
>
> Tinfoil Hat: Protect against malicious code in the image actively
> searching out and transmitting the id so as to defeat your security.
> Tough to do in Smalltalk.
>
> How paranoid are you?
>
> Colin

> From: Ramon Leon
> Sent: Tuesday, August 22, 2006 6:10 PM
>
> > Hi Ramon,
> >
> > The thing to keep in mind about a UUID is that it is supposed
> > to be unique.
> > By hashing the UUID you will distribute the number more
> > widely depending on the UUID implementation.  The beginning
> > bytes of the UUID are supposed to be widely spread so I doubt
> > that this makes much difference.
> >
> > For example
> >
> > (1 to: 10) collect: [:i | UUID new]  I get:
> > an UUID('48d374b0-b196-6a40-a15e-79a02a8dde89')
> > an UUID('48eacb8f-4564-d84f-a456-2856c5226b97')
> > an UUID('de67f9a4-4a42-cd44-bf79-8046366e6c9d')
> > an UUID('59edd53d-eb69-164b-b7f6-5e63d6284d12')
> > an UUID('fae32b90-49c8-ca46-a583-129e5a0fdc02')
> > an UUID('cc760f65-1732-3647-b632-9087256a85f1')
> > an UUID('6f23d070-a505-a240-addf-a749b02d6243')
> > an UUID('a620fe16-4701-3d4a-9aee-0b549057d855')
> > an UUID('154d299f-e2fe-3b42-bd3d-0fc4c3362db8')
> > an UUID('0cc33014-4f35-6f4e-b9de-4a005a3ceb00'))
> >
> > Notice the first group of bytes are already well dispersed so
> > there is no benefit to the MD5.
>
> Ah, yea we were hashing it in hopes that it'd lessen the impact of
> trimming
> it.  I wasn't aware it was already dispersed.
>
> >
> > Truncating to size 16 will remove some of the uniqueness of
> > the UUID.  Since some of the goal of UUID was to disperse the
> > values the likelihood of a truncated UUID overlapping goes up
> > as the number of objects increases but 16 bytes of 25 (which
> > is what you would get with base 36) is close to the
> > uniqueness you get with UUID.
> >
>
> Any idea how close?

>
> > But notice the following:
> >
> > A UUID new asInteger printStringBase: 36 returns a string
> > that is 25 bytes long for example:
> > 'BGI8YR7NBJJTUOWIBQJU7E5TA' and if you take the first 16 you
> > get only 16 bytes (one for each character).  But if you store
> > the UUID asInteger guess what?  The integer is only 16 bytes!
> >  So the right thing to do if you have a budget of 16 bytes is
> > to store the UUID as an integer instead of as a string!
>
> It's not about storage, I can store whatever I want, it's about a short
> string representation for human use.
>

> I understand the original implementation of UUID used information  
> from the
> computer but people said this was a bad thing since data created  
> from a
> computer could be traced back to that computer.  I don't see that  
> in this
> UUID and I'm not sure of our implementation.  If it is based on SHA  
> then the
> distribution should be very close to random meaning 3/5th's.  If it  
> is the
> old UUID where the distribution was wider on the beginning bits  
> then I'd say
> you have a larger amount of uniqueness in the first 16 of 25 bits,  
> although
> guaranteed uniqueness came from the computer id so who knows.

> -----Original Message-----
> From: Colin Putney [mailto:[hidden email]]
> Sent: Tuesday, August 22, 2006 7:24 PM
> To: [hidden email]; The general-purpose Squeak developers list
> Subject: Re: Image Unique Identifier
>
>
> On Aug 22, 2006, at 6:51 PM, Ron Teitelbaum wrote:
>
> > Hey Colin,
> >
> > Get out the tinfoil.
> >
> > The unique id is part of a key that protects security
> > certificates.  If the
> > image is shut down, or is copied to another machine, we don't want
> > that
> > image to have someone else certificate information.  Right now the
> > data is
> > encrypted in memory so that there is no leakage of information from
> > the
> > running image.  I generate a key to protect the data, but that key
> > currently
> > lives on the certificate object.  That means that if the
> > certificate object
> > were to be transferred to another machine they could use your
> > certificate.
> > I want to make sure that doesn't happen, or to make sure that it
> > would be
> > extremely difficult or impossible even for me (the guy writing to
> > the code)
> > to get the information to work outside of the image that imported
> > it (and
> > therefore had rights to the certificate in the first place).
>
> I should have known better than to ask a crypto guy how paranoid he
> is. Sorry. Let me try again.
>
> I was trying to ask where you want the boundary of trust to be.
> Clearly you have to trust the crypto code. You probably also have to
> trust the code it relies on. So lets say you have good test suite,
> and you can use Spoon to strip out all the code that SSL doesn't
> depend on. This, then, is what you *must* trust. Do a formal code
> review if you have to, but you can't run the crypto code without it.
>
> But SSL by its self isn't useful for much. So I've got to be able to
> load other code into the image - a web server, say, or a mail
> program. The question is, do you want to implement this id in such a
> way that you don't have to trust that code?
>
> So the three levels of trust I mentioned before would be:
>
> 1) just trust all the code in the image, anything else is impractical
>
> 2) trust the code not to reveal the id on purpose, but try to protect
> against accidents
>
> 3) don't trust the code
>
> Colin

> -----Original Message-----
> From: [hidden email] [mailto:squeak-dev-
> [hidden email]] On Behalf Of Craig Latta
> Sent: Tuesday, August 22, 2006 7:32 PM
> To: [hidden email]
> Subject: re: Image Unique Identifier
>
>
> Hi Ron--
>
>      For what it's worth, there are random-number servers on the net. I
> like randomnumbers.org, since it uses a quantum process (photons through
> a semi-transmissive mirror). Or you could buy the PCI card they use[1]
> and run such a server yourself.
>
>
> -C
>
> [1] http://www.idquantique.com/products/quantis.htm
>
> --
> Craig Latta
> http://netjam.org/resume
>
>
>

>
> Having worked for supersecurity-hyperparanoid www.nato.int in their  
> data centres for some years, I think that I have some background  
> knowledge which can protect that key inside the image.
>
> The short story is, to not have the key passed to the image (i.e.  
> during startup) and to not generate the key within the image (i.e.  
> between startup and shutdown and/or snapshot).
>
> The protection mechanism is to not allow to take a copy of the  
> running executable (means: VM) and also to not swap the executable  
> out of real (chip) memory, that means: the executable is never  
> written back onto disk again. Buy a B5000 (or a modern successor)  
> and its hardware and OS already does that for you ;-)

> -----Original Message-----
> From: [hidden email] [mailto:squeak-dev-
> [hidden email]] On Behalf Of Klaus D. Witzel
> Sent: Wednesday, August 23, 2006 3:14 AM
> To: [hidden email]
> Subject: Re: Image Unique Identifier
>
> Hi Ron,
>
> on Wed, 23 Aug 2006 02:26:06 +0200, you wrote:
>
> > The major issue for me is not finding a random key, I'm ok with that, my
> > worry is how to protect that key inside the image, or how to append
> image
> > instance information to that key so that only the running image can
> > retrieve information encrypted with that key.
>
> Having worked for supersecurity-hyperparanoid www.nato.int in their data
> centres for some years, I think that I have some background knowledge
> which can protect that key inside the image.
>
> The short story is, to not have the key passed to the image (i.e. during
> startup) and to not generate the key within the image (i.e. between
> startup and shutdown and/or snapshot).
>
> The protection mechanism is to not allow to take a copy of the running
> executable (means: VM) and also to not swap the executable out of real
> (chip) memory, that means: the executable is never written back onto disk
> again. Buy a B5000 (or a modern successor) and its hardware and OS already
> does that for you ;-)
>
> The get-it-going is to have some party (like the Squeak host OS) to
> implant a (new, unique) key, at the time it loads the VM's executable,
> into the (chip) memory of the loaded executable (you can patch linux for
> that, or else [again] go buy a B5000 ;-). So the key was not on disk in
> the past and will not be on disk in the future. The key can be accessed
> only by calling the VM and the VM will automagically destroy it when
> unwinding the process' expression stack (and when returning to a calling
> method, which is the more frequent case). Lots of details skipped here for
> the sake of brevity (like: the oop of the key cannot be stored in a
> non-context object).
>
> If the part which implants the key in the executable is too heavy a
> change, have the VM generate a key during startup. Of course this is
> weaker than the above (all other details skipped here).
>
> No other change is necessary. You're even free to deploy the compiler, no
> problem (perhaps except when you discuss that with paranoids ;-)
>
> > Basically I'm afraid of Spoon!  If you can copy my objects and move
> them,
> > then I need to protect against that by making sure decryption is
> > dependent
> > on something unique to the instance of the running image.
>
> This is the easier part: when doing any form of i/o (for example:
> networking, display, file r/w) the VM just has to guarantee that the key
> is not on the expression stack. This implies that the key is currently not
> in the image. Done.
>
> /Klaus
>
> > Ron
>
>

> -----Original Message-----
> From: [hidden email] [mailto:squeak-dev-
> [hidden email]] On Behalf Of Lex Spoon
> Sent: Wednesday, August 23, 2006 6:56 PM
> To: [hidden email]
> Subject: Re: FW: Image Unique Identifier
>
> "Ron Teitelbaum" <[hidden email]> writes:
> > I need a unique image identifier.  Does anyone have any suggestions?
> >
> > The identifier must be unique so that if someone copies an image to
> another
> > machine I get a new id.  It must also be unique by instance, so that if
> two
> > images or the same image is launched multiple times I should get unique
> > identifiers.   The id should be local and non transferable plus it
> should
> > never persist, since I would like to use this id to prevent movement
> between
> > images of objects like in spoon, magma, glorp, squeakELib, croquet, or
> any
> > other distributed objects scheme.
>
>
> UUID's are a sort of perpetual motion machine for computer science.
> They are nice to have, but none of them work, despite the large number
> of designs that are tantalizingly close.  It is better to talk about
> plain old identifiers, ID's.  They are never universally unique, so
> the first U should go; they are always *somewhat* unique, and so the
> second U is redundent.  It's just about identifiers.
>
> The "universally" part seems possible for some people, so let me dwell
> on it a minute.  One problem is, if you have no restrictions on the
> execution environment, then you can have no grounds for ensuring
> uniqueness, either.  Anything that you might be using for uniqueness,
> might get duplicated if people are running your code on a virtual
> machine such as VMWare.
>
> To address just one example, consider using a random number generator
> from the network.  First, you can never really know that two images
> are really calling the same generator server.  The Internet is a
> mysterious thing when you factor in firewalls, caches, and emulation.
> Further, if you somehow do know you are calling the same server, why
> not save yourself the headaches and have the server hand out plain old
> sequential ID numbers?
>
>
> Okay, enough bashing of UUID's.  For your problem, here are two
> possible avenues for (non-universally unique) ID's to use.
>
> 1. An IP plus a process ID (which might be an IP port number) plus an
> image-wide unique number.  Such an ID is unique relative to a
> particular IP network, but of course can be duplicated--just think
> about all the computers in the world with address 192.168.1.1.
>
> 2. You might want to use something like http URL's, with a hostname
> and a list of strings as the identifier.
>
>
> These are just ideas, though.  In the end, you need to spend some time
> thinking about the more specific problem.  Internet email's
> Message-ID's are a farce, but POP's UIDL's are simple and work.  The
> difference is that Message-ID's pretended to be universally unique,
> while UIDL's are only unique relative to a particular mail server.
>
> -Lex
>
>
>