Wednesday, July 15, 2009

I'll be there

Jackson 5 - I'll Be There, Show 1972

Lyrics:

You and I must make a pact, we must bring salvation back
Where there is love, I'll be there

I'll reach out my hand to you, I'll have faith in all you do
Just call my name and I'll be there

I'll be there to comfort you,
Build my world of dreams around you, I'm so glad that I found you
I'll be there with a love that's strong
I'll be your strength, I'll keep holding on

Let me fill your heart with joy and laughter
Togetherness, well that's all I'm after
Whenever you need me, I'll be there
I'll be there to protect you, with an unselfish love that respects you
Just call my name and I'll be there

If you should ever find someone new, I know he'd better be good to you
'Cause if he doesn't, I'll be there
Don't you know, baby, yeah yeah
I'll be there, I'll be there, just call my name, I'll be there

(Just look over your shoulders, honey - oo)

I'll be there, I'll be there, whenever you need me, I'll be there
Don't you know, baby, yeah yeah

I'll be there, I'll be there, just call my name, I'll be there...

Will you be there

Artist: Michael Jackson (from the Dangerous album, 1991)

One of my favorite songs by him.

Lyrics:
Hold Me
Like The River Jordan
And I Will Then Say To Thee
You Are My Friend

Carry Me
Like You Are My Brother
Love Me Like A Mother
Would You Be There?

Weary
Tell Me Will You Hold Me
When Wrong, Will You Scold Me
When Lost Will You Find Me?

But They Told Me
A Man Should Be Faithful
And Walk When Not Able
And Fight Till The End
But I'm Only Human

Everyone's Taking Control Of Me
Seems That The World's
Got A Role For Me
I'm So Confused
Will You Show To Me
You'll Be There For Me
And Care Enough To Bear Me

(Hold Me) show me
(Lay Your Head Lowly)
told me
(Softly Then Boldly)
(Carry Me There)
I'm Only Human

(Lead Me)
hold me
(Love Me And Feed Me)
ye yeah
(Kiss Me And Free Me)
yeah
(I Will Feel Blessed)
I'm Only Human

(Carry)
Carry
(Carry Me Boldly)
Carry me
(Lift Me Up Slowly)
yeah
(Carry Me There)
I'm Only Human

(Save Me)
need me
(Heal Me And Bathe Me)
lift me up lift me up
(Softly You Say To Me)
(I Will Be There)
I Will Be There

(Lift Me)
i'm gonna care
(Lift Me Up Slowly)
(Carry Me Boldly)
yeah
(Show Me You Care)
Show Me You Care

(Hold Me)
whoooo
(Lay Your Head Lowly)
I get lonely sometimes
(Softly Then Boldly)
I get lonely
(Carry Me There)
yeah yeah carry me there
yeah yeah yeah
[Spoken]
In Our Darkest Hour
In My Deepest Despair
Will You Still Care?
Will You Be There?
In My Trials
And My Tribulations
Through Our Doubts
And Frustrations
In My Violence
In My Turbulence
Through My Fear
And My Confessions
In My Anguish And My Pain
Through My Joy And My Sorrow
In The Promise Of Another Tomorrow
I'll Never Let You Part
For You're Always In My Heart.


Smile

Artist: Michael Jackson, 1995 (originally from the 1936 Charlie Chaplin film Modern Times)

Lyrics:
Smile though your heart is aching
Smile even though it's breaking
When there are clouds in the sky, you'll get by
If you smile with your fear and sorrow
Smile and maybe tomorrow
You'll find that life is still worthwhile

If you just
Light up your face with gladness
Hide every trace of sadness
Although a tear may be ever so near
That's the time you must keep on trying
Smile, what's the use of crying?
You'll find that life is still worthwhile

If you just
Smile though your heart is aching
Smile even though it's breaking
When there are clouds in the sky, you'll get by
If you smile through your fear and sorrow
Smile and maybe tomorrow
You'll find that life is still worthwhile
If you just smile

That's the time you must keep on trying
Smile, what's the use of crying?
You'll find that life is still worthwhile
If you just smile


"A day without a laugh is a wasted day." ~Charles Chaplin


Tuesday, July 14, 2009

HMAC truncation vulnerability in XML signature

This blog post nicely explains the HMAC truncation security vulnerability in the XML digital signature specification. In short, the specification allows the signature to be truncated to any length. If this length is too small, an adversary can guess the correct truncated HMAC with high probability, hence the security vulnerability. Specifically, this leads to authentication bypass or forgery.

I am not sure if there exists any security proof about truncation (reduces to birthday attack?). Generally speaking, a smaller signature provides higher entropy and hence less information to the attacker. But at the same time, the attacker has to guess fewer bits. In any case, the truncation should not be less than 80 bits, since anything below this length is considered vulnerable to brute-force attacks given the current computational capabilities of adversaries. What if the truncated length is less than half of the length of the original MAC output? Then it is susceptible to birthday attacks.

Are you as an application developer vulnerable to this attack?
If you are using an XML digital signature library that lets you set an arbitrary truncation length, you'll need to enforce a minimum safe length depending on the algorithm you are using. The good news is that most of the libraries, including the XML security library, have already provided patches for this. If you are a library developer, you probably want to release a patch to users.
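The minimum-length check described above, as an added example that is not taken from the linked post or from any library: a verifier that trusts the document's `HMACOutputLength` beside one that enforces the two thresholds from the text (at least 80 bits, at least half the MAC output). The function names, key and `SignedInfo` bytes are constructed for illustration, and canonicalization is skipped.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm URI -> hash constructor (two HMAC identifiers used with XML signatures)
ALGS = {
    DSIG + "hmac-sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": hashlib.sha256,
}

def declared_bits(method_xml):
    """Return (hash constructor, HMACOutputLength in bits or None if absent)."""
    el = ET.fromstring(method_xml)
    node = el.find("{%s}HMACOutputLength" % DSIG)
    return ALGS[el.get("Algorithm")], (int(node.text) if node is not None else None)

def min_bits(hash_fn):
    # Policy from the text: never below 80 bits, never below half the MAC output.
    return max(80, hash_fn().digest_size * 8 // 2)

def verify_naive(key, signed_info, method_xml, tag):
    """'Before' behaviour: trusts whatever length the document declares."""
    hash_fn, bits = declared_bits(method_xml)
    full = hmac.new(key, signed_info, hash_fn).digest()
    n = len(full) if bits is None else bits // 8
    return hmac.compare_digest(full[:n], tag)

def verify_strict(key, signed_info, method_xml, tag):
    """Hardened: validate the declared length before comparing anything."""
    hash_fn, bits = declared_bits(method_xml)
    full = hmac.new(key, signed_info, hash_fn).digest()
    if bits is None:
        bits = len(full) * 8
    if bits % 8 or not (min_bits(hash_fn) <= bits <= len(full) * 8):
        return False
    return len(tag) == bits // 8 and hmac.compare_digest(full[:bits // 8], tag)

def method(alg, bits):
    # Builds a constructed SignatureMethod element for the demo.
    return ('<SignatureMethod xmlns="%s" Algorithm="%s">'
            '<HMACOutputLength>%d</HMACOutputLength></SignatureMethod>' % (DSIG, alg, bits))

if __name__ == "__main__":
    key, si = b"constructed-demo-key", b"<SignedInfo>constructed</SignedInfo>"
    tag = hmac.new(key, si, hashlib.sha1).digest()
    weak = method(DSIG + "hmac-sha1", 8)  # 8-bit tag: 1 in 256 chance per guess
    print(verify_naive(key, si, weak, tag[:1]), verify_strict(key, si, weak, tag[:1]))
```

The strict verifier applies the length policy to the value read from the document, so a sender cannot lower the bar by declaring a shorter output.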