What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

SSL has been around for long enough you’d think that there would be agreed upon container formats. And you’re right, there are. Too many standards as it happens. In the end, all of these are different ways to encode Abstract Syntax Notation 1 (ASN.1) formatted data — which happens to be the format x509 certificates are defined in — in machine-readable ways.

  • .csr – This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.
  • .pem – Defined in RFC 1422 (part of a series from 1421 through 1424) this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.
  • .key – This is a (usually) PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.
  • .pkcs12 .pfx .p12 – Originally defined by RSA in the Public-Key Cryptography Standards (abbreviated PKCS), the “12” variant was originally enhanced by Microsoft, and later submitted as RFC 7292. This is a password-protected container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys: openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes

A few other formats that show up from time to time:

  • .der – A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like…
  • .cert .cer .crt – A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
  • .p7b .keystore – Defined in RFC 2315 as PKCS number 7, this is a format used by Windows for certificate interchange. Java understands these natively, and often uses .keystore as an extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.
  • .crl – A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.

In summary, there are four different ways to present certificates and their components:

  • PEM – Governed by RFCs, used preferentially by open-source software because it is text-based and therefore less prone to translation/transmission errors. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
  • PKCS7 – An open standard used by Java and supported by Windows. Does not contain private key material.
  • PKCS12 – A Microsoft private standard that was later defined in an RFC that provides enhanced security versus the plain-text PEM format. This can contain private key and certificate chain material. Its used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.
  • DER – The parent format of PEM. It’s useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used very much outside of Windows.

Reference

https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

What does –net=host option in Docker command really do?

After the docker installation you have 3 networks by default:

If you start a container by default it will be created inside the bridge (docker0) network.

$ docker run -d jenkins
1498e581cdba        jenkins             "/bin/tini -- /usr..."   3 minutes ago 

The –net=host option is used to make the programs inside the Docker container look like they are running on the host itself, from the perspective of the network. It allows the container greater network access than it can normally get.

Normally you have to forward ports from the host machine into a container, but when the containers share the host’s network, any network activity happens directly on the host machine – just as it would if the program was running locally on the host instead of inside a container.

While this does mean you no longer have to expose ports and map them to container ports, it means you have to edit your Dockerfiles to adjust the ports each container listens on, to avoid conflicts as you can’t have two containers operating on the same host port. However, the real reason for this option is for running apps that need network access that is difficult to forward through to a container at the port level.

For example, if you want to run a DHCP server then you need to be able to listen to broadcast traffic on the network, and extract the MAC address from the packet. This information is lost during the port forwarding process, so the only way to run a DHCP server inside Docker is to run the container as –net=host.

Generally speaking, –net=host is only needed when you are running programs with very specific, unusual network needs.

Lastly, from a security perspective, Docker containers can listen on many ports, even though they only advertise (expose) a single port. Normally this is fine as you only forward the single expected port, however if you use –net=host then you’ll get all the container’s ports listening on the host, even those that aren’t listed in the Dockerfile. This means you will need to check the container closely (especially if it’s not yours, e.g. an official one provided by a software project) to make sure you don’t inadvertently expose extra services on the machine.

Reference

https://stackoverflow.com/questions/43316376/what-does-net-host-option-in-docker-command-really-do

Adding Images in Azure DevOps Wiki

The wiki pages get created in their own Git repository and the image files are also added there. You can browse the repos from within DevOps at; https://dev.azure.com/MyOrganisation/MyProject/_git/MyProject.wiki

The markdown path for the image should begin /.attachments/ and make sure if you are adding dimension you use =500x and not =500 if you exclude the height e.g.

![MyImage.png](/.attachments/MyImage-98765432-abcd-1234-abcd-a1234567890b.png =500x)

For more info, click here.

Cognitive complexity theory with example

The cognitive complexity definition is how capable people perceive things in their world. It also describes the number of cognitive processes required to complete a task. Things that are complicated to perform have more processes involved than simple tasks.

Making a sandwich, for example, is a simpler task than writing a term paper. Many more cognitive processes are involved in writing the paper, such as using online resources, doing effective research, and writing within a specific style and tone. Cognitive complexity can also help individuals analyze situations more accurately by allowing them to see shades of nuance and meaning more clearly. The core determining factor in the complexity of an individual’s cognition is their life experience and education. Exposure to complex situations, either through life experience or education and training, allows individuals to form mental constructs.

Expounding upon this theory of what is cognitive complexity is the personal construct theory, which states that individuals interpret the world through mental constructs. These constructs serve as shortcuts, aiding individuals in quickly analyzing situations and tasks. For example, someone could color-code their notebooks to make it easy to identify which notebooks are for which subjects, rather than sifting through multiples of the same color notebook. Mental constructs make it easier to solve complex problems by breaking down parts of the problem-solving process into automatic processes.

Cognitive complexity is also used in computer programming to help software engineers describe units of code. Cognitive complexity, in this sense, is how difficult it is to understand a unit of code in a program. Some functions and classes are straightforward and are easy to understand, while there are those with multiple parts with several logic breaks and references to other files that make it difficult to follow. Complex code is generally more prone to bugs because there are more areas for things to go wrong when the program is being executed. It also makes it more challenging to write new code that interacts with the old complex code, making rework necessary to simplify the code.

Cognitive Complexity Example

Imagine that there is an individual who is learning how to cook and opens their new cookbook to a recipe they’ve been considering. The recipe calls for several ingredients that they’ve never heard of before. So, they must take the time out to research these ingredients, figure out what they are, and search for them at the store. They also discover that they do not have a pan big enough to cook the meal, so they must also purchase a new pan capable of doing so. Meanwhile, an accomplished chef is making the same recipe. However, because they have more experience, they already know what the recipe calls for and have the ingredients in stock. They also already have the correct pan. The first individual consults the recipe for every step, lengthening the prep and cooking process. The chef knows the recipe by heart, so they get the meal prepped and cooked more quickly. In this cognitive complexity example, the chef has more mental constructs available to them from experience with the dish, resulting in less time spent prepping and cooking. They also know what ingredients do what, so if the flavor is off, they know what to add while the inexperienced individual might not.

Cognitive Complexity Communication

Cognitive complexity in communication refers to the number of psychological constructs an individual might use to describe someone. These psychological constructs generally refer to personality traits, like “energetic” or “caring.” Those who are more perceptive of others tend to use more psychological constructs to describe people. These people have higher interpersonal cognitive complexity, allowing them to notice more details about a person than somebody with less skill. An average individual might describe someone as “friendly,” while the person with higher interpersonal cognitive complexity will notice that they are also giving and self-confident.

Uses of Cognitive Complexity Theory

As mentioned previously, cognitive complexity is a topic that is used in software development to describe how complex a given piece of code is. However, it is also used to design computers that think more as humans do. Computers process information through binary code, or ones and zeroes. They see the program to execute, and they do it. They do not pause for consideration or come up with creative solutions. So, software engineers and scientists are trying to develop ways in which a computer can think more like a human to solve more complex problems. These systems are called artificial intelligence. Artificial intelligence aims to develop computers capable of complex cognitive functions rather than simple functions like memory and perception. Teaching computers to see the nuances in different problems allows them to handle more complex situations in more optimal ways, rather than approaching a problem head-on in the most direct path.

In organizations, cognitive complexity refers to the ability of people to notice patterns in their organization so that they can optimize processes for efficiency. This capability requires seeing the organization in a broad sense and a specific one. Optimizing one part of an organization is a much simpler feat, where there are fewer variables to consider. Optimizing an entire organization requires the ability to see any potential bottlenecks, understand supply and demand, know market trends, and much more. If a company is underperforming, leaders need to be able to recognize why it is happening and come up with solutions to the problem. Cognitive complexity allows people to think outside the box and develop creative solutions.

Read more here