Sunday 12 December 2010

JSch, SFTP and Zlib compression

JSch is a superb library which I recommend for your Java SSH work.  Unfortunately the documentation is not good: there's virtually nothing apart from the example programs in the distribution.  It sometimes takes a while to figure things out, so here's how I implemented an SFTP client with Zlib compression (disclaimer: exception handling/structure removed for clarity):
import com.jcraft.jsch.*;

JSch jsch = new JSch();

// configure to attempt zlib compression first, fallback to no compression if unsuccessful
java.util.Properties config = new java.util.Properties();
config.put("compression.s2c", "zlib,none");
config.put("compression.c2s", "zlib,none");
// skip host key verification (convenient for testing; jsch.setKnownHosts(...) with "yes" is the checked alternative)
config.put("StrictHostKeyChecking", "no");

Session session = jsch.getSession(sftpUserName, sftpIP, sftpPort);
session.setPassword(sftpPassword);
session.setConfig(config);
session.connect(CONNECTION_TIMEOUT);

// openChannel returns a generic Channel; cast to ChannelSftp once it is connected
Channel channel = session.openChannel("sftp");

channel.connect();
ChannelSftp c = (ChannelSftp) channel;

// do whatever required

channel.disconnect();

session.disconnect();
Do not forget to put JZlib in your classpath!

What if you'd rather use SSH key authentication (instead of, or as well as, a password)?  Put this just after the first line:
jsch.addIdentity("<path to private key file>", "passphrase");
PuTTYgen is a nice Windows tool for generating SSH key pairs.  It's likely you'll want to export in OpenSSH format (Conversions->Export OpenSSH key), but it will depend on the format your server is expecting.
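Putting the two halves of the post together, here is a complete client as an added example (my code, not the post's or the JSch project's). It combines the compression settings and the addIdentity() call above, but replaces "StrictHostKeyChecking" = "no" with a known_hosts check so a changed or unknown server key is refused. The host name, port, user, key paths and remote file names are placeholders; it assumes an OpenSSH-format private key (as exported from PuTTYgen) and an OpenSSH-style known_hosts file. "zlib@openssh.com" is the delayed-compression name modern OpenSSH servers advertise; plain "zlib" and "none" remain as fallbacks.

```java
import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;
import java.util.Properties;

public class SftpCompressedClient {

    private static final int CONNECTION_TIMEOUT_MS = 10000;

    // Connects with key authentication, a verified host key and zlib compression,
    // lists a remote directory and downloads one file. Resources are released in finally.
    public static void fetch(String host, int port, String user,
                             String privateKeyPath, String passphrase,
                             String knownHostsPath,
                             String remoteDir, String remoteFile, String localFile)
            throws JSchException, SftpException {
        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHostsPath);            // host keys we already trust
        jsch.addIdentity(privateKeyPath, passphrase);  // OpenSSH-format private key

        Properties config = new Properties();
        // try compression first, fall back to none if the server offers neither
        config.put("compression.s2c", "zlib@openssh.com,zlib,none");
        config.put("compression.c2s", "zlib@openssh.com,zlib,none");
        // refuse unknown or changed host keys instead of silently accepting them
        config.put("StrictHostKeyChecking", "yes");

        Session session = jsch.getSession(user, host, port);
        session.setConfig(config);
        session.connect(CONNECTION_TIMEOUT_MS);
        Channel channel = null;
        try {
            // log which key we actually verified against, useful when a server is re-keyed
            HostKey hk = session.getHostKey();
            System.out.println("Connected to " + host + " (" + hk.getType()
                               + " " + hk.getFingerPrint(jsch) + ")");

            // openChannel returns a generic Channel; cast once connected
            channel = session.openChannel("sftp");
            channel.connect();
            ChannelSftp sftp = (ChannelSftp) channel;

            sftp.cd(remoteDir);
            for (Object o : sftp.ls(".")) {           // raw Vector in older JSch releases
                ChannelSftp.LsEntry entry = (ChannelSftp.LsEntry) o;
                System.out.println(entry.getLongname());
            }
            sftp.get(remoteFile, localFile);
        } finally {
            if (channel != null) channel.disconnect();
            session.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // placeholder values; replace with your own server and paths
        fetch("sftp.example.org", 22, "deploy",
              "/home/me/.ssh/id_rsa", "passphrase",
              "/home/me/.ssh/known_hosts",
              "/uploads", "report.csv", "/tmp/report.csv");
    }
}
```

With StrictHostKeyChecking set to "yes" the first connection to a server whose key is not yet in known_hosts fails with a JSchException rather than prompting, so add the server's key to the file out of band (or from a first run with "ask") before deploying. JZlib must still be on the classpath for either compression name to negotiate.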

Monday 1 November 2010

Email Verification: DKIM and DomainKeys

How do you verify an email?  The from address can be easily spoofed and the contents could have been tampered with.  Well, there's a system that's been around for a few years now, and if you're a GMail or Yahoo! Mail user you may be surprised to learn that your emails are digitally signed and this signature can be used to validate the email contents and its sender.

Take a look in the headers of a received email (View->Headers->All or similar in your email client).  If you see one of the following:
DKIM-Signature
DomainKey-Signature
then your email has been digitally signed.  Note you won't necessarily see these headers if you send an email to yourself or receive it from within the same domain, as the mail server will often be configured not to add these headers for local mail.

DomainKeys was originally invented by Yahoo! to combat spam, but clearly DKIM and DomainKeys are useful wherever email authentication is desired.

How does it work?  Very simply, the body of the email message is canonicalised (formatted into a standard form) and any email headers of interest (such as the message-id, subject, date, to and from headers) are concatenated.  A hash of this text is taken and then signed with the private key to produce a digital signature of the email. This work is done by the ISP mail server (only they know the private key).  The matching public key is published in their DNS records (as a TXT record) and is used by the receiving mail client to authenticate the email.

This means you can verify both the contents and the sender of the email.  As the message body has been hashed, you can confirm the contents of the email have not been altered, but you cannot use the signature to, say, reconstruct the original contents of an email that has been tampered with.

I wrote a Java program to verify emails I'd previously been sent and that were stored in a PST.  I found the JPST library useful for manipulating PST files and Chilkat for DomainKey work.  More recently I've seen java-libpst but not had time to try it out yet.

I've found problems with PSTs and multipart messages - MS has a habit of reformatting a multipart email body and hence the DomainKey authentication can fail.

I've also had issues with anti-virus programs adding signatures to received email.  Either stop your virus checker doing this, run email authentication before the anti-virus or remove the anti-virus signature before email authentication.
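To make the sign-and-verify mechanism described above concrete, and to show why an appended anti-virus footer breaks verification, here is an added, deliberately simplified example (my code, not the author's program and not Chilkat or any library the post mentions). It follows the spirit of RFC 4871 with RSA-SHA256, relaxed header canonicalisation and simple body canonicalisation, but it is not a complete DKIM implementation: there is no DKIM-Signature header parsing and no DNS lookup, so the public key is passed in directly where a real verifier would fetch the domain's TXT record. The key pair, message and footer text are all constructed for the demo. The optional length limit stands in for DKIM's l= tag, which tells the verifier to hash only the first l bytes of the body so that text appended later is ignored.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified DKIM-style signing and verification (illustration, not RFC 4871 complete).
public class DkimDemo {

    // Relaxed header canonicalisation: lowercase field name, unfold and collapse
    // whitespace, trim. A header harmlessly re-wrapped by a relay then still verifies.
    static String canonHeader(String name, String value) {
        return name.toLowerCase() + ":" + value.trim().replaceAll("\\s+", " ") + "\r\n";
    }

    // Simple body canonicalisation: CRLF line endings, trailing empty lines removed,
    // exactly one CRLF at the end. Hash only the first 'limit' bytes when limit >= 0
    // (the DKIM l= tag), otherwise the whole canonical body.
    static byte[] bodyHash(String body, int limit) throws Exception {
        String b = body.replace("\r\n", "\n").replace("\n", "\r\n");
        while (b.endsWith("\r\n")) b = b.substring(0, b.length() - 2);
        byte[] raw = (b + "\r\n").getBytes(StandardCharsets.UTF_8);
        int n = (limit < 0 || limit > raw.length) ? raw.length : limit;
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(raw, 0, n);
        return md.digest();
    }

    // The data that is actually signed: the selected headers, then the body hash.
    static byte[] signedData(Map<String, String> headers, byte[] bh) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            sb.append(canonHeader(e.getKey(), e.getValue()));
        }
        sb.append("bh=").append(Base64.getEncoder().encodeToString(bh));
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    // Signing side: the sending mail server holds the private key.
    static String sign(Map<String, String> headers, String body, int limit,
                       PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signedData(headers, bodyHash(body, limit)));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Verifying side: in real DKIM the public key comes from the domain's DNS TXT record.
    static boolean verify(Map<String, String> headers, String body, int limit,
                          String sigB64, PublicKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(signedData(headers, bodyHash(body, limit)));
        return s.verify(Base64.getDecoder().decode(sigB64));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the domain's signing key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample message.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("From", "alice@example.org");
        headers.put("To", "bob@example.net");
        headers.put("Subject", "Invoice 42");
        headers.put("Date", "Mon, 01 Jan 2010 10:00:00 +0000");
        String body = "Please pay 100 EUR by Friday.\r\n";

        String sig = sign(headers, body, -1, kp.getPrivate());
        System.out.println("original verifies:         " + verify(headers, body, -1, sig, kp.getPublic()));

        // Changing the amount changes the body hash, so the signature no longer matches.
        String tampered = body.replace("100", "1000");
        System.out.println("tampered body verifies:    " + verify(headers, tampered, -1, sig, kp.getPublic()));

        // A relay re-folding a header is tolerated by relaxed header canonicalisation.
        Map<String, String> refolded = new LinkedHashMap<>(headers);
        refolded.put("Subject", "Invoice \r\n   42");
        System.out.println("re-folded header verifies: " + verify(refolded, body, -1, sig, kp.getPublic()));

        // An anti-virus gateway appending a footer has the same effect as tampering...
        String withFooter = body + "\r\n-- scanned by ExampleAV --\r\n";
        System.out.println("AV footer, no l= tag:      " + verify(headers, withFooter, -1, sig, kp.getPublic()));

        // ...unless the signer limited the hashed length to the original body (l= tag).
        int l = body.getBytes(StandardCharsets.UTF_8).length; // body is already canonical
        String sigL = sign(headers, body, l, kp.getPrivate());
        System.out.println("AV footer, with l= tag:    " + verify(headers, withFooter, l, sigL, kp.getPublic()));
    }
}
```

Run it and the first, third and fifth checks print true while the tampered body and the unlimited-length footer case print false. The l= tag is the signer's choice, not the verifier's, so a receiver cannot rescue a signature whose body has grown; that is why the practical options are to stop the scanner adding the footer, to verify before scanning, or to strip the footer first, as the post says. Note too that an l= limit weakens the guarantee, since anything appended after the signed prefix is unprotected.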
DomainKeys RFC4870
DKIM RFC4871