Home
May, 2008 - Live Mesh - Site Home - MSDN Blogs

May, 2008

Live Mesh

Here, There, Everywhere...

  • Live Mesh

    Behind Live Mesh: Authorization and encryption

    • 20 Comments

    Hi, I am Nikolai Smolyanskiy, a developer on the Accounts team. I work on the Account service that takes care of account management, and user/device authentication and authorization in Live Mesh.

    There were many questions asked by early adopters about how their data is transmitted and stored in Live Mesh, and how access is controlled. In this post I’ll talk about the security and authorization architecture behind Live Mesh, so that you understand the amount of care we take and feel better about trusting your data to the Mesh. This post can also be found here.

    Here is the diagram that illustrates all communications between user devices and Live Mesh cloud services and encryption/security mechanisms used in these communication channels:

    meshauth

    Live Mesh security is rooted at the authentication provider (Windows Live ID, aka Microsoft Passport is our provider today) which is used for initial user and device authentication. Once a user or a device is authenticated and a corresponding authentication token is obtained, the Live Mesh client passes this token to the Live Mesh Account service to access the root of the user’s mesh and to get the initial set of Live Mesh tickets. These tickets are used for further Mesh operations on other resources that this root is pointing to. All communications with the Live Mesh cloud services are done via HTTPS / SSL, so 3rd parties cannot intercept and read client-server communication.

    All user (or device) related resources in Live Mesh are organized in a RESTful manner, i.e. they form a graph where each node is identified by a unique URL and represents a given resource. Nodes contain resource metadata and links to other resources. Mesh operations are essentially CRUD operations on the nodes of the user tree or nodes of other user trees if those users shared any data. Live Mesh cloud services check access rights in each operation by inspecting passed tickets and authorizing access only if a correct set of tickets is passed. Tickets can be obtained from the Account service or from responses to previous cloud operations.

    Live Mesh authorization tickets are standard SAML tickets. They are digitally signed with the Live Mesh private key to prevent spoofing and they expire after a limited lifetime. Some tickets are used to just authenticate users or devices, other tickets contain authorization information about user/device rights. Cloud services inspect each resource request and authorize access only if it contains valid tickets (correctly signed and not expired) and these tickets specify that the requestor indeed has access to the requested resource. For example, a device X can initiate P2P data synchronization with device Y only if it presents a ticket that is correctly signed by Live Mesh and contains a record saying that both device X and Y are claimed by the same user OR if it contains a record saying that X and Y have the same Live Mesh Folder mapped on them (in the case that the devices are claimed by different users that are members of this Live Mesh Folder). Tickets are passed to the cloud services in the Authorization header using HTTPS to prevent replay attacks.

    Each device in Live Mesh (computers, PDAs, mobile phones) has a unique private key that is generated during Live Mesh installation and used to authenticate the device in P2P communications with other devices. When a P2P communication is being established between two devices, they first use asymmetric encryption (RSA algorithm) to exchange encryption keys and then use symmetric encryption (AES with 128 bit key) to transfer data/files over TCP/IP. The RSA exchange guards against leaking symmetric encryption keys. AES encryption protects actual data from prying eyes. Live Mesh also uses a keyed message authentication code (HMAC) to verify the integrity of the data exchanged on a P2P channel.

    If there is no direct connection between two devices (for example, if one device is behind a firewall), then the cloud communication relay located in the Microsoft data center is used to forward data packets from one device to another. All the traffic is encrypted in the same way as in the case with direct P2P link, i.e. first keys are exchanged with RSA and then traffic is encrypted with AES. The cloud relay cannot decrypt/read user data, since encryption keys are exchanged with the use of asymmetric encryption (RSA).

    Live Mesh cloud services help devices find each other and establish communications. They cannot read synchronized user data/files relayed through the cloud, except for the case when user files are synchronized with the cloud storage (i.e. Live Desktop). At the moment, the limited Tech Preview of Live Mesh synchronizes your files not only between your devices, but also with your cloud storage (which you can access via Live Desktop) until you reach your storage quota (5GB as of today). So your files and metadata that describes them are stored in the Microsoft datacenter. They are protected by strong access control mechanisms, but the data is not stored in encrypted form. After the storage quota has been reached, all files are synchronized only P2P and not stored in the cloud (only metadata is stored in the datacenter). In the future, Live Mesh will allow users to selectively choose which files or Live Mesh Folders they want to synchronize with the cloud. If you choose to synchronize your data/files between your devices only, Live Mesh will not store your files in the cloud and will only store metadata that lets the service to operate.

    Technorati Tags:
  • Live Mesh

    Service update: New build released

    • 20 Comments

    We've been listening to your feedback here and on the forum, and made a number of bug fixes and changes to better suit you. The update will be published later today. You may notice a slowdown in service or some display issues (missing icons, folders slow or not synchronizing) while the servers update. If you are still seeing these problems after the 20th, please report them!

    To install the new version

    · Use Live Mesh! New updates will automatically apply when you log in.

    Tell us what you think

    · Read and participate in the forums for current discussions about fixes, problems, and ways people are incorporating Live Mesh into their daily routines.

    Invite your friends and family

    · Share a folder with your family or friends so they can experience Live Mesh, too.

    What we fixed

    News

    · News not appearing until a second person has logged in.

    Language settings

    · Fixed date format and removed region requirement. You still need to set your OS language to English.

    · User names with non-US-ASCIIcharacters are now supported.

    Notifier

    · Fixed device appearing offline in the notifier but showing online on your Live Desktop.

    · Fixed synchronization failure when the network is unavailable.

    Explorer

    · Fixed the Windows Explorer crash when folders were closed

    · Fixed the Windows XP “Roaming Desktop Icons” issue with Live Mesh Remote Desktop.

    · Fixed the mesh bar not always opening when you open a Live Mesh folder

    Live Desktop

    · Fixed the “I’m interested in” in your Windows Live ID profile to be correctly viewed. No longer will you be “searching for love and romance” when you really wanted “Enterprise Networking.”

    Live Mesh

    · Fixed logs not being collected when your Windows XP login name has a space in it

    · Fixed SilverLight version error with the Beta release

    · Fixed SilverLight Play and Pause buttons being swapped around

    · Fixed login names with a single character domain (livemesh @ m.com) not working correctly

    Thank you for your time and participation!

    Technorati Tags:
  • Live Mesh

    Service update: email invitation outage

    • 0 Comments

    Yesterday (May 12th) we experienced an email service outage from approximately 12:30pm to 8:00pm PST.  If you invited anyone to share a folder during this time, they likely did not receive the invitation email.  We don't yet have support for re-sending an invitation, so for now the best option is to remove any impacted users and then re-invite them.

    To re-invite a user:

    1. Delete the pending invitation
      1. Sign in to Live Mesh at http://www.mesh.com
      2. Click on the Desktop button to view the Live Desktop
      3. Locate your folder on the Live Desktop and double click it
      4. On the right hand side of the folder view you will see the Live Mesh bar, click on Members at the bottom of the bar
      5. Confirm that the person you invited is still listed as being in the Pending state
      6. Click on Edit
      7. Select the person and then click Remove
      8. Now click OK
    2. Re-invite the member
      1. While still in the Live Desktop view of the folder that you want to invite the member to, click on Add
      2. Type the email address of the person you would like to invite to the folder
      3. Click OK

    Thank you for your understanding and for participating in the Live Mesh Tech Preview to help us make a better product.

    Technorati Tags:
  • Live Mesh

    Behind Live Mesh: What is MOE?

    • 20 Comments

    Howdy!  This is Richard Chung, a client developer for Live Mesh. You can find me blogging sporadically as DevDuck over on red hot place.  I was one of the first developers on the Live Mesh team—I’ve been working on this stuff for over 2 years now and have been itching to talk about it!

    By now, you’ve read all about Live Mesh.  Hopefully, some of it makes sense to you—you might even be able to envision how it can dramatically change the way you manage data across your devices, share and interact with your friends and family, and collaborate with peers or partners!  If not, that’s ok.  The whole concept of Live Mesh will become clearer in the months ahead, especially as more  applications and experiences are created on top of the platform.

    Software + Services

    When you were first introduced to Live Mesh, you probably played with the Live Desktop.  It’s pretty snazzy.  Maybe you even uploaded a few files too.  Hey, it’s a cool service!  You can store stuff in a cloud somewhere and access it anywhere using a webpage.  Great!

    As I look at the statistics on the service though, I notice that a significant portion of our users have stopped here.  This pains me, as there’s a whole lot more you can do with Live Mesh.  Didn’t you hear all the hoopla about Software + Services?  Ever wonder, “Where’s the software?”

    You might have noticed that on the device ring there’s a big orange button with a white ‘+’ sign.  The magic happens when you click that big orange button and opt to “add a device” to your mesh.  Click “Install” and you’ll download and install a very small program onto your machine.  Once set up, you may notice a process called MOE.exe running on your computer.  What exactly is MOE?

    MOE: Mesh Operating Environment

    MOE is an acronym for the “Mesh Operating Environment.”  MOE is a service composition runtime that provides a unified view of all Live Mesh services and a simple way for applications to interact with Live Mesh.  MOE is everywhere—it’s on all devices in your mesh (as “client MOE”), and it’s in the cloud (“cloud MOE”).  The two are quite similar; they provide a symmetrical and consistent programming model between client and cloud.  If you’re a developer, you’ll be able to take advantage of these flexible points of entry  to Live Mesh in the way that’s most natural for you.

    That’s a lot to digest.  I won’t go into the developer story today; you’ll see more of that in the months ahead.  For the purposes of this post, I’ll only focus on client MOE.  Client MOE is at the heart of every device connected to your mesh, be it your PC or Mac or mobile.

    The goals for client MOE are simple.  Here are some of them:

    · To allow seamless access to a user’s mesh and all the data in it;

    · To abstract away common functionality, like synchronization protocols;

    · To allow existing applications to participate in a user’s mesh, by optionally leveraging the local file system;

    · To provide a seamless online/offline experience (also known as “occasionally connected”) by synchronizing and caching metadata from the cloud;

    · To update seamlessly, providing new features and fixes in the platform; and

    · To use minimal system resources, running in the background all the time.

    You’ll notice that the idea of “seamlessness” really runs through these tenets.  Obviously, since what we just released is a “Tech Preview,” we have only just started towards achieving these goals today.  Rest assured that we will get better!

    Let me elaborate on a couple of these points.

    Online vs. Offline

    In today’s world, many applications just don’t work if they’re not connected to the Internet.  It’s much easier to write programs that assume connectivity to a service, than not.  But why should it be so hard?  MOE abstracts all this behavior for you.  It caches the metadata that’s in your mesh and automatically synchronizes it, so that talking to MOE is essentially like talking to the cloud.  And talking to MOE will always work, regardless of whether or not you have Internet connectivity.  MOE will do the heavy lifting for you by synchronizing changes you’ve made locally, whether you are online or offline, with your mesh (when you have internet connectivity).

    Today’s Applications

    As high as our hopes are for Live Mesh, we realize that there isn’t anything today that fully showcases the true power and potential of the mesh yet.  This is one of the reasons we’ve built simple file synchronization capability as a rich experience on top of MOE.  This way, any existing application that writes files to disk (virtually all applications) will suddenly be able to leverage Live Mesh, without *any* changes to the application.

    For example, say you use Windows Live Writer to collaboratively write blog posts, but it often takes several iterations before posting.  You can now save your blog drafts into a Live Mesh folder, and suddenly those drafts are everywhere—on each of your devices and those with whom you share the folder.  An idea for a post pops into your head on the bus ride to work?  Start a post on the bus, add content to it at work, have others read it over and revise it on their own devices, add your final touches, and post at home that very evening!  All without even thinking about e-mailing attachments back and forth.

    Working on Live Mesh

    I’ve been working on Live Mesh for over two years now.  Prior to this I was a developer on the Windows Live Messenger service.  When I first started on Live Mesh, I thought it would be a piece of cake.  After working on huge scalable services that support millions of users, how hard could writing a little lightweight client be?  It turns out that it’s quite hard.  Synchronization may appear to be an easy problem (and in fact, there are a ton of apps out there that do simple file sync already), but it’s actually really tough to solve it in a *generic* fashion so that other applications can be built on top of it.  That’s what we’ve strived for.  (We’ll have a future post on how Live Mesh uses FeedSync underneath the covers, and what types of extensibility and other advantages that provides.  Stay tuned!)

    Here, There, Everywhere

    Live Mesh is about to become your new best friend.  The one you can’t live without and is always in the background to take care of things for you.

    So what are you waiting for?  Download and install Live Mesh on all your devices today!  You’re missing out if you don’t.  And be sure to give us feedback and report any issues you see!

     

    Technorati Tags:
  • Live Mesh

    Blogs from the team

    • 3 Comments

    Several members of our team have begun posting about Live Mesh on their own personal blogs -- if you're looking for more perspective on Live Mesh, or to learn more about the team, here are a few pointers, with tantalizing excerpts!

     

    Mike Zintel (Product Unit Manager, Mesh and Storage Platform): Why Sync?

    For several decades after the invention of the computer, the dominant constraint was processor cost. While mainframes had, in relative terms, impressive storage and local I/O capacity, they were primarily designed to do useful work on every clock cycle. Indeed the humans who were running around mounting and unmounting tapes according to instructions in a job control stream were trying to keep the processor from ever executing a single very expensive NOP.

    It was very Tron. [...]

    It’s tempting to assume that web client server wins everything. But I don’t think so.

    I love the web. I’m using it now. But I still spend more time using Windows applications. At the moment I’m listening to very high quality glitch free music being streamed from my hard drive, through an iTunes client and into my headphones. I have a few folders open where I did some photo editing with Photoshop earlier today. I’m using Office to author this blog and enjoying best in class spelling and grammar checking. Messenger is open. I routinely use Premier, Lightroom, Dreamweaver, Nero, and various scanning programs.

    The industry’s newest, coolest, ease of use standard setting, cleverest mobile browser ever powered device, the iPhone, has a local application for text messaging, calendar, photo album, camera, YouTube, stocks, maps, weather, clock, calculator, notes, mail, music, the phone itself and of course, the shell. The reason for this is that local applications can have experiences that are highly tuned to the device capabilities and the preferences of the customers using them.

    Of course what is really happening it that the industry is moving toward the best of both worlds. Many of the local applications I describe above are invisibility connected to the web. This is nature of what we’ve been calling Software + Services.

     

    Roman Batoukov (Software Development Engineer): What's in your mesh?

    There are multiple perspectives to look at Live Mesh. [...]  First, I view the Mesh as a collaboration tool between individuals. [...]

    Second, I view the Mesh as a set of Devices people own or use. [...]

    Every time you add Device to a mesh, you create a new sync endpoint. You can then chose what subset of your data  you want to sync with the particular device by mapping Mesh Objects (such as Live folders) to the device.

     

    Archishmat Gore (Software Development Engineer): Live Mesh! - the appeal to a guy like me

    [...] that is what Mesh is at heart - the few guiding principles around which software and services were built. Rather than focus on "What will this service do to keep it extensible?", the Mesh team focused on "How can we represent anything and everything so that anyone can read it anywhere in the world?". The subtle difference here is the pivot point - for some, the pivot is the service, it is the hard absolute that cannot change. Everything else must be written around it to accommodate it somehow. Mesh has universally-readable data representation as it's pivot - services and software were written around it. To put it another way, the software+services implementations are a natural consequence of the design, rather than interoperability being the consequence of the implementations. Enough abstract philosophy, let's look at how these principles rendered themselves in practice

    Technorati Tags:
  • Live Mesh

    Behind Live Mesh: Live Desktop architecture

    • 12 Comments

    As the unveiling of Live Mesh is a tech preview of the platform, similarly the Live Desktop release is only a glimpse into what will be available via the web portal. The promise is a rich cross-browser web experience that requires no installations, but will offer an enhanced look-and-feel if plugins are installed. I'd like to take a moment to describe the architecture of this Live Mesh platform experience and illustrate how the design will enable it to grow into a much richer experience. Let me warn you that this is intended to be a detailed developer-focused post. The key architectural features are the generic presentation framework; Live Mesh communication layer; Live Desktop windowing system; and C# to JavaScript compilation with Script#.

    The generic presentation framework can be easily reused and extended to rapidly create performant data-driven applications. Its design resembles that of Windows Presentation Foundation in that there exist two clearly separated trees, one logical and one visual. In addition to being a natural separation for JavaScript and HTML, this has made code reuse and the addition of new features significantly faster and more seamless as logical controls can be customized with different styles for different UI components. The notable base classes in the logical tree are the UIElement and UIGroup.

    The UIElement is the base class and has a one-to-one relationship with a DOM Element, handles input events, supports command routing, and participates in databinding. The UIElement performs memory management by removing its associated visual element from the DOM and detaching its event listeners when disposed. Command routing offers a convenient way of bubbling events through the logical tree to notify parent containers that an event has occurred. Databinding offers a very flexible way to present data as a UIElement may listen for specific property change events and update its associated visual element when these occur. In our framework, Binding objects are reusable and are composed of a source data property, a target UIElement, and a Converter which contains the logic for rendering data.

    The UIGroup is a collection of UIElements and is the base class of all elements that participate in the rendering pass by the layout host. For expensive rendering events that involve more than small DOM manipulations, the UI Group will be added to the queue of items to be rendered and then its OnRender method will be called to perform the visual changes. It is worth mentioning the ItemsControl, which derives from UIGroup and represents a collection of data. The ItemsControl is instantiated with a shared visual template that is applied to render each item.

    The visual styles are defined in resource dictionaries, which are reusable html string snippets sent down in JavaScript files. DOM elements are instantiated from these strings, keyed by id. This offers performance benefits as each snippet is sent over the wire exactly once and cached by the browser.

    Let's look at a short example of how this framework is used to render the Icon View of files within a folder explorer on the Live Desktop. The files are represented by a ListBox, which derives from ItemsControl and extends it by maintaining a selected item. The style for the visual template for each item is defined in the resource dictionary as:

     

    <div id=""$spaceIconItem""> 
        <img id=""iconItemImg"" /> 
        <div id=""folderViewNameCellLabel""></div> 
    </div>

     

    The image represents an icon specific to mime type and the label represents the name of that file. When the visual template is executed to render an individual item, it sets up databinding for each of these DOM Elements:

    image.SetBinding( 
       "Src",  CommonBindings.MimeTypeToMediumIconOneTimeOneWay); 
    label.SetBinding( 
       "Text", CommonBindings.NameOneWay);

     

    The image source databinding will be executed only once, and will set the src property of the img to be that of the appropriate icon url. The label text will be updated whenever the name of the file changes and will modify the InnerText of the div. The ListBox will be added to the rendering queue of the layout host whenever the collection of files changes, for example by navigating into a new folder, and will instantiate each of its DOM children by invoking the above visual template.

    For completeness in discussing the presentation framework, it is important to note that each collection of data in memory is stored in an ObservableCollection, which maintains a list of items and fires unique change events when items are added, items are removed, or the entire collection changes. This enables an ItemsControl to intelligently decide whether to render an individual data item or the entire collection.

    The Live Mesh communication layer updates the ObservableCollections by performing incremental data requests on corresponding data feeds on a recurring interval. This layer also performs the http operations that result from user actions. It maintains a queue of operations and associated callbacks. It understands the Live Mesh cloud API and provides a layer of abstraction between app-specific transactions and the semantics of the Live Mesh platform.

    With all of the above infrastructure in place, it was straightforward to build a windowing system into the Live Desktop. The list of windows is maintained as an ObservableCollection. There are three different templates applied to render each window depending on whether it is in the taskbar, on the desktop, or in the window toggle control (shift+tab to see this view). Activating a window simply means setting the ActiveWindow property true, as the css class of the DOM Element is bound to that property. Opening or closing a window will fire a granular change event from the ObservableCollection that the ItemsControl listens for and will respond to by adding or removing the individual item from view.

    The architectural complexity and heavy usage of inheritance described above were greatly facilitated by Script#, a C# to JavaScript compiler developed by Nikhil Kothari. The strong IDE support from Visual Studio and compile-time syntax checking that this offers have been crucial as the Live Desktop codebase has grown.

    What all this means is that the foundation has been laid to add many more exciting features to your Live Desktop. When you view it today, you should see a visually appealing view of a desktop that works well cross-browser, performs responsively once loaded (and will soon load faster), and enables you to traverse your cloud. You might also think to yourself "I wish I could upload more than one file at once" or "I wish this SilverLight media view wasn't one-size fits all and only worked on a subset of my data". The good news is that these features and many more are planned and that the Live Desktop architecture will facilitate adding these new components rapidly. While we have a clear set of features that we think will make this offering more compelling, we are eager to hear ideas from you.

    - Alex Himel, developer for Live Desktop

    Technorati Tags:
  • Live Mesh

    Live Mesh service upgrade

    • 1 Comments

    We started deploying an update a few hours ago which is causing some temporary website issues. You might notice icons or buttons missing when visiting http://www.mesh.com or accessing your Live Desktop. These issues will disappear as soon as we’ve completed the servicing process.

    If you were using Live Mesh between 12:30pm PST and 2:30 pm PST time and are experiencing these issues, deleting your temporary internet files should fix things back up. Here's how to do that using Internet Explorer and Firefox.

    Today’s update includes:

    · Performance and reliability fixes based on Tech Preview customer feedback.

    · Fixes to the Live Desktop Silverlight player to address common customer reported errors.

    If you are still experiencing issues, please report them to the Live Mesh Forum and we will investigate shortly.

    Thank you for your participation and feedback,

    The Live Mesh Team

     [Update 6:15pm PST: the upgrade has completed]

Page 1 of 1 (7 items)