Security Theory : security is a road and not a destination. It is an ongoing cycle of Reacting, Deterring, Predicting, and Preventing Security Breaches.
Low level cryptographic primitives (building blocks) include DES, 3DES, AES.
You put together these building blocks to build higher level protocols like Digital Signatures, Certificates,
One Time Pad: When you can use a key only once. (throwaway key - offers perfect secrecy)
Block Ciphers : Take input in blocks (64 bit/128 bit). DES, 3DES, AES. (Reveals patterns in the ciphertext)
Stream Cipher: Encrypts one bit or byte at a time. (RC4 is an example and it uses modular arithmetic.) RC4 is 10X faster than DES.
Public Key PRIMITIVES (Asymmetric Encryption Techniques): Diffie Hellman, DSS, RSA
Higher Level Protocols using Public Key Primitives : GPG, PGP, IKE, SSL, TLS, SSH. These protocols employ public key primitives.
Secure Hash Function : a cryptographic primitive that takes an input M and creates a Message Digest MD=h(M). M is the message and h is some hash function. (MD5, SHA1 are examples)
Certificate : Binds a public key to someone's identity in some unforgeable way. The Certificate Authority has a public/private key pair (PublicKey(CA) & SecretKey(CA)).
Digital Certificates : Certificates on documents that are digitally signed by a CA.
PKI: public key infrastructure (PKI) is an arrangement which provides for third-party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates. A set of hardware, software, and organizational infrastructures required to use Public-key cryptosystems, including Certificate Authorities.
US DOD Orange Book Security Specifications :
- Authentication : Verification of someone's identity (the ability to prove who you are). (ie a login name & password, an IP address of a computer system, or a digital certificate)
- Authorization: Verifies a user's authority. People can accomplish what they are authorized to do and unauthorized people cannot do what they should not. (File and directory permissions, shost files, trusted hosts, ACLs)
- Confidentiality: Keep the contents of a communication secret. (Usually accomplished with cryptography, steganography)
- Message & Data Integrity: Has the data been tampered with or were there any unauthorized modifications or deletions ? (accomplished with hashing, checksums, MD5)
- Accountability: The goal of accountability is to hold someone accountable for their actions with logging and audit trails. (Tripwire, BSM, syslog, praudit)
- Availability: Involves ensuring that attackers cannot stop legitimate users from accessing the system. (ie web server response time, dial tone on a phone, any kind of DOS attack including filling up /var/tmp etc)
- Non-Repudiation: Non-Repudiation is Undeniability. Non-repudiation services provide unforgeable evidence that a specific action occurred. (a digitally signed statement, a video recording of a transaction)
- D : Minimal protection is provided.
- C1 : Discretionary access control and access permissions. Logins with passwords are required.
- C2 : Auditing and authentication events are audited. Authentication events are kept in a secure place.
- B1 : Mandatory access control and labeled output. Access based on labels.
- B2 : Configuration control, facility management, and system configuration must be documented and controlled; all administrative and security operator functions are separated.
- B3 : Access control lists and full system documentation are provided. Access is based on lists of users plus labels.
- A : Formal proof of the security of the system is required.
Xinetd Security Options
Sample xinetd service w/some security options
service rsync
{
    disable = yes
    socket_type = stream
    wait = no
    user = root
    server = /usr/bin/rsync
    server_args = --daemon
    log_on_failure += USERID
    # Limit 4 concurrent instances of myserver
    instances = 4
    # (Prevent DOS Attacks) Limit 10 connections per second or sleep for 30 seconds.
    cps = 10 30
    # Reject new requests if the one minute system load avg exceeds 3.0.
    max_load = 3.0
    # Restrict service usage by time
    access_times = 8:00-16:00
    # Only accept traffic from
    only_from += 126.96.36.199
    # Explicitly block a server (everyone except)
    no_access = badguy.evil.org
}
Redirect a service with xinetd
Libwrap support (tcpwrappers: /etc/hosts.allow, /etc/hosts.deny)
Chroot Jails (Invoking a chroot jail from xinetd)
    user = root
    # Invokes a chroot jail as the service
    server = /usr/sbin/chroot
    # /var/cage is the root directory for this service. Just be sure to include all relevant libraries and files in the new "/".
    server_args = /var/cage /usr/sbin/myservice -a -b
- User Account Based Filtering in ssh
- AllowUsers john mary jack
Prohibiting root Logins on Terminal Devices
/etc/securetty (remove pseudo-devices etc)
SSL: a communication protocol that provides authentication and communication privacy. The client sends a hello message, some random bits, and supported asymmetric ciphers. The server sends a hello with a public key for a cipher they both support. The client encrypts the random key with the server's public key and a secure session using symmetrical encryption is established.
Authenticating by Public Key w/SSH
- openssl s_client -CAfile /usr/share/ssl/cert.pem -connect www.sun.com:443 : Validate an SSL Certificate.
- /usr/share/ssl/cert.pem is included with openssl and names all the CA's at the time of the ssl build. You can add an unlisted CA to this file.
- openssl x509 -text -in /usr/share/ssl/certs/imapd.pem : is how to decode a cert. Most certs are stored in ".pem" files.
- SSL Certificate Signing Request
- Two files are created by running the commands below : a tux.key file (private key) and a tux.csr file (Certificate Signing Request). The private key is encrypted with your passphrase and to decrypt it, issue the command $ openssl rsa -in tux.key . After the CA signs the .csr you send them and returns a "cert.pem" file to you, you have a digitally signed public key and private key pair.
Creating a CSR request
[jake@somewhere ssl]# openssl req -new -key domainname.key -out domainname.csr
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > tux.key
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -new -key tux.key -out tux.csr
Enter pass phrase for tux.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:New York
Organization Name (eg, company) [My Company Ltd]:Tux Limited
Organizational Unit Name (eg, section) :Enterprise Technology
Common Name (eg, your name or your server's hostname) :tux
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :abc321
An optional company name :
Decrypting a private key
[jake@somewhere ssl]# openssl rsa -in tux.key
Enter pass phrase for tux.key:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
- Creating a Self Signed Certificate (Subject and the Issuer are the Same)
- make -f /usr/share/ssl/certs/Makefile selfSigned.crt (creates both a .crt file (public key) and a .key file (encrypted private key --see
- Setting Up a Mock Certificate Authority (A new root key, self signed certificate, etc)
- /usr/share/ssl/misc/CA.pl -newca (Create a new CA - files in ../demoCA/)
- /usr/share/ssl/misc/CA.pl -newreq (Create a new certificate request - will create a file called newreq.pem)
- /usr/share/ssl/misc/CA.pl -sign (Sign your request)
- Now just compile apache 2.0 with ssl support and populate ssl.conf with the public/private key pair just created.
Trusted Hosts and SSH
SSH Agent : The ssh agent, controlled by the programs ssh-agent and ssh-add, maintains a cache of private keys on your local machine. SSH clients query the agent for passwords instead of prompting you.
- Running the commands below will generate a public key and an encrypted private key pair. (You can optionally leave the private key unencrypted, at your own risk.) You can use the openssl command (see above) to decrypt the encrypted private dsa key.
- mkdir ~/.ssh
- chmod 700 ~/.ssh
- cd ~/.ssh
- ssh-keygen -t dsa (will prompt you for a password - a null password means an unencrypted private key !)
Saving the key failed: /hello/.ssh/.
[root@localhost hello]# ssh-keygen -t dsa
[root@localhost hello]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): /hello/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /hello/id_dsa.
Your public key has been saved in /hello/id_dsa.pub.
The key fingerprint is:
[root@localhost hello]# cd /hello/id_dsa
- scp the id_dsa.pub key to the remote server
- cat id_dsa.pub >> ~/.ssh/authorized_keys (append to authorized key list on the remote server)
- In addition to the step above, you can limit a user to issuing particular commands for a more granular level of security, as such :
command="/usr/local/bin/apachectl restart" ssh-dss AAABBGHQsrrf(rest of key)
Symmetric Encryption (shared keys between sender & receiver)
gpg -c somefile (encrypt a file symmetrically)
gpg somefile (decrypt a file symmetrically)
gpg --gen-key (generate a GnuPG key pair.)
This creates the following files and directories :
[root@localhost .gnupg]# ls -la
drwx------ 2 root root 4096 Jan 26 14:30 .
drwxr-x--- 22 root root 4096 Jan 26 14:28 ..
-rw------- 1 root root 7695 Jan 26 14:28 gpg.conf
-rw------- 1 root root 0 Jan 26 14:30 pubring.gpg (public key)
-rw------- 1 root root 600 Jan 26 14:29 random_seed
-rw------- 1 root root 0 Jan 26 14:30 secring.gpg (secret key)
Encrypting a file asymmetrically with someone else's public key file.
gpg -e -r recipients_public_key myfile (generates an encrypted file myfile.gpg)
The receiver would then decrypt the message you just encrypted with his public key as follows :
gpg --decrypt /tmp/myfile.gpg
Signing and Encrypting a File (Most Important):
gpg -e -s -r receiver_public_key file (sign a file and encrypt it with someone else's public key)
The receiver would decrypt the file similar to above.
You can verify a signature : gpg --verify myfile.gpg
Finally, upload your public key to a public pgp key server (pgp.mit.edu). This is only a common key store and does not assure ownership of keys!
1. Provide a way to verify authenticity - used with public key cryptography. (Signing a certificate is essentially adding a digital signature to a file)
Certificate Creation Process
1. The merchant generates a private/public key pair.
2. The merchant must then prove their identity to a CA and provide their public key to the CA.
3. The CA then creates a one-way hash of the following information:
* The CA's identity.
* The merchant's identity.
* The merchant's public key.
* Period of validity.
4. The one-way hash is then encrypted with the CA's private key creating a detached digital signature.
5. The digital certificate is made up of the combined information above and the detached digital signature.
6. The CA then issues this to the merchant.
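The six steps above carried out with openssl, as an added example that is not part of the original notes. The CA name, shop.example.test, the file prefixes and the 2048-bit key size are assumptions; a second CA with the same name but a different key pair shows that the certificate only verifies against the key that signed it in step 4.

```sh
# Added example; every name and file prefix below is constructed.

make_ca() {  # $1 = file prefix; CA key pair + self-signed root certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_cert() {  # $1 = CA prefix, $2 = merchant prefix
    # Step 1: the merchant generates a private/public key pair.
    openssl genrsa -out "$2.key" 2048 2>/dev/null || return 1
    # Step 2: identity and public key go to the CA as a signing request.
    openssl req -new -key "$2.key" -subj "/CN=shop.example.test" \
        -out "$2.csr" 2>/dev/null || return 1
    # Steps 3-6: the CA hashes issuer, subject, public key and validity,
    # signs the hash with its private key and issues the certificate.
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -set_serial 1 -days 30 -sha256 -out "$2.pem" 2>/dev/null
}

verify_cert() {  # $1 = CA prefix, $2 = certificate prefix
    openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

cert_demo() {  # prints how the genuine CA and a same-named impostor fare
    d=$(mktemp -d) || return 1
    make_ca "$d/ca" && issue_cert "$d/ca" "$d/shop" || { rm -rf "$d"; return 1; }
    make_ca "$d/fake"   # same CA name, different key pair
    if verify_cert "$d/ca" "$d/shop"; then r1=accepted; else r1=rejected; fi
    if verify_cert "$d/fake" "$d/shop"; then r2=accepted; else r2=rejected; fi
    rm -rf "$d"
    echo "genuine-ca=$r1 impostor-ca=$r2"
}

cert_demo
```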
Auditing on Linux
C2 Level - BSM for Linux
Kernel Module (Linux recompile - patch your current kernel and create a device file in /dev) + auditd daemon. Information is stored in a binary format and you use the praudit command to read the files.
Tripwire is an open source integrity checker. It stores a snapshot of your system in a known state, so you can periodically compare the files against the snapshot to discover discrepancies.
The 2 main concepts are a policy and a database. The policy lists all the files and directories that tripwire should snapshot and the rules for identifying violations, and the database contains the snapshot itself. You periodically run integrity checks and generate integrity check reports.
tripwire --init (starts tripwire for 1st time)
twadmin is used to generate the policy files, generate site keys etc.
tripwire --check (run an integrity check against the db.)
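The policy / database / check cycle in miniature, as an added example that is not Tripwire's own code or file format. tw_init and tw_check are hypothetical helper names, the policy is just a list of paths, and a plain sha256sum listing stands in for Tripwire's signed database.

```sh
# Added example; tw_init/tw_check and the file layout are hypothetical.

# Snapshot: hash every regular file under each path listed in the policy.
tw_init() {  # $1 = policy file (one path per line), $2 = database to write
    while IFS= read -r path; do
        if [ -n "$path" ]; then find "$path" -type f -exec sha256sum {} +; fi
    done < "$1" | sort > "$2"
}

# Check: re-hash the same paths and report differences from the database.
tw_check() {  # $1 = policy file, $2 = database; returns 1 on any violation
    tw_now=$(mktemp) || return 2
    tw_init "$1" "$tw_now"
    # sha256sum lines are "<64 hex chars><2 separator chars><file name>".
    tw_report=$(awk '
        { hash = substr($0, 1, 64); file = substr($0, 67) }
        FILENAME == ARGV[1] { old[file] = hash; next }
        { seen[file] = 1 }
        !(file in old)    { print "ADDED " file; next }
        old[file] != hash { print "MODIFIED " file }
        END { for (f in old) if (!(f in seen)) print "REMOVED " f }
    ' "$2" "$tw_now" | sort)
    rm -f "$tw_now"
    [ -z "$tw_report" ] && return 0
    printf '%s\n' "$tw_report"
    return 1
}

# Constructed demo: snapshot a scratch directory, change it, check again.
demo=$(mktemp -d)
printf 'setting=1\n' > "$demo/app.conf"; printf 'ALL: ALL\n' > "$demo/hosts.deny"
printf '%s\n' "$demo" > "$demo.policy"
tw_init "$demo.policy" "$demo.db"
printf 'setting=2\n' > "$demo/app.conf"; rm "$demo/hosts.deny"; : > "$demo/new.sh"
tw_check "$demo.policy" "$demo.db" || echo "integrity violations found"
rm -rf "$demo" "$demo.policy" "$demo.db"
```

The database here is unprotected, so it has to live somewhere the monitored host cannot write to; Tripwire addresses the same problem with its site and local keys.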
- psacct package (Process accounting package)
- It was originally used for process accounting -but is a useful tool nowadays for historical information.
- Common commands include :
- accton /var/account/pacct (start ps accounting)
- lastcomm -f /var/account/pacct (prints command name, CPU time by command, start time, user who ran the command, and the controlling terminal if any)