user and physical security
DESCRIPTION
TRANSCRIPT
Master on Free Software
Introduction to cryptography
Master on Free Software
Cryptography
● Used to protect information from unauthorized access.
● Basic requirements:● Confidentiality● Integrity● Availability● Authenticity● Non-repudiation
● Several mechanisms used to achieve these goals
Master on Free Software
Symmetric-key cryptography
● Uses a single key to encrypt and decrypt data● Keys are usually small● Algorithms are usually very fast● If A sends a message to B, B must know the key in advance
● A different key is needed for each pair of users● Examples: DES, AES, Blowfish, CAST5
Master on Free Software
Public-key cryptography
● Different keys are used to encrypt and decrypt● Keys are usually large● Algorithms are usually very slow● Solves the need of having keys for each pair of users
● Can be used for confidentiality and/or authenticity
● Examples: RSA, ElGamal
Master on Free Software
Hybrid cryptography
● Symmetric-key cryptography has the key distribution problem
● Public-key cryptography is very slow● Hybrid cryptography combines both methods:
● A random symmetric key is created to encrypt the message
● The key is sent with the message using public-key cryptography
● The public key still has to be sent using a secure channel
Master on Free Software
Hash functions
● Used to check the integrity of a message (among other uses).
● Returns a value 'h' for any given message 'm'.● All values have the same size.
Master on Free Software
Cryptographic hash functions
● Small changes in the input give a very different output.
● Given 'h', it should be hard to find 'm' such that hash(m) = h.
● Given 'm1', it should be hard to find 'm2' such that hash(m1) = hash(m2).
● Hard to find 'm1' and 'm2' with the same hash.
Master on Free Software
MD5 and SHA-1
● Very widespread hash functions● Used in many authentication systems● Output is 128 and 160 bits respectively● System tools md5sum and sha1sum available● Not recommended anymore for strong cryptography
● Superseded by SHA-256 and others
Master on Free Software
Digital signature
● Provides authentication and non-repudiation● A hash of the message is sent along with it● The hash is encrypted using the sender's private key
● The hash can be decrypted with the sender's public key
Master on Free Software
Cryptographic tools andnetwork security
Master on Free Software
PGP: Pretty Good Privacy
● Software for secure communication and data storage
● Written by Phil Zimmermann in 1991● Uses hybrid cryptography● Allows authentication using digital signatures
Master on Free Software
GnuPG
● GNU Privacy Guard● Implementation of the PGP standard under the GNU GPL
● Can also encrypt single files with symmetric-key algorithms
● Front-ends: Seahorse, Kgpg, ...● Integrated in many e-mail clients
Master on Free Software
PGP key
● Consist on a public and a private key● Each key has user info (name, e-mail, ...)● Web of trust: a key can be signed by other users to confirm that it's legitimate
● A key can have an expiration time● A key can be revoked if compromised or no longer used
● Public keys are stored in key servers
Master on Free Software
SSL/TLS
● Cryptographic protocols for internet communications
● The SSLv3 protocol was superseded by TLS● Based on hybrid cryptography● Used in many application protocols: HTTPS, SMTP, XMPP, ...
● Public keys distributed as X.509 certificates● Hierarchical system to validate certificates: CAs● Certificate metadata: name, validity, e-mail, ...
Master on Free Software
OpenSSL
● Implementation of the SSL/TLS protocols● Very widely used● Includes software to:
● Create certificates and private keys● Encrypt data● Establish secure connections
Master on Free Software
SSH: Secure SHell
● Secure protocol to open remote shells● Connection layer similar to SSL/TLS● Different authentication methods: password, public-key, ...
● Extended features:● Transfer files (sftp, scp, rsync)● Port forwarding (ssh -L, ssh -R)● X11 forwarding● Socks proxy● VPN
Master on Free Software
VPN: Virtual Private Network
● Formed by machines physically divided in several networks
● VPNs are usually encrypted and authenticated● Many different kinds of VPNs:
● IPsec: protocols to add security to IP● OpenVPN: user-space VPN software for Unix and Windows
Master on Free Software
OpenVPN
● User-space VPN software● Very easy to use and configure● Flexible and secure● Can work with tcp, udp, and http proxies● Works with Unix and Win32
Master on Free Software
IPsec
● Set of protocols to add security to IP● Extension to IPv4, standard in IPv6● Implemented in many routers● Complex protocol, interoperability problems● Can work in transport or tunnel mode
● AH/ESP protocols: kernel space (standard in Linux 2.6)
● Key management/negotiation: user space (Openswan, ipsec-tools, ...)
Master on Free Software
The boot process andthe UNIX password system
Master on Free Software
PC boot process
● The BIOS initializes the computer and looks for a bootable device
● The boot sector is loaded (MBR):● Simple MBR: active partition is booted● Boot loader (GRUB, LILO): a boot menu appears.
Master on Free Software
Protecting the BIOS
● Disable alternate booting methods (network, floppy, CD, ...)
● BIOS can be protected using a password● Useful to avoid some basic attacks● Not a real solution to protect the system:
● BIOS can be reseted● Hard disks can be physically removed
Master on Free Software
Linux boot process
● The boot loader loads the kernel into memory● The kernel is booted, hardware is detected● The kernel runs the init command (/sbin/init, see init/main.c)
● init launches all services and shows the login screen
Master on Free Software
Altering Linux boot process
● Most boot loaders allow passing parameters to the kernel
● The 'init' parameter overrides the default /sbin/init
● Thus, it is possible to change the boot process● Boot loaders usually can be protected with a password
● Examples: GRUB, LILO
Master on Free Software
UNIX password system
● On UNIX systems, user data is stored in /etc/passwd
● Includes user name, user ID, group ID, home directory and shell
● File is readable by everyone● It can include the encrypted password (if /etc/shadow is not used)
● man 5 passwd
Master on Free Software
The crypt(3) function
● Function to store passwords in /etc/passwd● It creates a cryptographic hash of the password● Algorithms: DES, MD5, Blowfish, ...● A random string ("salt") is appended to the password.
Master on Free Software
Breaking the UNIX password system
● Boot using /bin/sh instead of /sbin/init● Or boot from another partition (or rescue disk)● Edit password from /etc/passwd or /etc/shadow● Leave it blank● Boot the system again and login with no password
Master on Free Software
Encrypted filesystems
Master on Free Software
Encrypted filesystems
● Used to protect the data in a computer● Can be implemented either in software or hardware
● Many different implementations, no single standard:
● LUKS● Truecrypt● EncFS
Master on Free Software
Disk encryption features
● Plausible deniability:● Hidden volume● No identifying features
● Resizable volumes
Master on Free Software
Standard partitions to encrypt
● User data (/home)● Swap space● Temporary files● Program data, databases (/var)● Alternatively: full disk encryption
Master on Free Software
EncFS
● Userspace (FUSE) encrypted filesystem● Created on top of existing filesystems● Doesn't need to be resized● Very easy to use● Problems: ability to see the number of files, permissions, approximate size, etc.
Master on Free Software
LUKS
● Kernel-based disk encryption software● Specifies a standard disk format for encrypted partitions
● Supports multiple keys● Secure passphrase revocation● Available for Windows
Master on Free Software
cryptsetup
● Utilities to manage encrypted filesystems● Support for LUKS● File /etc/crypttab, similar to fstab
Master on Free Software
User authentication
Master on Free Software
PAM
● Pluggable Authentication Modules● Provide different authentication systems● Apps independent of the authentication scheme● PAM files in /etc/pam.d
Master on Free Software
PAM rule types
● account: Checks whether the account exists and it has access to the current service
● auth: Authenticate the user (normally using a password)
●password: update the authentication mechanism
● session: tasks to do before and after using the service
Master on Free Software
PAM control values
● required: if module fails, all other modules are tested but the process fails
● requisite: if module fails, return immediately● sufficient: if module succeeds, return immediately
●optional: module is evaluated, but it is ignored if it fails
Master on Free Software
Some basic PAM modules
● pam_unix: traditional password authentication (/etc/passwd)
● pam_securetty: root can only login from secure ttys
● pam_access: Restrict logins using a set of rules● pam_limits: Limit resources to the user (cpu time, memory, etc)
● pam_group: Give users access to certain groups in this session
Master on Free Software
Some advanced PAM modules
● pam_mount: mount filesystems upon login● pam_pwdfile: authenticate users using a text file
● pam_cracklib: prevents users from having weak passwords
● pam_thinkfinger: uses the fingerprint reader of some ThinkPads
● pam_ldap: authenticate using a LDAP directory● pam_mysql: authenticate using a MySQL database
Master on Free Software
File permissions
Master on Free Software
File permissions
● Define who can access a file or dir● Divided into read, write or execute● Different permissions:
● File owner● File group● Rest of users● setuid/setgid/sticky bits
Master on Free Software
Permissions on regular files
● Read: open a file and read its contents● Write: modify the contents of a file● Execute: execute a file
Master on Free Software
Permissions on directories
● Read: list the contents of a directory● Write: alter its contents (create, rename and delete files)
● Execute: enter a directory
Master on Free Software
setuid/setgid/sticky bits
● Bits to alter the behaviour of a file or dir● Setuid/Setgid files: executed as the owner or group of the file
● Setgid (not setuid) dirs: files created inherit the group
● Sticky bit dir: files can only be deleted by their owners
● Sticky bit file: deprecated
Master on Free Software
Changing ownerships
● chown newuser file● chown newuser:newgroup file● chgrp newgroup file
Master on Free Software
Changing permissions
● chmod mode file1 file2 ...● Octal: chmod 0755 file● Symbolic: chmod u=rwx,g+x,o-rwx file● Recursive: chmod -R mode file1 file2 ...
Master on Free Software
System services
Master on Free Software
System services
● Daemons, processes that run in the background
● Some of them listen to internet connections● Open services are vulnerable to external attacks
● Unused services should be disabled● All other services should be restricted
Master on Free Software
netstat
● Used to list network services● netstat -pnltu
● -p: show process name● -n: show ip address instead of name● -l: show listening sockets● -t: show tcp sockets● -u: show udp sockets
Master on Free Software
Inetd
● Super server that handles several services● Usually for services that don't receive many connections
● Configuration file in /etc/inetd.conf● Other similar servers: xinetd, micro-inetd, ...
Master on Free Software
Other services
● Started from /etc/init.d scripts● Some are configurable in /etc/default● Others cannot be disabled without uninstalling