SlideShare a Scribd company logo

Linux securities

Download as PPTX, PDF
Gaurav Mishra
Gaurav Mishra

This document contains information about encryption, SSH, and IPSec. It discusses encryption techniques like public key encryption and digital signatures. It describes the open source program GNU Privacy Guard (GnuPG) and how it can be used to encrypt and sign messages on Linux. It also covers Secure Shell (SSH) including how it provides secure connections using encryption and authentication. It discusses how SSH keys work and how to configure SSH. Finally, it discusses IPsec and how it incorporates network security directly into IP by providing encryption and authentication of packets sent over the network.

Technology
1 of 23
Gaurav Mishra <gmishx@gmail.com> Linux - 2 Encryption, SSH, IPSec 24-02-2018
Gaurav Mishra <gmishx@gmail.com> Encryption • Quick points • Encryption is changing the content of a message using mathematics • Encryption can be done to secure the content of the message, respecting the privacy, authentication. • When sending a data over a network, it is necessary to encrypt it. • The receiver must be sure the data is not altered so it should be signed as well.
Gaurav Mishra <gmishx@gmail.com> Major aspects of encryption Encryption can mean any one of the following: 1. Public key encryption ▫ In earlier days, a symmetric key was used to encrypt the message, which means same key is required to encrypt and decrypt the message. ▫ With advances in Mathematics, we now use asymmetric key, which means the message is encrypted with one key and decrypted with other. ▫ The message is encrypted using receiver's public key and decrypted using the receiver's private key. 2. Digital Signatures ▫ The messages on public networks need to fight against unwanted modifications. This leads to the question on integrity of the message. ▫ To sign a message, the message’s digest is calculated and encrypted using the sender’s private key. ▫ To check the integrity of message, the receiver calculate the digest of the message and compare with the encrypted digest sent by the sender which can be decrypted using the sender’s public key. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> GNU Privacy Guard • Linux include an Open source program called GnuGP for the aid of encryption mechanism. • The command to invoke GnuGP is gpg. • gpg current support following algorithms: ▫ Public key: RSA, RSA-E, RSA-S, ELG-E, DSA ▫ Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 ▫ Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 ▫ Compression: Uncompressed, ZIP, ZLIB, BZIP2 24-02-2018
Gaurav Mishra <gmishx@gmail.com> GPG options Commands Options • -s, --sign ▫ Signs a document and create a signature. Can be combined with --encrypt • -e, --encrpyt ▫ Encrypts data. Can be combine with --sign • --decrypt [file] ▫ Decrypts file. If a signature is attached, it is verified. • --list-keys [name] ▫ List all the keys in keyring or the one specified. • --list-public-keys [name], --list-secret-keys [name] ▫ List the public/private keys from the keyring or the one specified. • --gen-key ▫ Generate new set of public and private key. • -o, --output ▫ Write the output to a file instead of STDOUT. • -r, --recipient names ▫ Encrypt data for the specified users from the public keyring. • --default-key name ▫ Set the default key for signatures • -i, --interactive ▫ Prompt before overwriting any files. • --cipher-algo name ▫ Use name as cipher algorithm. • --digest-algo name ▫ Use name as the message digest algorithm. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> GPG options Commands Options • --delete-key name ▫ Removes a public key from keyring • --export [names] ▫ Export keys from the keyring • --import [files] ▫ Import keys defined in the file to the public keyring • --compress-algo name ▫ Use compression algorithm name. • --personal-cipher-preferences name ▫ Set the list of personal cipher preferences to name. • --personal-digest-preferences name ▫ Set the list of personal digest preferences to name. • -u, --local-user name ▫ Use name as the key to sign with. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> GPG examples • gpg -se -r Bob file ▫ sign and encrypt for user Bob • gpg -u 0x12345678 -s file ▫ make a signature with the key 0x12345678 • gpg --list-keys user_ID ▫ show keys • gpg --fingerprint user_ID ▫ show fingerprint • gpg --verify pgpfile ▫ Verify the signature of the file but do not output the data. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> SSH • OpenSSH is the open source version of the SSH. • SSH is use to have secure connection between two machines over a network. • SSH uses encryption an authentication. • SSH uses asymmetric keys for authentication and a cipher agreed for a session for the encryption. • SSH first verify the host machine then it authenticates the user. • Each user on the machine have their own keys for authentication. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> SSH tools Application Description ssh SSH client sshd SSH server (daemon) sftp SSH FTP client scp SSH copy client ssh-keygen SSH Key generator ssh-add Add RSD and DSA identities to authentication agent 24-02-2018
Gaurav Mishra <gmishx@gmail.com> SSH Setup 1. Setting up keys 1. Run ssh-keygen -t [rsa/dsa] to generate your public and private keys. 2. Provide a passphrase to protect your private key and a location to store them (default: /~.ssh/id_{rsa/dsa}.pub and ~/.ssh/id_{rsa/dsa}) 2. Send the public key to the machine running SSH server. 1. Can be done through an email, any other medium or using ssh-copy-id program. 2. Add the public key to the user’s ~/.ssh/authorized_keys 3. Putting the public key in authorized_keys file allow you to login to the account without the need of user’s account password. 3. Making the connection 1. Once the steps above are done, you can connect to the SSH server using any SSH client. 2. Simple SSH example: ssh user@server.com ssh server.com -l user 24-02-2018
Gaurav Mishra <gmishx@gmail.com> SSH Configuration • The configuration file for each user can be found in their respecting $HOME/.ssh/config and for global configuration in /etc/ssh/ssh_config. • The SSH configuration file have different segments for each host and is in a format of Keyword Value • Every option for a host starts with the Host keyword and end at the next Host keyword • SSH Configuration helps in restricting the access to the SSH-Server 24-02-2018
Gaurav Mishra <gmishx@gmail.com> SSH Configuration • Host: ▫ Restrict the options to a given host, can accept patterns (‘*’ and ‘?’). ▫ IP address or name of the host. • Cipher: ▫ Define the cipher to be used for encryption. ▫ Supported: “blowfish”, “3des”, and “des”, Default: 3des • Compression: ▫ Whether to use compression or not. ▫ “yes” or “no”. Default “no” • IdentityFile: ▫ From where to take user’s private keys • Port: ▫ Which port is to be used for the connection. ▫ Default 22 • TCPKeepAlive: ▫ Specifies whether to send the TCP KeepAlive message. ▫ Helps in identifing Server/Client crash, default “yes” • User: ▫ To set the default user to be logged in as. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> IPsec • IP Security (IPsec) incorporate network security into IP directly. • IPsec is integrated into IPv6. • Back ported to IPv4. • It helps in encryption and authentication of packets sent over the network by the kernel itself. • Can be used over LAN, WAN and Internet. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> Downside of traditional IP • Traditional IP exposes the headers of each packet. • Anyone can resend a packet with malicious information. • Anyone trap packets and check the contents. • Original message can be trapped, modified and retransmitted. • Only the payload can be encrypted (application specific), e.g. HTTPS. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> IPsec over Traditional IP • Built on traditional IP • Provides authentication using Hash Message Authentication Code (HMAC) • Provides encryption using Encapsulated Security Payload (ESP) • Prevents retransmit using sliding window mechanism • Prevents bare IP headers in tunnel mode • IPsec can be used in 2 modes: ▫ Transport mode:  Communication between two hosts ▫ Tunnel mode:  Communication between two networks Source: http://www.ipsec-howto.org/ipsec-howto.pdf 24-02-2018
Gaurav Mishra <gmishx@gmail.com> Elements of IPsec Security Association Example • All information needed to encapsulate and decapsulate IP datagram is store in Security Association (SA) which in- turn is stored in Security Association Database (SAD). • SA consist of: ▫ Source and destination IP address ▫ IPsec protocol (AH or ESP) ▫ Algorithm and secret key used by IPsec ▫ Security Parameter Index (SPI) to identify SA • Each SA is unidirectional • SAs can be added to SAD using setkey tool # AH SAs add 192.168.1.100 192.168.2.100 ah 15700 -A hmac-md5 “secret key”; # ESP SAs add 192.168.1.100 192.168.2.100 esp 15701 -E 3des-cbc “secret key”; • Here -A is Authentication algorithm, - E is encryption algorithm 24-02-2018
Gaurav Mishra <gmishx@gmail.com> Elements of IPsec Security Policy Example • To define which information is to be protected, Security Policy (SP) is to be defined which is store in Security Policy Database (SPD). • SP consist of: ▫ Source and destination address (same for transport mode, may differ in tunnel) ▫ Protocol or port to be secured ▫ Security association to be used for protection • SP can also be added to SPD using setkey spdadd 192.168.1.100 192.168.2.100 any -P out ipsec esp/transport//require ah/transport//require; • The command requires the source and destination IP addresses of the packets to be protected, the protocol (and port) to protect (any) and the policy to use (-P). • The policy specifies the direction (in/out), the action to apply (ipsec/discard/none), the protocol (ah/esp/ipcomp), the mode (transport) and the level (use/require). 24-02-2018
Gaurav Mishra <gmishx@gmail.com> IPSec protocols Authentication Header (AH) Encapsulated Security Payload (ESP) • AH uses hashing algorithms like SHA, MD5, etc. • AH uses the algorithm and secret code defined in the SA to calculate the digest. • The digest is calculated on the immutable IP headers and the payload. • The resultant digest is called Hash Message Authentication Code (HMAC). • The HMAC and the SPI is sent along with the original packet. • AH can not be used on NAT. • ESP provides integrity and confidentiality. • ESP uses the algorithm defined in the SA to first encrypt the payload using the secret key. • The encrypted payload is then digested using hash algorithm. • ESP do not use the source and destination address of the packets while calculating the HMAC thus can work on NAT as well. • In both protocols, symmetric key is used thus possess a threat which is solved using Internet Key Exchange (IKE) mechanism. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> Traditional TCP/IP packets Using SSL (HTTPS) Without SSL (Plain HTTP) 24-02-2018
Gaurav Mishra <gmishx@gmail.com> IPsec packets Using AH and ESP in transport mode 24-02-2018
Gaurav Mishra <gmishx@gmail.com> IPsec key exchange using racoon • Setting up racoon (an IKE client) for Pre Shared Key configuration 1. Setup SP using setkey (SA not required, setup by racoon). 2. Setup PSK file. 1. The file is generally located in /etc/racoon/psk.txt 2. PSK file is arranged in column fashion, where first column is identifier and second column is the key. 3. You should not share the psk file with everyone. 3. Setup the racoon.conf file 1. The file is generally location in /etc/racoon/racoon.conf 2. The file is arranged in paragraphs. 3. Setup the necessary listen, remote and sainfo paragraphs. 4. Test the racoon config using racoon -F -f /etc/racoon/racoon.conf 5. Share the setkey.conf, psk.txt and racoon.conf with the participants. 24-02-2018
Gaurav Mishra <gmishx@gmail.com> Sample settings psk.txt racoon.conf setkey.conf 24-02-2018
Gaurav Mishra <gmishx@gmail.com> Key exchange using IKE Few packets trapped during a ping request 24-02-2018

Recommended

SSL Primer
SSL PrimerSSL Primer
SSL Primer
Mahadev Gaonkar
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
SSL247®
 
UVic Startup Slam September 2014 (Kiind)
UVic Startup Slam September 2014 (Kiind)UVic Startup Slam September 2014 (Kiind)
UVic Startup Slam September 2014 (Kiind)
sendwithus
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
RootedCON
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
Nate Lawson
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
Sarang Ananda Rao
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
Mohd Arif
 

Recommended

SSL Primer
SSL PrimerSSL Primer
SSL Primer
Mahadev Gaonkar
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
SSL247®
 
UVic Startup Slam September 2014 (Kiind)
UVic Startup Slam September 2014 (Kiind)UVic Startup Slam September 2014 (Kiind)
UVic Startup Slam September 2014 (Kiind)
sendwithus
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
RootedCON
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
Nate Lawson
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
Sarang Ananda Rao
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
Mohd Arif
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
Cryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHPCryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHP
Anthony Ferrara
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
OWASP
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
JP Bourget
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flash
Evan J Johnson (Not a CISSP)
 
Ssh that wonderful thing
Ssh that wonderful thingSsh that wonderful thing
Ssh that wonderful thing
Marc Cluet
 
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick HardtINTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
apidays
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
Çağrı Çakır
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
Pina Parmar
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
OpenSSL
OpenSSLOpenSSL
OpenSSL
Timbal Mayank
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat Security Conference
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
MrArora Arjuna
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
wolfSSL
 
Password Security
Password SecurityPassword Security
Password Security
CSCJournals
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
Giuseppe Trotta
 
Passwords presentation
Passwords presentationPasswords presentation
Passwords presentation
Greg MacPherson
 
wget, curl and scp
wget, curl and scpwget, curl and scp
wget, curl and scp
Gaurav Mishra
 
Pgp1
Pgp1Pgp1
Pgp1
Sanjeevsharma620
 

More Related Content

What's hot

Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 

What's hot (20)

Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
 
Cryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHPCryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHP
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flash
 
Ssh that wonderful thing
Ssh that wonderful thingSsh that wonderful thing
Ssh that wonderful thing
 
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick HardtINTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 
OpenSSL
OpenSSLOpenSSL
OpenSSL
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
 
Password Security
Password SecurityPassword Security
Password Security
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
Passwords presentation
Passwords presentationPasswords presentation
Passwords presentation
 

Similar to Linux securities

multiple encryption in clouud computing
multiple encryption in clouud computingmultiple encryption in clouud computing
multiple encryption in clouud computing
Rauf Wani
 
Digital signaturepattern 10 30
Digital signaturepattern 10 30Digital signaturepattern 10 30
Digital signaturepattern 10 30
Joaquin Ojeda
 

Similar to Linux securities (20)

wget, curl and scp
wget, curl and scpwget, curl and scp
wget, curl and scp
 
Pgp1
Pgp1Pgp1
Pgp1
 
Encryption
EncryptionEncryption
Encryption
 
E mail security
E mail securityE mail security
E mail security
 
Cryto Party at CCU
Cryto Party at CCUCryto Party at CCU
Cryto Party at CCU
 
Secure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLESecure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLE
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
 
Security Concepts - Linux
Security Concepts - LinuxSecurity Concepts - Linux
Security Concepts - Linux
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
CryptoGraphy Module in Mulesoft
CryptoGraphy Module in MulesoftCryptoGraphy Module in Mulesoft
CryptoGraphy Module in Mulesoft
 
Firewall and IPtables
Firewall and IPtablesFirewall and IPtables
Firewall and IPtables
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
multiple encryption in clouud computing
multiple encryption in clouud computingmultiple encryption in clouud computing
multiple encryption in clouud computing
 
Digital signaturepattern 10 30
Digital signaturepattern 10 30Digital signaturepattern 10 30
Digital signaturepattern 10 30
 
Sql_DG_presentation.pptx
Sql_DG_presentation.pptxSql_DG_presentation.pptx
Sql_DG_presentation.pptx
 
Cryptography
CryptographyCryptography
Cryptography
 
UNIT 4 CRYPTOGRAPHIC SYSTEMS.pptx
UNIT 4 CRYPTOGRAPHIC SYSTEMS.pptxUNIT 4 CRYPTOGRAPHIC SYSTEMS.pptx
UNIT 4 CRYPTOGRAPHIC SYSTEMS.pptx
 
Basics of GnuPG (gpg) command in linux
Basics of GnuPG (gpg) command in linuxBasics of GnuPG (gpg) command in linux
Basics of GnuPG (gpg) command in linux
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
 

More from Gaurav Mishra

More from Gaurav Mishra (9)

FOSSology and OSS-Tools for License Compliance and Automation
FOSSology and OSS-Tools for License Compliance and AutomationFOSSology and OSS-Tools for License Compliance and Automation
FOSSology and OSS-Tools for License Compliance and Automation
 
FOSSology & GSOC Journey
FOSSology & GSOC JourneyFOSSology & GSOC Journey
FOSSology & GSOC Journey
 
Block Chain - Merkel and Key exchange
Block Chain - Merkel and Key exchangeBlock Chain - Merkel and Key exchange
Block Chain - Merkel and Key exchange
 
Block Chain - Introduction
Block Chain - IntroductionBlock Chain - Introduction
Block Chain - Introduction
 
Backup using rsync
Backup using rsyncBackup using rsync
Backup using rsync
 
Disk quota and sysd procd
Disk quota and sysd procdDisk quota and sysd procd
Disk quota and sysd procd
 
Linux User Management
Linux User ManagementLinux User Management
Linux User Management
 
Apache, cron and proxy
Apache, cron and proxyApache, cron and proxy
Apache, cron and proxy
 
Linux Run Level
Linux Run LevelLinux Run Level
Linux Run Level
 

Recently uploaded

UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 

Linux securities

  • 1. Gaurav Mishra <gmishx@gmail.com> Linux - 2 Encryption, SSH, IPSec 24-02-2018
  • 2. Gaurav Mishra <gmishx@gmail.com> Encryption • Quick points • Encryption is changing the content of a message using mathematics • Encryption can be done to secure the content of the message, respecting the privacy, authentication. • When sending a data over a network, it is necessary to encrypt it. • The receiver must be sure the data is not altered so it should be signed as well.
  • 3. Gaurav Mishra <gmishx@gmail.com> Major aspects of encryption Encryption can mean any one of the following: 1. Public key encryption ▫ In earlier days, a symmetric key was used to encrypt the message, which means same key is required to encrypt and decrypt the message. ▫ With advances in Mathematics, we now use asymmetric key, which means the message is encrypted with one key and decrypted with other. ▫ The message is encrypted using receiver's public key and decrypted using the receiver's private key. 2. Digital Signatures ▫ The messages on public networks need to fight against unwanted modifications. This leads to the question on integrity of the message. ▫ To sign a message, the message’s digest is calculated and encrypted using the sender’s private key. ▫ To check the integrity of message, the receiver calculate the digest of the message and compare with the encrypted digest sent by the sender which can be decrypted using the sender’s public key. 24-02-2018
  • 4. Gaurav Mishra <gmishx@gmail.com> GNU Privacy Guard • Linux include an Open source program called GnuGP for the aid of encryption mechanism. • The command to invoke GnuGP is gpg. • gpg current support following algorithms: ▫ Public key: RSA, RSA-E, RSA-S, ELG-E, DSA ▫ Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 ▫ Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 ▫ Compression: Uncompressed, ZIP, ZLIB, BZIP2 24-02-2018
  • 5. Gaurav Mishra <gmishx@gmail.com> GPG options Commands Options • -s, --sign ▫ Signs a document and create a signature. Can be combined with --encrypt • -e, --encrpyt ▫ Encrypts data. Can be combine with --sign • --decrypt [file] ▫ Decrypts file. If a signature is attached, it is verified. • --list-keys [name] ▫ List all the keys in keyring or the one specified. • --list-public-keys [name], --list-secret-keys [name] ▫ List the public/private keys from the keyring or the one specified. • --gen-key ▫ Generate new set of public and private key. • -o, --output ▫ Write the output to a file instead of STDOUT. • -r, --recipient names ▫ Encrypt data for the specified users from the public keyring. • --default-key name ▫ Set the default key for signatures • -i, --interactive ▫ Prompt before overwriting any files. • --cipher-algo name ▫ Use name as cipher algorithm. • --digest-algo name ▫ Use name as the message digest algorithm. 24-02-2018
  • 6. Gaurav Mishra <gmishx@gmail.com> GPG options Commands Options • --delete-key name ▫ Removes a public key from keyring • --export [names] ▫ Export keys from the keyring • --import [files] ▫ Import keys defined in the file to the public keyring • --compress-algo name ▫ Use compression algorithm name. • --personal-cipher-preferences name ▫ Set the list of personal cipher preferences to name. • --personal-digest-preferences name ▫ Set the list of personal digest preferences to name. • -u, --local-user name ▫ Use name as the key to sign with. 24-02-2018
  • 7. Gaurav Mishra <gmishx@gmail.com> GPG examples • gpg -se -r Bob file ▫ sign and encrypt for user Bob • gpg -u 0x12345678 -s file ▫ make a signature with the key 0x12345678 • gpg --list-keys user_ID ▫ show keys • gpg --fingerprint user_ID ▫ show fingerprint • gpg --verify pgpfile ▫ Verify the signature of the file but do not output the data. 24-02-2018
  • 8. Gaurav Mishra <gmishx@gmail.com> SSH • OpenSSH is the open source version of the SSH. • SSH is use to have secure connection between two machines over a network. • SSH uses encryption an authentication. • SSH uses asymmetric keys for authentication and a cipher agreed for a session for the encryption. • SSH first verify the host machine then it authenticates the user. • Each user on the machine have their own keys for authentication. 24-02-2018
  • 9. Gaurav Mishra <gmishx@gmail.com> SSH tools Application Description ssh SSH client sshd SSH server (daemon) sftp SSH FTP client scp SSH copy client ssh-keygen SSH Key generator ssh-add Add RSD and DSA identities to authentication agent 24-02-2018
  • 10. Gaurav Mishra <gmishx@gmail.com> SSH Setup 1. Setting up keys 1. Run ssh-keygen -t [rsa/dsa] to generate your public and private keys. 2. Provide a passphrase to protect your private key and a location to store them (default: /~.ssh/id_{rsa/dsa}.pub and ~/.ssh/id_{rsa/dsa}) 2. Send the public key to the machine running SSH server. 1. Can be done through an email, any other medium or using ssh-copy-id program. 2. Add the public key to the user’s ~/.ssh/authorized_keys 3. Putting the public key in authorized_keys file allow you to login to the account without the need of user’s account password. 3. Making the connection 1. Once the steps above are done, you can connect to the SSH server using any SSH client. 2. Simple SSH example: ssh user@server.com ssh server.com -l user 24-02-2018
  • 11. Gaurav Mishra <gmishx@gmail.com> SSH Configuration • The configuration file for each user can be found in their respecting $HOME/.ssh/config and for global configuration in /etc/ssh/ssh_config. • The SSH configuration file have different segments for each host and is in a format of Keyword Value • Every option for a host starts with the Host keyword and end at the next Host keyword • SSH Configuration helps in restricting the access to the SSH-Server 24-02-2018
  • 12. Gaurav Mishra <gmishx@gmail.com> SSH Configuration • Host: ▫ Restrict the options to a given host, can accept patterns (‘*’ and ‘?’). ▫ IP address or name of the host. • Cipher: ▫ Define the cipher to be used for encryption. ▫ Supported: “blowfish”, “3des”, and “des”, Default: 3des • Compression: ▫ Whether to use compression or not. ▫ “yes” or “no”. Default “no” • IdentityFile: ▫ From where to take user’s private keys • Port: ▫ Which port is to be used for the connection. ▫ Default 22 • TCPKeepAlive: ▫ Specifies whether to send the TCP KeepAlive message. ▫ Helps in identifing Server/Client crash, default “yes” • User: ▫ To set the default user to be logged in as. 24-02-2018
  • 13. Gaurav Mishra <gmishx@gmail.com> IPsec • IP Security (IPsec) incorporate network security into IP directly. • IPsec is integrated into IPv6. • Back ported to IPv4. • It helps in encryption and authentication of packets sent over the network by the kernel itself. • Can be used over LAN, WAN and Internet. 24-02-2018
  • 14. Gaurav Mishra <gmishx@gmail.com> Downside of traditional IP • Traditional IP exposes the headers of each packet. • Anyone can resend a packet with malicious information. • Anyone trap packets and check the contents. • Original message can be trapped, modified and retransmitted. • Only the payload can be encrypted (application specific), e.g. HTTPS. 24-02-2018
  • 15. Gaurav Mishra <gmishx@gmail.com> IPsec over Traditional IP • Built on traditional IP • Provides authentication using Hash Message Authentication Code (HMAC) • Provides encryption using Encapsulated Security Payload (ESP) • Prevents retransmit using sliding window mechanism • Prevents bare IP headers in tunnel mode • IPsec can be used in 2 modes: ▫ Transport mode:  Communication between two hosts ▫ Tunnel mode:  Communication between two networks Source: http://www.ipsec-howto.org/ipsec-howto.pdf 24-02-2018
  • 16. Gaurav Mishra <gmishx@gmail.com> Elements of IPsec Security Association Example • All information needed to encapsulate and decapsulate IP datagram is store in Security Association (SA) which in- turn is stored in Security Association Database (SAD). • SA consist of: ▫ Source and destination IP address ▫ IPsec protocol (AH or ESP) ▫ Algorithm and secret key used by IPsec ▫ Security Parameter Index (SPI) to identify SA • Each SA is unidirectional • SAs can be added to SAD using setkey tool # AH SAs add 192.168.1.100 192.168.2.100 ah 15700 -A hmac-md5 “secret key”; # ESP SAs add 192.168.1.100 192.168.2.100 esp 15701 -E 3des-cbc “secret key”; • Here -A is Authentication algorithm, - E is encryption algorithm 24-02-2018
  • 17. Gaurav Mishra <gmishx@gmail.com> Elements of IPsec Security Policy Example • To define which information is to be protected, Security Policy (SP) is to be defined which is store in Security Policy Database (SPD). • SP consist of: ▫ Source and destination address (same for transport mode, may differ in tunnel) ▫ Protocol or port to be secured ▫ Security association to be used for protection • SP can also be added to SPD using setkey spdadd 192.168.1.100 192.168.2.100 any -P out ipsec esp/transport//require ah/transport//require; • The command requires the source and destination IP addresses of the packets to be protected, the protocol (and port) to protect (any) and the policy to use (-P). • The policy specifies the direction (in/out), the action to apply (ipsec/discard/none), the protocol (ah/esp/ipcomp), the mode (transport) and the level (use/require). 24-02-2018
  • 18. Gaurav Mishra <gmishx@gmail.com> IPSec protocols Authentication Header (AH) Encapsulated Security Payload (ESP) • AH uses hashing algorithms like SHA, MD5, etc. • AH uses the algorithm and secret code defined in the SA to calculate the digest. • The digest is calculated on the immutable IP headers and the payload. • The resultant digest is called Hash Message Authentication Code (HMAC). • The HMAC and the SPI is sent along with the original packet. • AH can not be used on NAT. • ESP provides integrity and confidentiality. • ESP uses the algorithm defined in the SA to first encrypt the payload using the secret key. • The encrypted payload is then digested using hash algorithm. • ESP do not use the source and destination address of the packets while calculating the HMAC thus can work on NAT as well. • In both protocols, symmetric key is used thus possess a threat which is solved using Internet Key Exchange (IKE) mechanism. 24-02-2018
  • 19. Gaurav Mishra <gmishx@gmail.com> Traditional TCP/IP packets Using SSL (HTTPS) Without SSL (Plain HTTP) 24-02-2018
  • 20. Gaurav Mishra <gmishx@gmail.com> IPsec packets Using AH and ESP in transport mode 24-02-2018
  • 21. Gaurav Mishra <gmishx@gmail.com> IPsec key exchange using racoon • Setting up racoon (an IKE client) for Pre Shared Key configuration 1. Setup SP using setkey (SA not required, setup by racoon). 2. Setup PSK file. 1. The file is generally located in /etc/racoon/psk.txt 2. PSK file is arranged in column fashion, where first column is identifier and second column is the key. 3. You should not share the psk file with everyone. 3. Setup the racoon.conf file 1. The file is generally location in /etc/racoon/racoon.conf 2. The file is arranged in paragraphs. 3. Setup the necessary listen, remote and sainfo paragraphs. 4. Test the racoon config using racoon -F -f /etc/racoon/racoon.conf 5. Share the setkey.conf, psk.txt and racoon.conf with the participants. 24-02-2018
  • 22. Gaurav Mishra <gmishx@gmail.com> Sample settings psk.txt racoon.conf setkey.conf 24-02-2018
  • 23. Gaurav Mishra <gmishx@gmail.com> Key exchange using IKE Few packets trapped during a ping request 24-02-2018