Gaurav Mishra
<gmishx@gmail.com>
Linux - 2
Encryption, SSH, IPSec 24-02-2018
Encryption
• Quick points
• Encryption is changing the content of a message using mathematics.
• Encryption can be done to secure the content of the message, for privacy and authentication.
• When sending data over a network, it is necessary to encrypt it.
• The receiver must be sure the data has not been altered, so it should be signed as well.
Major aspects of encryption
Encryption can mean any one of the following:
1. Public key encryption
▫ In earlier days, a symmetric key was used to encrypt the message, which means the same key is required to encrypt and decrypt the message.
▫ With advances in mathematics, we now use asymmetric keys, which means the message is encrypted with one key and decrypted with the other.
▫ The message is encrypted using the receiver's public key and decrypted using the receiver's private key.
2. Digital signatures
▫ Messages on public networks need protection against unwanted modifications. This raises the question of the integrity of the message.
▫ To sign a message, the message's digest is calculated and encrypted using the sender's private key.
▫ To check the integrity of the message, the receiver calculates the digest of the message and compares it with the encrypted digest sent by the sender, which can be decrypted using the sender's public key.
GNU Privacy Guard
• Linux includes an open source program called GnuPG to aid encryption.
• The command to invoke GnuPG is gpg.
• gpg currently supports the following algorithms:
▫ Public key: RSA, RSA-E, RSA-S, ELG-E, DSA
▫ Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
▫ Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
▫ Compression: Uncompressed, ZIP, ZLIB, BZIP2
GPG options
Commands
• -s, --sign
▫ Signs a document and creates a signature. Can be combined with --encrypt.
• -e, --encrypt
▫ Encrypts data. Can be combined with --sign.
• --decrypt [file]
▫ Decrypts file. If a signature is attached, it is verified.
• --list-keys [name]
▫ Lists all the keys in the keyring or the one specified.
• --list-public-keys [name], --list-secret-keys [name]
▫ Lists the public/private keys from the keyring or the one specified.
• --gen-key
▫ Generates a new set of public and private keys.
Options
• -o, --output
▫ Writes the output to a file instead of STDOUT.
• -r, --recipient names
▫ Encrypts data for the specified users from the public keyring.
• --default-key name
▫ Sets the default key for signatures.
• -i, --interactive
▫ Prompts before overwriting any files.
• --cipher-algo name
▫ Uses name as the cipher algorithm.
• --digest-algo name
▫ Uses name as the message digest algorithm.
GPG options
Commands
• --delete-key name
▫ Removes a public key from the keyring.
• --export [names]
▫ Exports keys from the keyring.
• --import [files]
▫ Imports keys defined in the file to the public keyring.
Options
• --compress-algo name
▫ Uses compression algorithm name.
• --personal-cipher-preferences name
▫ Sets the list of personal cipher preferences to name.
• --personal-digest-preferences name
▫ Sets the list of personal digest preferences to name.
• -u, --local-user name
▫ Uses name as the key to sign with.
GPG examples
• gpg -se -r Bob file
▫ sign and encrypt for user Bob
• gpg -u 0x12345678 -s file
▫ make a signature with the key 0x12345678
• gpg --list-keys user_ID
▫ show keys
• gpg --fingerprint user_ID
▫ show fingerprint
• gpg --verify pgpfile
▫ Verify the signature of the file but do not output the data.
SSH
• OpenSSH is the open source version of SSH.
• SSH is used to establish a secure connection between two machines over a network.
• SSH uses encryption and authentication.
• SSH uses asymmetric keys for authentication and a cipher agreed for the session for encryption.
• SSH first verifies the host machine, then it authenticates the user.
• Each user on the machine has their own keys for authentication.
SSH tools
Application    Description
ssh            SSH client
sshd           SSH server (daemon)
sftp           SSH FTP client
scp            SSH copy client
ssh-keygen     SSH key generator
ssh-add        Adds RSA and DSA identities to the authentication agent
SSH Setup
1. Setting up keys
   1. Run ssh-keygen -t [rsa/dsa] to generate your public and private keys.
   2. Provide a passphrase to protect your private key and a location to store the keys (default: ~/.ssh/id_{rsa/dsa}.pub and ~/.ssh/id_{rsa/dsa}).
2. Send the public key to the machine running the SSH server.
   1. This can be done through email, any other medium, or using the ssh-copy-id program.
   2. Add the public key to the user's ~/.ssh/authorized_keys.
   3. Putting the public key in the authorized_keys file allows you to log in to the account without needing the user's account password.
3. Making the connection
   1. Once the steps above are done, you can connect to the SSH server using any SSH client.
   2. Simple SSH example:
      ssh user@server.com
      ssh server.com -l user
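When a public key arrives by email (step 2), its fingerprint should be confirmed with the owner over another channel before it goes into authorized_keys. The following Python sketch is an added example, not part of the original slides: it parses one public-key line, checks that the declared type matches the key blob, computes the SHA256 fingerprint in the form `ssh-keygen -l` prints, and appends the key with restrictive permissions. The sample key is constructed dummy data, and the function names are this example's own.

```python
"""Check a received SSH public key's fingerprint before authorizing it."""
import base64
import hashlib
import os
import struct
import tempfile


def ssh_string(data):
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack("!I", len(data)) + data


def build_sample_line():
    """Constructed 'ssh-rsa' line with dummy numbers; not a usable key."""
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + bytes(range(1, 129))))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " alice@example.org"


def parse_public_key(line):
    """Split a .pub line into (type, raw blob, comment) and sanity-check it."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack("!I", blob[:4])
    # The blob starts with its own algorithm name; it must agree with the line.
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return key_type, blob, comment


def fingerprint(blob):
    """SHA256 fingerprint in the form printed by ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorize(line, expected_fp, ssh_dir):
    """Append the key to authorized_keys only if its fingerprint matches.

    expected_fp is the value the key owner confirmed out of band.
    Returns 'added', 'already present' or 'fingerprint mismatch'.
    """
    key_type, blob, comment = parse_public_key(line)
    if fingerprint(blob) != expected_fp:
        return "fingerprint mismatch"
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # sshd (StrictModes) refuses loosely-permissioned paths
    path = os.path.join(ssh_dir, "authorized_keys")
    entry = f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()
    if os.path.exists(path):
        with open(path) as fh:
            if any(l.split()[:2] == entry.split()[:2] for l in fh if l.strip()):
                return "already present"
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        os.fchmod(fd, 0o600)
        fh.write(entry + "\n")
    return "added"


if __name__ == "__main__":
    sample = build_sample_line()
    fp = fingerprint(parse_public_key(sample)[1])
    print("fingerprint to confirm with the key owner:", fp)
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, ".ssh")
        print(authorize(sample, "SHA256:" + "A" * 43, target))
        print(authorize(sample, fp, target))
        print(authorize(sample, fp, target))
```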
SSH Configuration
• The configuration file for each user is $HOME/.ssh/config; the global configuration is in /etc/ssh/ssh_config.
• The SSH configuration file has a separate segment for each host, and each line is in the format
Keyword Value
• The options for a host start at a Host keyword and end at the next Host keyword.
• SSH configuration helps in restricting access to the SSH server.
SSH Configuration
• Host:
▫ Restricts the options to a given host; can accept patterns ('*' and '?').
▫ IP address or name of the host.
• Cipher:
▫ Defines the cipher to be used for encryption.
▫ Supported: "blowfish", "3des", and "des". Default: 3des
• Compression:
▫ Whether to use compression or not.
▫ "yes" or "no". Default: "no"
• IdentityFile:
▫ Where to take the user's private keys from.
• Port:
▫ Which port is to be used for the connection.
▫ Default: 22
• TCPKeepAlive:
▫ Specifies whether to send TCP KeepAlive messages.
▫ Helps in identifying a server/client crash. Default: "yes"
• User:
▫ Sets the default user to log in as.
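To see which options actually apply to a given host, the Host segments have to be evaluated in file order. The following Python sketch is an added example, not part of the original slides: it parses the `Keyword Value` format, resolves the effective options for one host (in ssh_config the first value found for a keyword wins, so specific Host segments go before `Host *`), and flags the legacy Cipher values listed above. The sample configuration, host names and the `WEAK_CIPHERS` policy set are constructed for illustration.

```python
"""Resolve ssh_config-style options for a host and flag weak settings."""
from fnmatch import fnmatchcase

# Constructed sample in the "Keyword Value" format; not a real configuration.
SAMPLE_CONFIG = """\
# per-host segments first
Host build-*.example.org
    User deploy
    Port 2222
    Cipher des
    IdentityFile ~/.ssh/id_rsa_build

Host legacy.example.org
    Cipher 3des
    Compression yes

# defaults for every host go last
Host *
    User admin
    Port 22
    TCPKeepAlive yes
"""

# Cipher values named on the slide; treated as legacy by this example's policy.
WEAK_CIPHERS = {"des", "3des", "blowfish"}


def parse_segments(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order."""
    segments = [(["*"], [])]  # options before the first Host apply to all hosts
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {number}: expected 'Keyword Value'")
        keyword, value = parts[0].lower(), parts[1].strip()  # keywords ignore case
        if keyword == "host":
            segments.append((value.split(), []))  # a new segment starts here
        else:
            segments[-1][1].append((keyword, value))
    return segments


def resolve(hostname, segments):
    """Collect options from every matching segment; the first value wins."""
    effective = {}
    for patterns, options in segments:
        # fnmatchcase handles the '*' and '?' wildcards used in Host patterns.
        if any(fnmatchcase(hostname, pattern) for pattern in patterns):
            for keyword, value in options:
                effective.setdefault(keyword, value)
    return effective


def audit(hostname, text=SAMPLE_CONFIG):
    """Return (effective options, findings) for one host."""
    effective = resolve(hostname, parse_segments(text))
    findings = []
    cipher = effective.get("cipher")
    if cipher is not None and cipher.lower() in WEAK_CIPHERS:
        findings.append(f"weak cipher: {cipher}")
    return effective, findings


if __name__ == "__main__":
    for host in ("build-7.example.org", "legacy.example.org", "www.example.org"):
        options, problems = audit(host)
        print(host, options, problems or "ok")
```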
IPsec
• IP Security (IPsec) incorporates network security directly into IP.
• IPsec is integrated into IPv6.
• It has been backported to IPv4.
• It lets the kernel itself encrypt and authenticate packets sent over the network.
• It can be used over LAN, WAN and the Internet.
Downside of traditional IP
• Traditional IP exposes the headers of each packet.
• Anyone can resend a packet with malicious information.
• Anyone can trap packets and check the contents.
• The original message can be trapped, modified and retransmitted.
• Only the payload can be encrypted (application specific), e.g. HTTPS.
IPsec over Traditional IP
• Built on traditional IP
• Provides authentication using Hash Message Authentication Code (HMAC)
• Provides encryption using Encapsulating Security Payload (ESP)
• Prevents retransmission using a sliding window mechanism
• Prevents bare IP headers in tunnel mode
• IPsec can be used in 2 modes:
▫ Transport mode: communication between two hosts
▫ Tunnel mode: communication between two networks
Source: http://www.ipsec-howto.org/ipsec-howto.pdf
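The sliding window mechanism named above, as an added Python example (not part of the original slides). It models the usual receiver-side check for one SA: remember the highest sequence number accepted and a bitmap of the numbers seen just below it, then classify every arriving number. The window size of 32 and the sample sequence are constructed.

```python
"""Receiver-side anti-replay window for one IPsec SA (simplified model)."""


class ReplayWindow:
    def __init__(self, size=32):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return 'accept', 'replay' or 'too_old' and record accepted numbers.

        A real receiver runs this only after the packet's HMAC has been
        verified, so a forged sequence number cannot move the window.
        """
        if seq <= 0:
            return "too_old"               # sequence numbers start at 1
        if seq > self.top:                 # new right edge: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1            # everything previously seen fell out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"               # left of the window: cannot be checked
        if self.bitmap & (1 << offset):
            return "replay"                # already seen inside the window
        self.bitmap |= 1 << offset         # late but new: mark as seen
        return "accept"


def classify(sequence_numbers, size=32):
    """Run a list of arriving sequence numbers through a fresh window."""
    window = ReplayWindow(size)
    return [window.check_and_update(seq) for seq in sequence_numbers]


# Constructed arrival order: in-order packets, one reordered packet (4),
# two retransmitted packets (3 and 5), a jump ahead (40) and stragglers.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 5, 40, 8, 9, 40, 39]


if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_ARRIVALS, classify(SAMPLE_ARRIVALS)):
        print(f"seq {seq:>3}: {verdict}")
```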
Elements of IPsec
Security Association
• All information needed to encapsulate and decapsulate an IP datagram is stored in a Security Association (SA), which in turn is stored in the Security Association Database (SAD).
• An SA consists of:
▫ Source and destination IP address
▫ IPsec protocol (AH or ESP)
▫ Algorithm and secret key used by IPsec
▫ Security Parameter Index (SPI) to identify the SA
• Each SA is unidirectional.
• SAs can be added to the SAD using the setkey tool.
Example
# AH SAs
add 192.168.1.100 192.168.2.100 ah 15700 -A hmac-md5 "secret key";
# ESP SAs
add 192.168.1.100 192.168.2.100 esp 15701 -E 3des-cbc "secret key";
• Here -A is the authentication algorithm and -E is the encryption algorithm.
Elements of IPsec
Security Policy
• To define which information is to be protected, a Security Policy (SP) is defined, which is stored in the Security Policy Database (SPD).
• An SP consists of:
▫ Source and destination address (same for transport mode, may differ in tunnel mode)
▫ Protocol or port to be secured
▫ Security association to be used for protection
• An SP can also be added to the SPD using setkey.
Example
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
    esp/transport//require
    ah/transport//require;
• The command requires the source and destination IP addresses of the packets to be protected, the protocol (and port) to protect (any) and the policy to use (-P).
• The policy specifies the direction (in/out), the action to apply (ipsec/discard/none), the protocol (ah/esp/ipcomp), the mode (transport) and the level (use/require).
IPSec protocols
Authentication Header (AH)
• AH uses hashing algorithms like SHA, MD5, etc.
• AH uses the algorithm and secret code defined in the SA to calculate the digest.
• The digest is calculated on the immutable IP headers and the payload.
• The resultant digest is called the Hash Message Authentication Code (HMAC).
• The HMAC and the SPI are sent along with the original packet.
• AH cannot be used on NAT.
Encapsulating Security Payload (ESP)
• ESP provides integrity and confidentiality.
• ESP uses the algorithm defined in the SA to first encrypt the payload using the secret key.
• The encrypted payload is then digested using a hash algorithm.
• ESP does not use the source and destination addresses of the packets while calculating the HMAC, and thus can work on NAT as well.
• In both protocols a symmetric key is used, which poses a threat that is solved using the Internet Key Exchange (IKE) mechanism.
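Why the AH digest breaks under NAT while the ESP digest survives, as an added Python illustration (not part of the original slides). It is a simplified model: AH computes its HMAC over the addresses plus the payload, ESP encrypts first and computes its HMAC over the SPI, sequence number and ciphertext only. The packet layout, keys, the public NAT address and the toy stream cipher are constructed stand-ins, not the real wire format or a real IPsec cipher.

```python
"""Simplified model of AH and ESP integrity coverage (not the wire format)."""
import hashlib
import hmac
import ipaddress
import struct

AUTH_KEY = b"constructed-auth-key"   # stands in for the SA's secret key
ENC_KEY = b"constructed-enc-key"     # stands in for the SA's encryption key


def keystream_xor(key, spi, seq, data):
    """Toy stream cipher (SHA-256 in counter mode); stand-in for 3des-cbc etc."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def ah_icv(src, dst, spi, seq, payload):
    """AH: HMAC over immutable header fields (here both addresses) and payload."""
    covered = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
               + struct.pack("!II", spi, seq) + payload)
    return hmac.new(AUTH_KEY, covered, hashlib.sha256).digest()


def ah_protect(src, dst, spi, seq, payload):
    return {"src": src, "dst": dst, "spi": spi, "seq": seq,
            "payload": payload, "icv": ah_icv(src, dst, spi, seq, payload)}


def ah_verify(pkt):
    expected = ah_icv(pkt["src"], pkt["dst"], pkt["spi"], pkt["seq"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def esp_icv(spi, seq, ciphertext):
    """ESP: HMAC over SPI, sequence number and ciphertext; no IP addresses."""
    covered = struct.pack("!II", spi, seq) + ciphertext
    return hmac.new(AUTH_KEY, covered, hashlib.sha256).digest()


def esp_protect(src, dst, spi, seq, payload):
    ciphertext = keystream_xor(ENC_KEY, spi, seq, payload)   # encrypt first
    return {"src": src, "dst": dst, "spi": spi, "seq": seq,
            "payload": ciphertext, "icv": esp_icv(spi, seq, ciphertext)}


def esp_verify_and_decrypt(pkt):
    """Return the plaintext, or None if the HMAC does not match."""
    expected = esp_icv(pkt["spi"], pkt["seq"], pkt["payload"])
    if not hmac.compare_digest(expected, pkt["icv"]):
        return None
    return keystream_xor(ENC_KEY, pkt["spi"], pkt["seq"], pkt["payload"])


def nat_rewrite(pkt, public_src):
    """What a NAT device does: replace the source address, nothing else."""
    return dict(pkt, src=public_src)


def tamper(pkt):
    """Flip one bit of the payload in transit."""
    data = bytearray(pkt["payload"])
    data[0] ^= 0x01
    return dict(pkt, payload=bytes(data))


def demo():
    """Addresses and SPIs reuse the slide's setkey example; the rest is constructed."""
    src, dst, public = "192.168.1.100", "192.168.2.100", "203.0.113.7"
    ah = ah_protect(src, dst, 15700, 1, b"ping")
    esp = esp_protect(src, dst, 15701, 1, b"ping")
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite(ah, public)),
        "ah_tampered": ah_verify(tamper(ah)),
        "esp_after_nat": esp_verify_and_decrypt(nat_rewrite(esp, public)),
        "esp_tampered": esp_verify_and_decrypt(tamper(esp)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>14}: {result}")
```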
Traditional TCP/IP packets
[Figure panels: "Using SSL (HTTPS)" and "Without SSL (Plain HTTP)"]
IPsec packets
[Figure: Using AH and ESP in transport mode]
IPsec key exchange using racoon
• Setting up racoon (an IKE client) for a pre-shared key (PSK) configuration
1. Set up the SP using setkey (SAs are not required; they are set up by racoon).
2. Set up the PSK file.
   1. The file is generally located in /etc/racoon/psk.txt.
   2. The PSK file is arranged in columns, where the first column is the identifier and the second column is the key.
   3. You should not share the PSK file with everyone.
3. Set up the racoon.conf file.
   1. The file is generally located in /etc/racoon/racoon.conf.
   2. The file is arranged in paragraphs.
   3. Set up the necessary listen, remote and sainfo paragraphs.
4. Test the racoon config using racoon -F -f /etc/racoon/racoon.conf
5. Share the setkey.conf, psk.txt and racoon.conf with the participants.
Sample settings
[Figures: psk.txt, racoon.conf, setkey.conf]
Key exchange using IKE
[Figure: Few packets trapped during a ping request]