User And Physical Security

Master on Free Software

User and physicalsecurity

Alberto Garcia Gonzalez<[email protected]>

mailto:[email protected]


Introduction to cryptography


Cryptography

● Used to protect information from unauthorized access.

● Basic requirements:● Confidentiality● Integrity● Availability● Authenticity● Non-repudiation

● Several mechanisms used to achieve these goals


Symmetric-key cryptography

● Uses a single key to encrypt and decrypt data● Keys are usually small● Algorithms are usually very fast● If A sends a message to B, B must know the key in advance

● A different key is needed for each pair of users● Examples: DES, AES, Blowfish, CAST5


Public-key cryptography

● Different keys are used to encrypt and decrypt● Keys are usually large● Algorithms are usually very slow● Solves the need of having keys for each pair of users

● Can be used for confidentiality and/or authenticity

● Examples: RSA, ElGamal


Hybrid cryptography

● Symmetric-key cryptography has the key distribution problem

● Public-key cryptography is very slow● Hybrid cryptography combines both methods:

● A random symmetric key is created to encrypt the message

● The key is sent with the message using public-key cryptography

● The public key still has to be sent using a secure channel


Hash functions

● Used to check the integrity of a message (among other uses).

● Returns a value 'h' for any given message 'm'.● All values have the same size.


Cryptographic hash functions

● Small changes in the input give a very different output.

● Given 'h', it should be hard to find 'm' such that hash(m) = h.

● Given 'm1', it should be hard to find 'm2' such that hash(m1) = hash(m2).

● Hard to find 'm1' and 'm2' with the same hash.


MD5 and SHA-1

● Very widespread hash functions● Used in many authentication systems● Output is 128 and 160 bits respectively● System tools md5sum and sha1sum available● Not recommended anymore for strong cryptography

● Superseded by SHA-256 and others


Digital signature

● Provides authentication and non-repudiation● A hash of the message is sent along with it● The hash is encrypted using the sender's private key

● The hash can be decrypted with the sender's public key


Cryptographic tools andnetwork security


PGP: Pretty Good Privacy

● Software for secure communication and data storage

● Written by Phil Zimmermann in 1991● Uses hybrid cryptography● Allows authentication using digital signatures


GnuPG

● GNU Privacy Guard● Implementation of the PGP standard under the GNU GPL

● Can also encrypt single files with symmetric-key algorithms

● Front-ends: Seahorse, Kgpg, ...● Integrated in many e-mail clients


PGP key

● Consist on a public and a private key● Each key has user info (name, e-mail, ...)● Web of trust: a key can be signed by other users to confirm that it's legitimate

● A key can have an expiration time● A key can be revoked if compromised or no longer used

● Public keys are stored in key servers


SSL/TLS

● Cryptographic protocols for internet communications

● The SSLv3 protocol was superseded by TLS● Based on hybrid cryptography● Used in many application protocols: HTTPS, SMTP, XMPP, ...

● Public keys distributed as X.509 certificates● Hierarchical system to validate certificates: CAs● Certificate metadata: name, validity, e-mail, ...


OpenSSL

● Implementation of the SSL/TLS protocols● Very widely used● Includes software to:

● Create certificates and private keys● Encrypt data● Establish secure connections


SSH: Secure SHell

● Secure protocol to open remote shells● Connection layer similar to SSL/TLS● Different authentication methods: password, public-key, ...

● Extended features:● Transfer files (sftp, scp, rsync)● Port forwarding (ssh -L, ssh -R)● X11 forwarding● Socks proxy● VPN


VPN: Virtual Private Network

● Formed by machines physically divided in several networks

● VPNs are usually encrypted and authenticated● Many different kinds of VPNs:

● IPsec: protocols to add security to IP● OpenVPN: user-space VPN software for Unix and Windows


OpenVPN

● User-space VPN software● Very easy to use and configure● Flexible and secure● Can work with tcp, udp, and http proxies● Works with Unix and Win32


IPsec

● Set of protocols to add security to IP● Extension to IPv4, standard in IPv6● Implemented in many routers● Complex protocol, interoperability problems● Can work in transport or tunnel mode

● AH/ESP protocols: kernel space (standard in Linux 2.6)

● Key management/negotiation: user space (Openswan, ipsec-tools, ...)


The boot process andthe UNIX password system


PC boot process

● The BIOS initializes the computer and looks for a bootable device

● The boot sector is loaded (MBR):● Simple MBR: active partition is booted● Boot loader (GRUB, LILO): a boot menu appears.


Protecting the BIOS

● Disable alternate booting methods (network, floppy, CD, ...)

● BIOS can be protected using a password● Useful to avoid some basic attacks● Not a real solution to protect the system:

● BIOS can be reseted● Hard disks can be physically removed


Linux boot process

● The boot loader loads the kernel into memory● The kernel is booted, hardware is detected● The kernel runs the init command (/sbin/init, see init/main.c)

● init launches all services and shows the login screen


Altering Linux boot process

● Most boot loaders allow passing parameters to the kernel

● The 'init' parameter overrides the default /sbin/init

● Thus, it is possible to change the boot process● Boot loaders usually can be protected with a password

● Examples: GRUB, LILO


UNIX password system

● On UNIX systems, user data is stored in /etc/passwd

● Includes user name, user ID, group ID, home directory and shell

● File is readable by everyone● It can include the encrypted password (if /etc/shadow is not used)

● man 5 passwd


The crypt(3) function

● Function to store passwords in /etc/passwd● It creates a cryptographic hash of the password● Algorithms: DES, MD5, Blowfish, ...● A random string ("salt") is appended to the password.


Breaking the UNIX password system

● Boot using /bin/sh instead of /sbin/init● Or boot from another partition (or rescue disk)● Edit password from /etc/passwd or /etc/shadow● Leave it blank● Boot the system again and login with no password


Encrypted filesystems


Encrypted filesystems

● Used to protect the data in a computer● Can be implemented either in software or hardware

● Many different implementations, no single standard:

● LUKS● Truecrypt● EncFS


Disk encryption features

● Plausible deniability:● Hidden volume● No identifying features

● Resizable volumes


Standard partitions to encrypt

● User data (/home)● Swap space● Temporary files● Program data, databases (/var)● Alternatively: full disk encryption


EncFS

● Userspace (FUSE) encrypted filesystem● Created on top of existing filesystems● Doesn't need to be resized● Very easy to use● Problems: ability to see the number of files, permissions, approximate size, etc.


LUKS

● Kernel-based disk encryption software● Specifies a standard disk format for encrypted partitions

● Supports multiple keys● Secure passphrase revocation● Available for Windows


cryptsetup

● Utilities to manage encrypted filesystems● Support for LUKS● File /etc/crypttab, similar to fstab


User authentication


PAM

● Pluggable Authentication Modules● Provide different authentication systems● Apps independent of the authentication scheme● PAM files in /etc/pam.d


PAM rule types

● account: Checks whether the account exists and it has access to the current service

● auth: Authenticate the user (normally using a password)

●password: update the authentication mechanism

● session: tasks to do before and after using the service


PAM control values

● required: if module fails, all other modules are tested but the process fails

● requisite: if module fails, return immediately● sufficient: if module succeeds, return immediately

●optional: module is evaluated, but it is ignored if it fails


Some basic PAM modules

● pam_unix: traditional password authentication (/etc/passwd)

● pam_securetty: root can only login from secure ttys

● pam_access: Restrict logins using a set of rules● pam_limits: Limit resources to the user (cpu time, memory, etc)

● pam_group: Give users access to certain groups in this session


Some advanced PAM modules

● pam_mount: mount filesystems upon login● pam_pwdfile: authenticate users using a text file

● pam_cracklib: prevents users from having weak passwords

● pam_thinkfinger: uses the fingerprint reader of some ThinkPads

● pam_ldap: authenticate using a LDAP directory● pam_mysql: authenticate using a MySQL database


File permissions


File permissions

● Define who can access a file or dir● Divided into read, write or execute● Different permissions:

● File owner● File group● Rest of users● setuid/setgid/sticky bits


Permissions on regular files

● Read: open a file and read its contents● Write: modify the contents of a file● Execute: execute a file


Permissions on directories

● Read: list the contents of a directory● Write: alter its contents (create, rename and delete files)

● Execute: enter a directory


setuid/setgid/sticky bits

● Bits to alter the behaviour of a file or dir● Setuid/Setgid files: executed as the owner or group of the file

● Setgid (not setuid) dirs: files created inherit the group

● Sticky bit dir: files can only be deleted by their owners

● Sticky bit file: deprecated


Changing ownerships

● chown newuser file● chown newuser:newgroup file● chgrp newgroup file


Changing permissions

● chmod mode file1 file2 ...● Octal: chmod 0755 file● Symbolic: chmod u=rwx,g+x,o-rwx file● Recursive: chmod -R mode file1 file2 ...


System services


System services

● Daemons, processes that run in the background

● Some of them listen to internet connections● Open services are vulnerable to external attacks

● Unused services should be disabled● All other services should be restricted


netstat

● Used to list network services● netstat -pnltu

● -p: show process name● -n: show ip address instead of name● -l: show listening sockets● -t: show tcp sockets● -u: show udp sockets


Inetd

● Super server that handles several services● Usually for services that don't receive many connections

● Configuration file in /etc/inetd.conf● Other similar servers: xinetd, micro-inetd, ...


Other services

● Started from /etc/init.d scripts● Some are configurable in /etc/default● Others cannot be disabled without uninstalling

Technology

User And Physical Security