Complete Referance of Encryption in Linux Security

Posted by

  • Introduction to Encryption
  • Using GNU GPG
  • Using SSH
  • Hashing Utilities
  • Using PKI Certificates in Linux

Introduction to Ecryption

  • Linux has built-in ability to encrypt files
  • Protects files in storage
  • Protection during transmission
  • Uses common standard algorithms
  • MD5 & SHA for Hashing
  • 3DES & AES for data encryption
  • Supports many other algorithms as well
  • PKI enabled
  • OS can generate self-signed certificates
  • Can use 3rd party generted certs

Using GNU GPG

  • GNU Privacy Guard comes built-in with most distros
  • Complete implementation of the OpenPGP Internet tandard a described in RFC 2440
  • Most popular personal encryption package
  • Ability to encrypt and digitally sign files
  • Used to send secure email messages
  • Used to encrypt files in storage
  • Uses DSA, EIGamal, 3DES and Twofish as encryption algorithms
  • Many other algorithms also supported
  • Some algorithms not legal for export outside US – obtain from International sites
  • First step is to generate a key pair (one public, one private)
  • Command to generate is ‘gpg –gen-key’
  • Use higher key length – minimum is 768
  • Enter user name and email address – key is generated baed upon this info
  • Enter password that will be used – use complex password rules
  • Export public key so others may exchange data securely with you
  • Other public keys can be imported as well
  • Sign your public keys before issue so others will know they are valid, and only accept signed keys from others
  • Encrypt data to send to others
  • Decrypring involves receiving and converting encrypted file
  • Digitally sign all encrypted files to verify they came from you
  • GPG has both command and GUI utilities
  • Use ‘gpg’ command with various options,performs all encryption/descryption tasks
  • GPG Demonstration

Using Secure Shell

  • Secure Shell(SSH) developed to protect communications
  • Telnet and FTP do not encrypt data; passwords and login info pased as plaintext
  • ‘r’ commands(rlogin, rsh, rcp, and rdist) also insecure
  • SSH developed to take their place and encrypt all data during communications session
  • SSH can also be used over X-windows
  • SSH allows remote login as root to perform system maintenance tasks
  • Several versions available, including SSH Tectia, OpenSSH, F-secure, and Reflection for Secure IT
  • OpenSSH is most popular in Linux distros
  • RSA authentication or conventional password based authentication can be used
  • Secure Shell then opens up a user program or interactive shell
  • Current version of OpenSSH is OpenSSH 8.7/8.7p1
  • SSH uses 2 protocol versions, 1 and 2
  • Version 1 is insecure due to integer overflow vulnerabilities
  • Use SSH implementation with version 2 protocol instead

Hashing Utilities

  • Hashed are produced to ensure file integrity
  • Ensure file has not been altered
  • Slightest alteration changes hash and indicates a file change
  • Hashing is method of verifying installation files and packages, as well as system files
  • Hashing also encrypts password
  • Actual passwords not stored,but hashes are stored
  • User enters password, which is hashed
  • Matching hash from /etc/shadow indicates correct password
  • Linux uses 2 major hashing algorithms
  • SHA(160-bit and higher)
  • MD5(Message Digest version 5) 128-bit
  • SHA is newer and stonger algorithm
  • Available in 160-bit, (SHA-1), 224, 256, and 512-bit versions (SHA-2)
  • Successor to MD5; required for US govt applications under FIPS 180-2
  • SHA2 preferred due to identified collision vulnerabilities in SHA1
  • Built-in Linux SHA utilities include:
  • sha1sum: computes and checks message digest(hash) for file
  • dgst: older utility that computes hashes using sha1 or md5
  • MD5 is older(but still widely used) hashing algorithm
  • Developed by Ron Rivest and replaced earlier algorithm MD4
  • 128-bit strength algorithm
  • Discovered to be vulnerable due to collision problems
  • MD5 utilities include:
  • md5sum: computes or checks hash value of file
  • md5crypt: encrypts a password for use in Grub boot loader

Using PKI Certificates in Linux

  • Linux has built-in ability to use and generate digital certificates
  • Used for variety of purposes:
  • Secure trasactions, web site verification, user authentication, and software sigining
  • Linux can use trusted certificates from 3rd parties
  • Can self-generate its own certifictes
  • Use ‘genkey’ command to generate SSL certificates and cert requests