Cryptography: Difference between revisions
Revision as of 03:09, 13 October 2005
Cryptography is the method for distorting plain text so that it is unreadable by anyone other than the intended recipient, for example someone who is using a packet sniffer (see bpf) to listen in on network communication. Only if this third party knows the secret key to the ciphertext will they break the encryption and be able to see the plaintext. We highly recommend anyone using plain text protocols these days to use their free, open source, equivalents.
Cryptography found in UNIX
One way hashing
The UNIX programmers implemented a one-way hash of DES to "encrypt" passwords as part of the crypt(3) function. It was impossible to decrypt these passwords since they were a modified version of DES, so in order to know whether someone had the right password, the plain text would be encrypted and the result compared with the hash in the password database; if they matched, the user would be granted access. As computers became faster, so did the speed at which DES could be cracked. In 2005, an amd64 3500+ running OpenBSD using the system's crypt(3) functions can hash 121,000 passwords in 1 second. So a slower hash algorithm was needed, and one that could take more than 8 characters for the passwords. Many operating systems have implemented MD5 hashing, which does 1880 crypts per second on the aforementioned OpenBSD system. OpenBSD went even further and designed an interesting hash of blowfish that has a variable setting for rounds, where blowfish will encrypt the hash with the string "OrpheanBeholderScryDoubt" 64 times per round. The result is that with 12 rounds a crypt will do 2 passwords in 1 second.
One-way hashing wasn't confined to just passwords. With the md5 and sha1 as well as the rmd160 commands, one can make a cryptographic hash sum (or fingerprint) of a file or text in the system. For example, if you want to ensure a file or directory has not been altered, you can put the checksum onto read-only media (e.g. print it on paper or burn it onto a CD). Whenever you run the checksum program against the same file or directory, you should get the same results unless something has been altered. If this topic interests you, tripwire is popular software you'll want to read more about.
Symmetric cryptography
True private key cryptography was also present with the bdes and the openssl commands which could encrypt files with a variety of ciphers. Some well known ciphers are DES, AES, blowfish, CAST128 and Arcfour. Many ciphers are imported through the openssl library.
Public Key cryptography
Also called asymmetric cryptography. It uses 2 or more keys, usually one that's private and one that's public, which is publicly known. Ciphers include Diffie-Hellman (DH) and RSA. GPG, a program to encrypt mail on the OSI application layer, uses this.
Symmetric / Asymmetric Hybrids
This method is used in OSI session layer communication. A public-key exchange takes place to agree on a random session key for a symmetric cipher, and all data that follows is encrypted with it. This is used extensively in ssh and most SSL-enabled software.
Cheap cryptography
Rotational Ciphers based on the alphabet are CHEAP. Often used by Usenet trolls who think that the people they troll don't have a clue what they are talking about.
$ echo OrpheanBeholderScryDoubt | /usr/games/rot13
BecurnaOrubyqreFpelQbhog
rot13 is probably good to keep data safe from your 7 year old sister.
Another lovely and sucky type of cryptography is the XOR method, although XOR used as a one-time pad is probably secure. Here is an example of a typical XOR encryption (the xortext.c program is also available):
$ cat /etc/passwd | ./xortext blah | hexdump -C | head
00000000  10 03 0e 1c 58 46 5b 58  58 5c 5b 2b 0a 0d 13 04  |....XF[XX\[+....|
00000010  0b 09 41 4e 4e 40 4d 52  4d 1e 0e 07 16 56 4e 0a  |..ANN@MRM....VN.|
00000020  0b 02 4e 1b 0a 66 05 09  07 01 0e 06 58 46 5b 59  |..N..f......XF[Y|
00000030  58 5d 5b 3c 0a 09 41 0c  07 1a 08 04 42 04 08 05  |X][<..A.....B...|
00000040  11 09 0d 0e 58 43 13 07  0d 18 5b 47 11 0e 08 06  |....XC....[G....|
00000050  4d 02 0e 04 0d 0b 08 06  68 03 11 0d 10 0d 15 07  |M.......h.......|
00000060  10 56 4b 52 50 56 54 52  31 15 12 1c 07 01 41 4e  |.VKRPVTR1.....AN|
00000070  58 43 0e 18 07 1e 00 1c  0d 1e 5b 47 11 0e 08 06  |XC........[G....|
00000080  4d 02 0e 04 0d 0b 08 06  68 0e 08 06 58 46 5b 5b  |M.......h...XF[[|
00000090  58 5b 5b 2a 0b 02 00 1a  0b 09 12 48 21 03 0c 05  |X[[*.......H!...|
Surprisingly some companies employ XOR cryptography in their products. Very sad.
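Why a short repeating key gives no protection, shown as an added example (this is not the xortext.c program from this page). It assumes xortext XORs its input with the key repeated cyclically, takes the first 16 bytes of the hexdump above, and guesses that /etc/passwd begins with "root"; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* First 16 ciphertext bytes, copied from the hexdump on this page. */
static const unsigned char PAGE_CT[16] = {
    0x10, 0x03, 0x0e, 0x1c, 0x58, 0x46, 0x5b, 0x58,
    0x58, 0x5c, 0x5b, 0x2b, 0x0a, 0x0d, 0x13, 0x04 };

/* XOR n bytes with the key repeated cyclically (assumed xortext behaviour).
 * The same call encrypts and decrypts. */
void xor_repeat(const unsigned char *in, size_t n,
                const unsigned char *key, size_t klen, unsigned char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % klen];
}

/* ciphertext XOR known plaintext = keystream. Writes n keystream bytes to ks
 * and returns their shortest period: the key length when the key repeats
 * inside the known bytes, n when no repetition is visible. */
size_t keystream_from_known(const unsigned char *ct, const unsigned char *pt,
                            size_t n, unsigned char *ks)
{
    for (size_t i = 0; i < n; i++)
        ks[i] = ct[i] ^ pt[i];
    for (size_t p = 1; p < n; p++) {
        size_t i = p;
        while (i < n && ks[i] == ks[i - p])
            i++;
        if (i == n)
            return p;
    }
    return n;
}

int main(void)
{
    unsigned char ks[4], plain[17] = {0};
    /* Guess: /etc/passwd conventionally starts with the root entry. */
    size_t klen = keystream_from_known(PAGE_CT, (const unsigned char *)"root", 4, ks);
    xor_repeat(PAGE_CT, sizeof PAGE_CT, ks, klen, plain);
    printf("key=%.*s plaintext=%s\n", (int)klen, (const char *)ks, (const char *)plain);
    return 0;
}
```

With a one-time pad the same four known bytes would expose only four pad bytes, because no part of the pad is ever reused for the rest of the message.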
IPsec
IPsec (outlined in RFC 2401) is a security enhancement to the IP and IPv6 protocols in Internet communication. Since IPsec is a combination of hashing, symmetric cryptography, and asymmetric cryptography, it's proper to make this a separate section outlining all functions of the protocol here.
IPsec has three protocols: Authenticated Header (AH), Encapsulating Security Payload (ESP), and IP Compression (IPComp). In short, AH adds a one-way hash to the header, ensuring integrity of the payload. ESP encrypts the payload following the IPsec header, making it safer from sniffing.
OpenBSD has a built-in IPsec stack. It has a daemon called isakmpd which speaks ISAKMP/Oakley, a.k.a. IKE, the key management protocol used for establishing security associations (private encryption keys) between peers.