10 results back to index
Linux Security Cookbook by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
Additionally, applications needn't be recompiled to change their authentication behavior: just edit a PAM configuration file (transparent to the application) and you're done. Secure Sockets Layer (SSL) A network protocol for reliable, bidirectional, byte-stream connections. It provides cryptographically assured privacy (encryption), integrity, optional client authentication, and mandatory server authentication. Its authentication relies on X.509 certificates: data structures that bind an entity's public key to a name. The binding is attested to by a second, certifying entity, by means of a digital signature; the entity owning the public key is the certificate's subject , and the certifying entity is the issuer. The issuer in turn has its own certificate, with itself as the subject, and so on, forming a chain of subjects and issuers. To verify a certificate's authenticity, software follows this chain, possibly through several levels of certificate hierarchy, until it reaches one of a set of built-in, terminal (self-signed ) certificates marked as trusted by the user or system.
Recipe 4.10 Converting SSL Certificates from DER to PEM 4.10.1 Problem You have an SSL certificate in binary format, and you want to convert it to text-based PEM format. 4.10.2 Solution $ openssl x509 -inform der -in filename -out filename.pem 4.10.3 Discussion It may happen that you obtain a CA certificate in a different format. If it appears to be a binary file (often with the filename extension .der or .crt), it is probably the raw DER-encoded form; test this with: $ openssl x509 -inform der -text -in filename DER stands for Distinguished Encoding Rules, an encoding for ASN.1 data structures; X.509 certificates are represented using the ASN.1 standard. The openssl command uses PEM encoding by default. You can convert a DER-encoded certificate to PEM format thus: $ openssl x509 -inform der -in filename -out filename.pem 4.10.4 See Also openssl(1). Recipe 4.11 Getting Started with Kerberos 4.11.1 Problem You want to set up an MIT Kerberos-5 Key Distribution Center (KDC). 4.11.2 Solution Confirm that Kerberos is installed; if not, install the necessary Red Hat packages: $ rpm -q krb5-server krb5-workstation Add /usr/kerberos/bin and /usr/kerberos/sbin to your search path.
Recipe 8.14 Securing POP/IMAP with stunnel and SSL 8.14.1 Problem You want to read mail on a POP or IMAP mail server securely. Your mail client supports SSL, but the mail server does not. 8.14.2 Solution Use stunnel, installed on the mail server machine. Suppose your client host is myclient, the mail server host is mailhost, and the mail server listens on standard port numbers (110 for POP, 143 for IMAP). Generate a self-signed X.509 certificate foo.crt, with private key in foo.key. [Recipe 4.8] Place the certificate and key into a single file: $ cat foo.crt foo.key > foo.pem $ chmod 600 foo.pem Choose an arbitrary, unused TCP port number on mailhost, such as 12345. Run this stunnel process on mailhost for a POP server, supplying the certificate's private-key passphrase when prompted: mailhost$ /usr/sbin/stunnel -p foo.pem -d 12345 -r localhost:110 -P none -f 2003.03.27 15:07:08 LOG5[621:8192]: Using 'localhost.110' as tcpwrapper service name Enter PEM pass phrase: ******** 2003.03.27 15:07:10 LOG5[621:8192]: stunnel 3.22 on i386-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001 2003.03.27 15:07:10 LOG5[621:8192]: FD_SETSIZE=1024, file ulimit=1024->500 clients allowed For an IMAP server, use port 143 instead of 110.
Beautiful security by Andy Oram, John Viega
Albert Einstein, Amazon Web Services, business intelligence, business process, call centre, cloud computing, corporate governance, credit crunch, crowdsourcing, defense in depth, Donald Davies, en.wikipedia.org, fault tolerance, Firefox, loose coupling, Marc Andreessen, market design, Monroe Doctrine, new economy, Nicholas Carr, Nick Leeson, Norbert Wiener, optical character recognition, packet switching, peer-to-peer, performance metric, pirate software, Robert Bork, Search for Extraterrestrial Intelligence, security theater, SETI@home, Silicon Valley, Skype, software as a service, statistical model, Steven Levy, The Wisdom of Crowds, Upton Sinclair, web application, web of trust, x509 certificate, zero day, Zimmermann PGP
This is a great incentive for the merchant to implement 3-D Secure, but moves the requirement of proof of a fraudulent transaction to the consumer, an area where the consumer previously had little liability. Since 3-D Secure is not foolproof, this may not go over very well with cardholders. It essentially places blame for a successful phishing attack on the victim. Secure Electronic Transaction Secure Electronic Transaction (SET) is a protocol Visa and MasterCard developed in 1996 for securing credit card transactions over insecure networks such as the Internet. SET utilizes X.509 certificates and extensions, along with public key cryptography to identify each party within the e-commerce transaction and transmit the data while maintaining confidentiality. SET’s unique binding algorithm substitutes a temporary certificate for the consumer’s account number, so that the online merchant never needs access to this sensitive information. Each party is required to preregister with the certificate authority (CA), allowing the card issuer to perform due diligence before it allows the merchant to perform e-commerce transactions, and then authenticating all parties in the transaction.
This can extend some number of times before we get to the actual certificate we’re interested in. To verify that certificate, we trace a chain of certificates. Alice’s certificate is signed by a certificate that is signed by a certificate that is signed by the certificate that Jack built. Many THE EVOLUTION OF PGP’S WEB OF TRUST 109 large corporations, governments, and so on have their own hierarchies that they create and maintain. X.509 certificates of the sort that we use for SSL connections on the Web use hierarchical trust. If you go to Amazon.com, that web server has a certificate that was signed in a hierarchy that traces up to a root certificate that we trust. For these commercial Certificate Authorities, they typically use a depth of two or three. Ah, now we hear you ask, “But how do we trust that root certificate?” The answer is: direct trust.
Identity certificates are the most common. They bind a name and a public key (an email address is just a type of name) together. An attribute certificate binds information about the key holder to the key. For example, a certificate that says “the holder of this certificate is over 21 years of age” is an attribute certificate. Certification A certification is a single binding of information and the key with a digital signature. X.509 certificates contain a single certification. OpenPGP certificates may contain a number of certifications. A certification (and thus a certificate) is created by a certificate authority (CA) when it creates the signature that binds the key and information together. THE EVOLUTION OF PGP’S WEB OF TRUST 111 Key OpenPGP’s term for what other PKIs call a certificate. Whitfield Diffie coined this term because it is easier to say, type, and understand than “certificate.”
Principles of Protocol Design by Robin Sharp
accounting loophole / creative accounting, business process, discrete time, fault tolerance, finite state, Gödel, Escher, Bach, information retrieval, loose coupling, packet switching, RFC: Request For Comment, stochastic process, x509 certificate
. • An identification of the issuer of the certificate, S. • The issuer’s digital signature, DSS , for the content of the certificate. Additional information may appear in the form of extensions, which can describe the applications for which the key has been issued, the security policy associated with the certificate, the Web site at which information about revoked (cancelled) certificates can be found, and so on. Since X.509 certificates were originally designed for use with the ITU-T Directory, the identities of the owner and the issuer are specified as X.500 names in terms of a set of attributes; we shall describe these in more detail in Section 7.1.1. The issuer is expected to be a trusted party, in the sense described in the previous sections, and is known as a Certification Authority (CA). Since the certificate associates its owner, A, with a public key, PKA , it is often said to be a certificate for the owner’s public key.
We have seen in Section 8.4.5 some examples of how this can be done; further details can be found in references [269, 270]. In a SOAP document, it is standard practice to include the security information within the SOAP Header as an XML Security element. This is defined in the XML namespace wsse and includes the signature and/or ciphertext for all or part of the SOAP Body, together with one or more security tokens in the form of user ids, X.509 certificates or other forms of authentication which can prove the sender’s identity and right to perform the requested operations. Further details can be found in [261, 263, 264]. We shall return in the next chapter to a number of contexts in which SOAP is used in combination with HTTP to offer services through the Internet. 10.7 Security Middleware Middleware is also a useful solution when security has to be dealt with in applications.
If a previous session is to be resumed, the server is expected to be able to recognise the Session ID and select the CipherSuite and other parameters as used previously; if it cannot do so, it executes the Alert protocol to transfer an error message to the client, and the Handshake Protocol terminates. 2. Server authentication and key exchange: The server performs the selected key exchange protocol. If an anonymous key exchange protocol, such as the original Diffie-Hellman key agreement protocol described in Section 6.5 on page 184, has been selected, then authentication is omitted. Otherwise the server will first authenticate itself to the client, typically by sending a X.509 certificate. If this does not itself include enough information to establish a shared secret, the server assumes that the client will respond with the necessary information in the next phase of the Handshake Protocol. 3. Client authentication and key exchange: The client performs the selected key exchange protocol in an analogous manner to the server. If unauthenticated key exchange by the Diffie-Hellman protocol is to be used, the client just replies to the server with Diffie-Hellman parameters in the usual way.
Deploying OpenStack by Ken Pepple
Nova Database Schema Table NameDescription migrate_version Stores current version of the database schema as well as other migration-related info. Only used internally and by developers during upgrades. migrations Used for running host-to-host migration. auth_tokens Maps Authorization tokens (for all API transactions) to actual users (via the user id field). certificates Mappings for user, projects, and x509 certificates files networks Information pertaining to networks defined in Nova. Includes IP addressing, VLAN, and VPN information. compute_nodes Capabilities (vcpus, memory, etc.) and state (vcpus used, memory used, etc.) of each compute node. projects Information about projects, including project manager. console_pools Pool of consoles on the same physical node. quotas Quota overrides for particular projects.
The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaal Hertzog, Roland Mas
bash_history, Debian, distributed generation, en.wikipedia.org, failed state, Firefox, GnuPG, Google Chrome, Jono Bacon, NP-complete, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, Valgrind, web application, x509 certificate, zero day, Zimmermann PGP
Unfortunately, this change also meant that the RNG was employing only one source of entropy corresponding to the process number (PID) whose 32,000 possible values do not offer enough randomness. → http://www.debian.org/security/2008/dsa-1571 Specifically, whenever OpenSSL was used to generate a key, it always produced a key within a known set of hundreds of thousands of keys (32,000 multiplied by a small number of key lengths). This affected SSH keys, SSL keys, and X.509 certificates used by numerous applications, such as OpenVPN. A cracker had only to try all of the keys to gain unauthorized access. To reduce the impact of the problem, the SSH daemon was modified to refuse problematic keys that are listed in the openssh-blacklist and openssh-blacklist-extra packages. Additionally, the ssh-vulnkey command allows identification of possibly compromised keys in the system.
Its setup involves creating virtual network interfaces on the VPN server and on the client(s); both tun (for IP-level tunnels) and tap (for Ethernet-level tunnels) interfaces are supported. In practice, tun interfaces will most often be used except when the VPN clients are meant to be integrated into the server's local network by way of an Ethernet bridge. OpenVPN relies on OpenSSL for all the SSL/TLS cryptography and associated features (confidentiality, authentication, integrity, non-repudiation). It can be configured either with a shared private key or using X.509 certificates based on a public key infrastructure. The latter configuration is strongly preferred since it allows greater flexibility when faced with a growing number of roaming users accessing the VPN. CULTURE SSL and TLS The SSL protocol (Secure Socket Layer) was invented by Netscape to secure connections to web servers. It was later standardized by IETF under the acronym TLS (Transport Layer Security); TLS is very similar to SSLv3 with only a few fixes and improvements. 10.2.1.1.
This certificate is only used to sign other certificates (key pairs), after proper steps have been undertaken to check the identity stored on the key pair. Applications using X.509 can then check the certificates presented to them, if they know about the trusted root certificates. OpenVPN follows this rule. Since public CAs only emit certificates in exchange for a (hefty) fee, it is also possible to create a private certification authority within the company. For that purpose, OpenVPN provides the easy-rsa tool which serves as an X.509 certification infrastructure. Its implementation is a set of scripts using the openssl command; these scripts can be found under /usr/share/doc/openvpn/examples/easy-rsa/2.0/. The Falcot Corp administrators use this tool to create the required certificates, both for the server and the clients. This allows the configuration of all clients to be similar since they will only have to be set up so as to trust certificates coming from Falcot's local CA.
Jenkins Continuous Integration Cookbook by Alan Berg
Generic A set of small generic handlers, such as a handler to accept a user from a list or from a file. JDBC Connect to databases, and there are even drivers for spreadsheets and LDAP. Legacy Supports the CAS2 protocol. SPNEGO Simple and Protected GSSAPI Negotiation Mechanism allows the CAS server to negotiate between protocols with a backend service, possibly allowing transitioning between backend services. X.509 Certificates Require a trusted client certificate. An alternative installation recipe using ESUP CAS The ESUP consortium also provides a repackaged version of CAS, which includes additional ease-of-use features, including an out of the box demonstration version. However, the ESUP version of the CAS server lags behind the most current version. If you want to compare the two versions, you can find the ESUP installation documentation at http://esup-casgeneric.sourceforge.net/install-esup-cas-quick-start.html.
Intrusion Detection With Snort, Apache, Mysql, Php, and Acid by Rafeeq Ur Rehman
Host Defines remote host where data will be logged. Port Defines the port number on the remote host where data will be logged. Default port numbers for HTTP, HTTPS, and TCP are 80, 443, and 9000 respectively. Cert This is the certificate to be used with HTTPS protocol. It is X.509 client certificate. Key The client private key. Ca The server certificate used for authentication. Server The Common Name or CN for X.509 certificate. Note that XML output is important for much web application development and for integrating Snort into such systems. Some Snort XML parsers exist, including ACID-XML at http://www.maximumunix.org, although these are still in their infancy. 188.8.131.52 Examples Logging to a file "xmlout" on the local host: output xml: log, file=xmlout The date and time will be appended to the name of the file so that data can be saved for multiple Snort sessions.
Building Microservices by Sam Newman
airport security, Amazon Web Services, anti-pattern, business process, call centre, continuous integration, create, read, update, delete, defense in depth, don't repeat yourself, Edward Snowden, fault tolerance, index card, information retrieval, Infrastructure as a Service, inventory management, job automation, load shedding, loose coupling, platform as a service, premature optimization, pull request, recommendation engine, social graph, software as a service, source of truth, the built environment, web application, WebSocket, x509 certificate
SAML, in particular, makes implementing a client a painful affair. OpenID Connect has a simpler workflow, but as we discussed earlier it isn’t that well supported yet. Client Certificates Another approach to confirm the identity of a client is to make use of capabilities in Transport Layer Security (TLS), the successor to SSL, in the form of client certificates. Here, each client has an X.509 certificate installed that is used to establish a link between client and server. The server can verify the authenticity of the client certificate, providing strong guarantees that the client is valid. The operational challenges here in certificate management are even more onerous than with just using server-side certificates. It isn’t just some of the basic issues of creating and managing a greater number of certificates; rather, it’s that with all the complexities around the certificates themselves, you can expect to spend a lot of time trying to diagnose why a service won’t accept what you believe to be a completely valid client certificate.
Multitool Linux: Practical Uses for Open Source Software by Michael Schwarz, Jeremy Anderson, Peter Curtis
business process, Debian, defense in depth, GnuPG, index card, indoor plumbing, Larry Wall, optical character recognition, publish or perish, RFC: Request For Comment, Richard Stallman, SETI@home, slashdot, web application, x509 certificate
., company) [Snake Oil, Ltd]: Home 5. Organizational Unit Name (eg, section) [Web server Team]: Parents 6. Common Name (e.g., FQDN) [www.snakeoil.dom]: friend.dsl.isp.com 7. Email Address (e.g., name@FQDN) [email@example.com]: firstname.lastname@example.org 8. Certificate Validity (days) : 365 _____________________________________________________________________________________ STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt] Certificate Version (1 or 3) : 3 (omitted) Encrypt the private key now? [Y/n]: n (omitted) While the certificate process correctly notes that this certificate should not be used on a production system, for home use it should be just fine. Basically, there is no trust mechanism in place, so the certificate could be a forged one, allowing an attacker to listen to sensitive information.
Exim: The Mail Transfer Agent by Philip Hazel
* See http://www.openssl.org/. 9 October 2001 09:11 Encrypted SMTP Connections 369 To support TLS on a server, you must set tls_advertise_hosts to match some hosts, and you must also specify files that contain a certificate and a private key. For example: tls_advertise_hosts = * tls_certificate = /etc/secure/exim/cert tls_privatekey = /etc/secure/exim/privkey The first file contains the server’s X509 certificate, and the second contains the private key that goes with it. These files need to be readable by the Exim user. They can be the same file if both the certificate and the key are contained within it. With just these two options set, Exim will work as a server with clients such as Netscape. It does not require the client to have a certificate (but see the next section for how to insist on this).