Decrypting FilesTo use GnuPG to decrypt files you have received, use the following command: where file.doc is the resulting file name you want and file.gpg is the encrypted file.. You ca
Trang 1Decrypting Files
To use GnuPG to decrypt files you have received, use the following command:
where file.doc is the resulting file name you want and file.gpg is the encrypted file You must have the private key for the user it was encrypted for on your secret ring This prompts you for the pass-phrase, and once you have entered it correctly, GnuPG produces the decrypted file
Signing Files
As mentioned earlier, another use of GnuPG and PGP is signing documents to verify their integrity You can do this by issuing the following command:
Replace signed.doc with the resulting output filename you want and
unsigned.doc with the file you want signed This command signs and encrypts the doc-ument and produces the output file signed.doc When it is decrypted, GnuPG will also ver-ify the document You can verver-ify a file with the following command:
where signed.doc is the encrypted file you want to verify You can also create signatures separate from the file if you want users without GnuPG to be able to access them but still want to include the signature There are two commands for this The command
creates a text addendum to the file with the signature If you don’t want to alter the file, you can create a separate signature file with the command
The PGP/GnuPG Web of Trust Model
As mentioned earlier, rather than use a hieratical trust system like digital certificates and their central certificate authority, PGP and GnuPG use a web of trust model By signing the keys of people you know, you can verify that their key is worthy of trust And if they sign other people’s keys who you don’t know directly, you create a chain of trust The model is based on the idea of “any friend of yours is a friend of mine.” Granted this model doesn’t work perfectly; someone far down the trust chain could turn out to be a bad apple and get away with stuff for a while But the idea behind this system is that it spreads organically and doesn’t require any infrastructure Because of this, it can’t be dismantled
or co-opted on a large scale easily The way you establish this web of trust is by signing people’s keys and having them sign yours In the example in Figure 9.7, Tony can implic-itly trust Jane, Joe, John, and Eve’s keys even though he doesn’t know them directly
Trang 2Signing Keys and Managing Your Key Trusts
In GnuPG you sign keys and manage your key trusts by going into key edit mode with the following command:
where friend@example.org matches the e-mail address of the key you want to sign or manage and must be one of the keys on your public ring It prints out basic information on the key Within this mode, type fpr to print the fingerprint of that key Just like humans, the key fingerprint is a specific identifier of that key Make sure that this is the person’s key by comparing it with him or her either on the phone or by some other manner You can also check to see who else has signed this key by typing check This prints a list of other signers of this key and may help you decide the validity of the key
When you are sure that this is the person’s key, type sign This signs that person’s key so that anyone looking at it knows that you trust him or her In this mode you can also edit the trust levels of the different keys in your ring Enter this mode from within key edit mode by typing trust This displays the following menu
1 = Don’t know
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
Figure 9.7 Web of Trust Model
Web of Trust Model
Trusts
Trusts
Trusts
Trusts
Trusts
Trusts Trusts
Trusts Trusts
Trusts
Tony
Eve
Trusts
Trang 3s = Please show me more information
m = Back to the main menu Pick one of the items and that key will be marked as such by you This is another way you can communicate to yourself and others about which users have your highest level of trust and which ones you barely know
This should give you a good introduction to the world of PGP and GnuPG Again, this chapter is not intended to be the conclusive source on these, and you should refer to their respective Web sites and the other listed sources to read further on these revolutionary programs
PGP and GnuPG are great for encrypting files However, what if you want to encrypt all communications between two points? PGP is not really viable for this function (the newly included VPN client with the commercial version not withstanding) An open source tool for creating these standing connections where everything is encrypted on the fly is discussed next
O p e n S S H : A F r e e S u i t e o f S e s s i o n E n c r y p t i o n T o o l s
OpenSSH (Server)
Author/primary contact: Tatu Ylönen (original author) and others
Mailing lists:
Announcement list
A read-only list that contains general announcements of new version releases, bug fixes, and so on Subscribe at
www.mindrot.org/mailman/listinfo/openssh-unix-announce
General SSH users list Questions and general discussion on SSH usage Subscribe by sending an empty message to secureshell-subscribe@securityfocus.com
To unsubscribe to the list, send an empty message to secureshell-unsubscribe@securityfocus.com
There is also an archive of this list at http://marc.theaimsgroup.com/?l=secure-shell&r=1&w=2
Developers list Discussions on SSH development and coding Subscribe at www.mindrot.org/mailman/listinfo/openssh-unix-dev
Trang 4Most of the file and communication utilities used on the Internet today hark back to the days when the Internet was a small and safe place One of the most common tools used, other than a Web browser, is Telnet This utility is used for remote terminal access to all types of servers, routers, firewalls, and other devices The big downside of Telnet is that
it sends its transmissions in the clear, so if you are using Telnet to log into a system over the Internet, someone could capture your traffic, including your passwords You may think finding your password in the stream of data would be like finding a needle in a haystack, but hackers have written programs that run on top of sniffers to search for common login terms and catalog the results This is also true of other remote tools such as FTP, TFTP, and RCP
SSH fixes this problem by using both public key and symmetric cryptography to encrypt your session starting from the first keystroke This way, all anyone listening to your connection gets is random noise SSH not only provides confidentiality for your data
by using encryption, but it also provides strong authentication that foils spoofing and other identity-type attacks It does this by using digital certificates to authenticate users Don’t confuse SSH with SSL, the Web encryption standard Though they both do the same thing, SSH works with any protocol, whereas SSL is primarily designed for Web communications
SSH also includes SCP, which is a secure replacement for RCP, the remote copying tool, and SFTP, a secure replacement for FTP SSH can also be used to tunnel other proto-cols, such as HTTP and SMTP, between machines Several applications are discussed at the end of this section Using this suite of programs instead of their older counterparts ensures that your remote communications to servers aren’t being read Eliminating the use Telnet and FTP on your network may be difficult, but the more you do it, the more secure you will be
In order to use SSH, you must have a SSH server running on the machine you want to connect to and a SSH client on the machine you are connecting to Regular FTP and Telnet clients won’t connect to a SSH server The client is built into most current Linux operating systems, although you may have to select this option when installing your OS (See Chap-ter 2 for information on the SSH client.) The SSH server is usually optional and you have
to select it when you install your OS To determine if it is already installed, type ps and see if the sshd process is running If not, you will have to install the server to allow con-nections to your machine via SSH
Installing and Starting the OpenSSH Server
1.First, download and unzip the package from the Web site or the book’s CD-ROM
2.Issue the usual Linux compile commands:
/.configure make make install
Trang 5This builds and installs the SSH programs The binaries and associated libraries will be located in /usr/local/bin (on the Mandrake Linux system, other distributions may vary) The system daemons are found in /usr/local/sbin, and the config files are in /usr/local/etc/ssh or /etc/ssh, depending on your install
You can choose an alternative install path by using
prefix=filepath
where filepath is replaced with your desired alternate location
3.Once OpenSSH is installed, check the configuration file located in /etc/ssh to make sure it matches your system parameters The configuration file for the server piece
is sshd_config You can use a text editor such as vi or EMACS to make your changes A few items to check are:
• Port: The port that SSH listens to for incoming connections This defaults to 22
If you change this, people attempting to connect to you will have to manually change the port number on their SSH clients
• Protocols: This tells the server what SSH protocols to accept The default is to accept both SSH1 and SSH2 type connections For slightly better security, you could change this to accept only SSH2, but this will keep some older clients from connecting
• Hostkey: This gives the location of the keys used to generate key-based authenti-cation of a user when connecting to a separate machine These are not the same
as the server keys that are generated on install
4.Before you can use the SSH server, you must generate its various keys You do this
by typing the following command:
ssh make-host-key
You will get something like the following response
Generating public/private rsa key pair
Enter file in which to save the key (/home/me/.ssh/
id_rsa):
Created directory '/home/me/.ssh'
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/me/.ssh/id_rsa
Your public key has been saved in /home/me/.ssh/id_rsa.pub
The key fingerprint is
Trang 6The fingerprint provides a unique identifier for your server’s keys
5.You can now start the SSH server at the command line by typing sshd&
This runs sshd, the server daemon, in the background and listens continuously for connections If you want to run sshd automatically when you reboot (which is pref-erable), place that line at the end of the rc.local file in your /etc/rc.d/ directory (on Mandrake Linux, or in the corresponding start-up file for your distribution) Remember, to connect to your server via SSH you need to be running a compatible version of the SSH on the client end Instructions on the installation and use of the SSH client are in Chapter 2
Port Forwarding with OpenSSH
While SSH was primarily intended for Telnet-like command line interaction, it can also be used to set up a secure tunnel between two machines for any application You can create a secure connection between two servers with the built-in port forwarding capability in SSH For this to work, you must have SSH running on both ends of the connection You can do with any service on any port with the following statement issued on the client end
ssh -L local_port:local_host:remote_port remote_hostname –N &
where you replace:
• local_port with a random high number port chosen by you to make the new encrypted connection
• local_host with your local machine
• remote_port with the port of the service you want to tunnel on the remote end
• remote_hostname with the IP address or host name of the server on the other end
of the connection The -L option tells SSH to listen on the local_port on local_host and forward any connections to the remote_port on the remote_host The -N option tells SSH not
to try to log in, just to keep the connection open for forwarded traffic The & runs the task
in the background, so it will run as a system process and you can do other things on the machine If the machine is rebooted, you will have to enter the command again unless you put it in the start-up script
Using this method, you do not need a login on the remote end to establish the encrypted connection to the remote server You will need appropriate credentials for any-thing you want to do over the forwarded port if they are required
The following are two examples to show how this works
Example 1: Creating an Encrypted E-mail Connection with OpenSSH Nor-mally, e-mail is sent over port 25 unencrypted Let’s say you want to encrypt this connec-tion instead The way to do this is to use SSH to set up an encrypted tunnel for any traffic
Trang 7bound for port 25 traffic on your mail server Using the above format and assuming your mail server has IP address 192.168.1.2, the correct command would be:
ssh –L 5000:localhost:25 192.168.1.2 –N &
This sets up port 5000 on your local machine as the port that would tunnel the mail port (25) to your remote mail server So if you set up your mail client to connect to local-host:5000 instead of the default mail port, SSH will automatically forward the traffic to port 25 on your mail server using SSH to encrypt it Now, you can receive and send mail to this machine without worry of having your mail read off of the wire
Example 2: Creating a Secure Web Connection What if you want to connect your Web server for a secure transaction? If the server wasn’t set up to do SSL, you could still use SSH to securely tunnel your Web traffic to the server If your Web server is located at 192.168.1.3, the command string looks like this:
ssh –L 5000:localhost:80 192.168.1.3 –N &
Now you can connect by entering localhost:5000 in your Web browser, and you will actually be forwarded via a secure tunnel to port (80) on the remote machine You can port forward several different ports on the same machine For example:
ssh –L 5000:localhost:5000:25 –L 5001:localhost:80 192.168.1.2 –N &
will forward all traffic on port 5000 locally to the mail port on 192.168.1.2, and all traffic
to port 5001 to port 80 on the remote machine Of course, this example assumes you have
a mail account on the remote server
As you can see, SSH works great for creating a secure connection between two machines for just about any protocol However, what if you want to encrypt all traffic, regardless of what port or service? In this case, setting up a virtual private network makes more sense
Virtual Private Networks
Companies used to create private networks using expensive point-to-point data lines from the phone company to keep their information safe These lines cost thousands of dollars per month per location and linked only two sites at a time Companies often ended up with
a spider web of expensive communication lines connecting their sites With the advent of the commercial Internet, people immediately saw its potential for interoffice communica-tions Unfortunately, the open nature of the Internet presented a major security risk This is where encryption came to the rescue By using encryption technology, companies can cre-ate a Virtual Privcre-ate Network (VPN) and harness the low-cost Internet for their corporcre-ate communications, safely and securely Their data is encapsulated in a “tunnel” of encryp-tion, so any parties intercepting the packets in between cannot recover any usable data
Trang 8There are many vendors selling dedicated hardware devices to do virtual public net-works However, there is an open source solution that will let you set up your own VPN with nothing more than a couple of extra PCs
The FreeS/WAN project is sponsored and managed by John Gilmore John is a leg-endary name in coder and net-libertarian circles He is one of the founders of the Elec-tronic Freedom Foundation, which was an early proponent of free strong encryption After making his fortune in several Silicon Valley start-ups, most notably Sun Microsystems, he now dedicates his time to various projects, many of them open source software–related The FreeS/WAN project started as an effort to have everyone encrypting his or her communications While it hasn’t quite had this effect yet, it does offer users of Linux a cost-effective way to set up a VPN It also allows you to connect to other devices using IPsec, since the IPsec protocol is a widespread standard Some vendors may not stick pre-cisely to the standard, so your results may vary when using other equipment or software for one of the ends Check the FreeS/WAN Web site for a list of compatibility with other vendor’s implementations
F r e e S / W A N : O p e n S o u r c e I P s e c V P N S o f t w a r e
FreeS/WAN
Author/primary contact: John Gilmore
Mailing lists:
Users-moderated A moderated less-trafficked version of the above
For instructions on subscribing to any of the above lists, see
www.freeswan.org/mail.html
Posts from an older list are currently archived at www.sandelman.ottawa 33on.ca/linux-ipsec/
Trang 9Using IPsec, everything is encrypted at the IP level, regardless of the application or port This is what makes IPsec the most popular system for creating secure
communica-tions FreeS/WAN also can use what is called opportunistic encryption, which means it
will use encryption to communicate with hosts that support IPsec, and will use regular IP communications for those that don’t So if you run FreeS/WAN on your firewall box, you can have an automatic VPN to sites running IPsec and still interoperate with other sites that don’t
You need two machines to act as your gateways To use FreeS/WAN, these machines must be UNIX boxes, preferably Linux If you want to set up an IPsec connection between Windows systems, you can use the built-in IPsec support (Windows 2000 and later) and don’t need FreeS/WAN Supposedly, the newest Linux kernel is going to have IPsec inte-grated into it But even when it does, FreeS/WAN will still have an application for commu-nicating with older versions and using the opportunistic encryption feature The FreeS/ WAN team is also working on interoperability with the upcoming Linux kernel IPsec support
Installing and Starting FreeS/WAN
FreeS/WAN comes preinstalled on many Linux distributions To see if you have FreeS/ WAN installed, type ipsec verify at the command line If you get a “file not found” response, then you don’t have it preloaded Even if you don’t have the RPMs, you can get the source code from the book’s CD-ROM or you can download the latest version to take advantage of the latest cryptographic protocols and features Follow these instructions to compile FreeS/WAN from source code
1.Download the latest package from the Web site and unzip it, or copy the file from the CD-ROM
2.Run the following commands as root from the FreeS/WAN directory to compile and install the package:
Make oldmod Make minstall
3.Once FreeS/WAN is installed, you need to reboot your system for the changes to take effect
4.When your system comes back up, use the verify ipsec at the command line
to check your install You should see a message something like this:
Checking your system to see if IPsec got installed and started correctly
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Trang 105.If you see this, you can start the IPsec service using this command:
service start ipsec
The IPsec service runs in the background You are now ready to initiate IPsec sessions
Using FreeS/WAN
There are several ways to use FreeS/WAN One is for a gateway-to-gateway permanent
connection, which is called peer-to-peer mode This mode is appropriate if you have two
offices wanting to communicate securely over the Internet The second method is called
road warrior mode, where you have remote users wanting to connect securely to your
LAN Finally, you can operate in Opportunistic Encryption (OE) mode, in which it
con-nects with encryption to any hosts or gateways that are capable of it The following proce-dures describe how to set up each one
Peer-to-Peer Mode FreeS/WAN uses the names Right and Left to refer to the two
machines you are connecting via IPsec This doesn’t have anything to do with direction or location; it just makes it easier to refer to the different sides of the IPsec connection Just pick one to be your Left machine and one to be your Right machine
1.First, get on one machine that you are going to call the Right machine Type the following command to get its public key:
ipsec showhostkey right
FreeS/WAN shows you some information about the IPsec on that machine, includ-ing its public key After the equals sign will be a long list of seeminclud-ingly random digits This is the key Copy this number down or use the copy function in your text editor
2.Now get the public key from the Left machine by using the same command, except use the left switch in the command
3.Go to /etc/freeswan and edit the file ipsec.conf (some distributions may store this file in /etc) Table 9.2 lists and describes the parameters you need to set in the conn net-to-net section
4.Leave the rest of the settings as is and save the file
5.Copy this file onto the other machine in the same place
6.Use the verifyipsec command described earlier to be sure that the IPsec ser-vice is running on both machines
7.To start up the IPsec connection, type:
ipsec auto up net-to-net
You should see the message IPsecSA established If you don’t, check your settings or consult the man pages for troubleshooting information