Please wait... If this message doesn't disappear soon, check whether you have JavaScript enabled?
Based on presentations by:
You can access this presentation at: http://afnog.github.io/sse/crypto/presentation
Download or edit this presentation on GitHub.
Commands to enter are shown like this:
openssl smime -encrypt -binary -aes-256-cbc -in message3.txt -out message3.txt.enc yourpartner.crt.pemopenssl smime -decrypt -binary -in encrypted.zip.enc -out decrypted.zip -inkey private.key -passin pass:your_password
Please note:
What is security?
What is security?
What do you want to prevent? What is the threat?
What is security?
What do you want to prevent? What is the threat?
Make a list of measures that you actually use.
Make a list of measures that you actually use.
For example:
How would you crack the defensive measures that we just listed?
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. - Gene Spafford
Security is impossible if:
Why do you lock your doors?
Cryptography can help establish identity for authentication purposes (how?)
Written by Bruce Schneier. Perhaps the best book around if you want to understand how cryptography works.
https://www.schneier.com/book-applied.html
The foundation of all of cryptography:
The same key is used to encrypt the document before sending and to decrypt it once it is received.
Different related keys are used to encrypt the document before sending and to decrypt it once it is received.
Solutions?
Solutions?
Algorithms that take any amount of input and return a fixed-size output string, which is called the hash value or hash.
Has these properties:
What does infeasible mean?
A hash function that maps each valid input to a different hash value is said to be perfect.
Using this hash function:
Perform the following exercise:
Does this hash function meet our ideal properties?
Not really!
ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/ISO-IMAGES/10.0/
CHECKSUM.MD5
and CHECKSUM.SHA256
files.ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/ISO-IMAGES/10.0/
CHECKSUM.MD5
and CHECKSUM.SHA256
files.What do they tell you? The checksums of the large binary files in that directory.
Do you actually need to download this file from ftp.freebsd.org
?
fetch http://mini1.sse.ws.afnog.org/~inst/FreeBSD-10.0-RELEASE-i386-bootonly.isomd5 FreeBSD-10.0-RELEASE-i386-bootonly.isosha256 FreeBSD-10.0-RELEASE-i386-bootonly.iso
message1.txt
)sha256
command to generate a signature for the file.scp
to copy the file to your partner's computer:scp message1.txt afnog@pcYY.sse.ws.afnog.org:/tmp
/tmp
directory.message2.txt
)openssl
:openssl aes-256-cbc -a -salt -in message2.txt -out message2.txt.enc
message2.txt.enc
)openssl aes-256-cbc -d -a -in message2.txt.enc -out message2.txt.new
openssl req -x509 -new -out yourname.crt.pem -keyout yourname.key.pem
Questions:
openssl x509 -in yourpartner.crt.pem -noout -text
Questions:
message3.txt
)openssl
:openssl smime -encrypt -binary -aes-256-cbc -in message3.txt -out message3.txt.enc yourpartner.crt.pem
Questions:
message2.txt.enc
)openssl smime -decrypt -binary -in message3.txt.enc -out message3.txt.dec -inkey yourname.key.pem
Questions:
Why do we verify host keys?
Why do we verify host keys?
When you SSH to your partner's computer for the first time, what do you see?
When you SSH to your partner's computer for the first time, what do you see?
The authenticity of host 'pc34.sse.ws.afnog.org (196.200.219.134)' can't be established. ECDSA key fingerprint is ae:09:ce:83:09:fc:d5:ca:69:ae:df:7d:c6:92:1e:e5. Are you sure you want to continue connecting (yes/no)?
What should you do about it?
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
What happens after the first time you connect? Why?
What happens after the first time you connect? Why?
~/.ssh/known_hosts
.To see what happens, replace your host key:
sudo /etc/rc.d/sshd keygen
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)!It is also possible that a host key has just been changed.The fingerprint for the ECDSA key sent by the remote host isae:09:ce:83:09:fc:d5:ca:69:ae:df:7d:c6:92:1e:e5.Please contact your system administrator.Add correct host key in /home/chris/.ssh/known_hosts to get rid of this message.Offending ECDSA key in /home/chris/.ssh/known_hosts:228 remove with: ssh-keygen -f "/home/chris/.ssh/known_hosts" -R pc34.sse.ws.afnog.orgECDSA host key for pc34.sse.ws.afnog.org has changed and you have requested strict checking.Host key verification failed.
For now, fix it on your client by running:
ssh-keygen -R pcYY.sse.ws.afnog.org
And test that you can SSH without this warning.
Passwords, and don't use them!
Two-factor authentication.
If you don't already have an SSH key, generate one:
ssh-keygen
afnog
as the passphrase!afnog
as the passphrase?Copy the key to your partner's server:
ssh-copy-id -i ~/.ssh/id_rsa.pub pcYY.sse.ws.afnog.org
Now try logging in to their server. What's different?
ssh pcYY.sse.ws.afnog.org
Copy the key to your partner's server:
ssh-copy-id -i ~/.ssh/id_rsa.pub pcYY.sse.ws.afnog.org
Now try logging in to their server. What's different?
ssh pcYY.sse.ws.afnog.org
You should be prompted for your passphrase instead of a password:
Enter passphrase for key '/home/afnog/.ssh/id_rsa':
Any questions?
Based on presentations by:
You can access this presentation at: http://afnog.github.io/sse/crypto/presentation
Download or edit this presentation on GitHub.
Keyboard shortcuts
↑, ←, Pg Up, k | Go to previous slide |
↓, →, Pg Dn, Space, j | Go to next slide |
Home | Go to first slide |
End | Go to last slide |
b | Toggle blackout mode |
f | Toggle fullscreen mode |
c | Clone slideshow |
p | Toggle presenter mode |
w | Pause/Resume the presentation |
t | Restart the presentation timer |
?, h | Toggle this help |
Esc | Back to slideshow |