110.3. Securing data with encryption

Weight: 3

Description: The candidate should be able to use public key techniques to secure data and communication.

Key Knowledge Areas:

  • Perform basic OpenSSH 2 client configuration and usage

  • Understand the role of OpenSSH 2 server host keys

  • Perform basic GnuPG configuration, usage and revocation

  • Understand SSH port tunnels (including X11 tunnels)

Terms and Utilities:

  • ssh

  • ssh-keygen

  • ssh-agent

  • ssh-add

  • ~/.ssh/id_rsa and id_rsa.pub

  • ~/.ssh/id_dsa and id_dsa.pub

  • /etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub

  • /etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub

  • ~/.ssh/authorized_keys

  • ssh_known_hosts

  • gpg

  • ~/.gnupg/

First lets start about some concepts.

Cryptography

Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a particular form so that only those whom it is intended can read and process it. Encryption is a key concept in cryptography

  • Encryption :In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.

  • Decryption: The conversion of encrypted data into its original form is called Decryption. It is generally a reverse process of encryption.

Symmetric vs. asymmetric encryption

Encryption algorithms are often divided into two categories, known as symmetric and asymmetric encryption.

Symmetric Encryption

Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

Asymmetric Encryption

The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys--a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key. This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public).

A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.

encryption vs signing

When encrypting, you use their public key to write a message and they use their private key to read it.

When signing, you use your private key to write message's signature, and they use your public key to check if it's really yours.

Whats is a key server?

Key server (cryptographic), a server on which public keys are stored for others to use

With that introduction lets talk about SSH.

Whats is SSH?

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

Typical uses of the SSH protocol are:

  • providing secure access for users and automated processes

  • interactive and automated file transfers

  • issuing remote commands

  • managing network infrastructure and other mission-critical system components.

How does the ssh protocol work?

The way SSH works is by making use of a client-server model to allow for authentication of two remote systems and encryption of the data that passes between them.

SSH operates on TCP port 22 by default (though this can be changed if needed). The host (server) listens on port 22 (or any other SSH assigned port) for incoming connections.

SSH provides multiple mechanisms for authenticating the server and the client. Two of the commonly used authentication mechanism are password based, and key based authentication. Although password based authentication is also secure, its advisable to use key based authentication instead.

the connection is established by the SSH client connecting to the SSH server. The SSH client drives the connection setup process and uses public key cryptography to verify the identity of the SSH server. After the setup phase the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data that is exchanged between the client and server.

What is OpenSSH?

OpenSSH is a free, open source implementation of the SSH (Secure Shell) protocols. Open OpenSSH is so popular among system administrators because of its multi-platform capability and very useful nice features.

All communications and user credentials using OpenSSH are encrypted, they are also protected from man in the middle attacks. If a third party tries to intercept our connection, OpenSSH detects it and informs us about that.

We use Ubuntu16-1 as ssh server and Ubuntu16-2 as client.

/etc/ssh

OpenSSH has two different sets of configuration files: one for client programs (ssh, scp, and sftp) and one for the server daemon (sshd).

Thesshd_configis the ssh daemon(or ssh server process) configuration file, Whereas, the ssh_config file is the ssh client configuration file. The client configuration file only has bearing on when you use the ssh command to connect to another ssh host . As you can see there are public keys and private keys here with different algorithems and they can be used by SSH to encrypt the session.

ssh client configurations

Till now we have understood how ssh works. As we mentioned when ssh connection is started, the public key of ssh server is tranfered to the client(stored in ./ssh/known_hosts) and the client will use it to continue negotiation with the server and user will be required to get authenticated by sending username and password.

Lets start by connecting toUbuntu16-1 from Ubuntu16-2 and see the keys:

What is fingerprint ? a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks.

now lets compare the keys in server and client:

Configuring SSH Key Based authentication

Its possible to omit entring user name and password and get connected to the ssh server using client public and private key.

Now lets generate public and private keys for client and copy client public key to the server.

ssh-keygen

ssh-keygen - creates a key pair for public key authentication:

We haven't set passphrase in our demonstration but if we set we would be asked to enter it when we copy it to the server.

ssh-copy-id

we use ssh-copy-id - configures a public key as authorized on a server

Now lets take a look the server side:

now lets check the result from the client:

and it seems okey.We can copy and paste the keys for other users if you like, but do not forget that these keys give power to users to login with out the password.

Why use passphrase? Why it is for?

We have configured a password less ssh connection using key based authentication. But what would happened if our system compromised? An evil hacker would be able to get connected to other servers using key based authentication without knowning the passwords.

Passphrase can help us to avoid this kinds of security issues by requiring a passphrase at the beginning of every ssh key-based authentication. So let clear previous authorized_key, and start:

Now generate a new key pairs with passphrase on the client (Let it over write current private and public key):

Now lets tranfer our new public key to the server:

Lets check the key we have copied on the server:

Now when we ssh to the remote server (ubuntu16-1) from our client(ubuntu16-2), we are asked to enter our local key passphrase intead of remote user account password:

lets exit and ssh again and again:

as you can see each time we are asked to enter passphrase and that was what we were seeking for inorder to stop a hacker if our system get compromised. There is way to stick passphrase to the current user session and keept if for next ssh connections inorder to avoid entering passphrase again and again.

ssh-agent

The ssh-agent is a helper program that keeps track of user's identity keys and their passphrases. The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO). The SSH agent is used for SSH public key authentication.

if you got an error try ssh-agent /bin/bash first.

ssh-add

By default, the agent uses SSH keys stored in the .ssh directory under the user's home directory. The ssh-add command is used for adding identities to the agent. In the simplest form, just run if without argument to add the default files ~/.ssh/id_rsa, .ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, and ~/.ssh/identity. Otherwise, give it the name of the private key file to add as an argument.

-l will list private keys currently accessible to the agent,

-DDeletes all identities from the agent, if you like!

And then we can login to OpenSSH server (ubuntu16-1) without any password or passphrase again and again:

Until we exit from the bash that uses associated key with that, then we would need to enter passphrase again.

What is SSH Tunneling ?

SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs (Virtual Private Networks) and access intranet services across firewalls.

SSH is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. SSH tunneling enables adding network security to legacy applications that do not natively support encryption.

what is ssh port forwarding?

SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines. It can also be abused by hackers and malware to open access from the Internet to the internal network.

There are three types of SSH port forwarding:

  • Local port forwarding - connections from an SSH client are forwarded, via the SSH server, to a destination server.

  • Remote port forwarding - connections from an SSH server are forwarded, via the SSH client, to a destination server

  • Dynamic port forwarding - connections from various programs are forwarded, via the SSH client to an SSH server, and finally to several destination servers.

ssh

Like other command ssh has also some options.Lets take a look at most usefull switches:

SSH commands

Description

ssh -V

Shows ssh client version

ssh user1@server1.example.com

Connect to the remote host, add "-v" for verbose mode

ssh -l login_name server1.example.com

Specifies the user to log in as on the remote machine.

ssh user1@server1.example.com <command>

Running <command> on the remote host over ssh

ssh -X user@server1.example.com

Enable Xforwarding on the clients side, X11Forwarding should be enabled on the server side in sshd_config file.

data encryption

Encryption is important because it allows you to securely protect data that you don't want anyone else to have access to.

gpg

GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.

for demonstration, we use two users on ubuntu16, user1 and user2.

okey, lets login via user1 and start creating keypairs using gpg --gen-key command:

it create keys inside ~/.gupg directory.

lets see the created key-pair using gpg --list-key commmand:

Then we need to share our public key to other people. To export our public key file we need to run:

lets put in /tmp directory for user2:

now login as user2 and import user1 public key via gpg --import :

next create a sample file for encrypting:

every thing is ready for encrypting user2 file:

time to send user 2 secret to user1:

Log in as user1 and try to decrypt user2 secret:

lets see what is user2 secret information?

Generating a Revocation Certificate

If your private key becomes known to others, you will need to disassociate the old keys from your identity, so that you can generate new ones. To do this, you will require a revocation certificate. We’ll do this now and store it somewhere safe.

The --output option must be followed by the filename of the certificate you wish to create. The --gen-revoke option causes gpg to generate a revocation certificate. You must provide the email address that you used when the keys were generated.

signing

By encrypting a document using your private key, you let everyone to try to open it using your public key and if they succeed, they will be sure that you have signed it using YOUR private key! gpg has a specific command to sign documents:

here the --clearsign tells the gpg to include the clear text message in the output file too. The output file will be originalfile.asc :

copy notice.asc file to /tmp and other users can verify that a document is singed correctly:

and that's all folks!

Congratulation we have done lpic1-102 !!! do not forget to give a star and donate :-)

You can start studying my LPIC-2 book: https://borosan.gitbook.io/lpic2-exam-guide/

.

.

.

https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences

https://hackernoon.com/symmetric-and-asymmetric-encryption-5122f9ec65b1

https://economictimes.indiatimes.com/definition/decryption

https://support.microsoft.com/en-us/help/246071/description-of-symmetric-and-asymmetric-encryption

https://stackoverflow.com/questions/454048/what-is-the-difference-between-encrypting-and-signing-in-asymmetric-encryption

https://en.wikipedia.org/wiki/Key_server

https://www.ssh.com/ssh/protocol

https://www.hivelocity.net/kb/what-is-openssh/

https://www.ssh.com/ssh/agent

https://www.ssh.com/ssh/tunneling

https://www.ssh.com/ssh/tunneling/example

https://unix.stackexchange.com/questions/115897/whats-ssh-port-forwarding-and-whats-the-difference-between-ssh-local-and-remot

https://www.ssh.com/ssh/command

https://www.taoeffect.com/espionage/EspionageHelp/pages/faq-encryption.html

https://www.privex.io/articles/what-is-gpg/

https://www.howtogeek.com/427982/how-to-encrypt-and-decrypt-files-with-gpg-on-linux/

https://jadi.gitbooks.io/lpic1/content/1103_securing_data_with_encryption.html

.

Previous110.2. Setup host security

Last updated

Was this helpful?