Security

From Things and Stuff Wiki
Revision as of 15:40, 2 December 2013 by Milk (talk | contribs) (→‎Firewalls)
Jump to navigation Jump to search


General

Resources

News

Passwords

Server

See also Distros

Firewalls

csf/lfd

FireHOL

Windows

Logging

Integrity

Hardening

AppArmor

SELinux

Intrusion detection



Shells

Honeypot

Cryptography

a mess


Ciphers

Blowfish

1993

AES

2001

Symmetric-key

DES

1977. Symmetric-key algorithm

Public-key cryptography

There are several methods to use a block cipher to build a cryptographic hash function, specifically a one-way compression function. The methods resemble the block cipher modes of operation usually used for encryption. All well-known hash functions, including MD4, MD5, SHA-1 and SHA-2 are built from block-cipher-like components designed for the purpose, with feedback to ensure that the resulting function is not invertible. SHA-3 finalists included functions with block-cipher-like components (e.g., Skein, BLAKE) though the function finally selected, Keccak, was built on a cryptographic sponge instead.


Cryptographic hash function

to sort


RSA

1977, by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT

ECC

NTRU

Suites

Encryption

PGP / GPG

Guides

gpg --export --armor <keyid> | awk '{ print "    "$0 }' 

Tools

  • WebPG - Browser Extensions
  • Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to, as well as each other while we work online. The suite of Monkeysphere utilities provides a framework to transparently leverage the web of trust for authentication of TLS/SSL communications through the normal use of tools you are familiar with, such as your web browser0 or secure shell.

Key servers

DNS

E-mail

Libraries

Google

  • Penango is a web browser add-on that allows people to send and receive authenticated and encrypted messages end-to-end on the Internet with standards-based, interoperable protocols.
  • gAES - Encrypt your google chats and make the NSA sad

Other

File system

  • LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. While LUKS is a standard on-disk format, there is also a reference implementation. LUKS for dm-crypt is implemented in an enhanced version of cryptsetup.
  • Tomb aims to be an 100% free and open source system for easy encryption and backup of personal files, written in code that is easy to review and links commonly shared components. Tomb generates encrypted storage files to be opened and closed using their associated keyfiles, which are also protected with a password chosen by the user.
  • zuluCrypt is a front end to cryptsetup and tcplay and its a tool that make it easy to manage LUKS, PLAIN and TRUECRYPT encrypted volumes through a GUI and a simpler to use CLI interface. zuluCrypt can manage encrypted volumes residing in regular files, LVM devices, mdraid devices as well as regular block devices and partitions.
  • EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL. As with most encrypted filesystems, Encfs is meant to provide security against off-line attacks; ie your notebook or backups fall into the wrong hands, etc. The way Encfs works is different from the “loopback” encrypted filesystem support built into the Linux kernel because it works on files at a time, not an entire block device. This is a big advantage in some ways, but does not come without a cost.
  • Cryptkeeper is a Linux system tray applet that manages EncFS encrypted folders.

Other

  • The Guardian Project creates easy-to-use open source apps, mobile OS security enhancements, and customized mobile devices for people around the world to help them communicate more freely, and protect themselves from intrusion and monitoring.

Homomorphic

TLS/SSL

  • Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. They use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

In the TCP/IP model view, TLS and SSL encrypt the data of network connections at a lower sublayer of its application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the presentation layer): first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

  • .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.
  • .pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on.
  • .key This is a PEM formatted file containing just the private-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.
  • .pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

HTTPS

See HTTP#SSL

PFS

Software

Gnutils

OpenSSL

openssl ciphers -v
openssl verify -CAfile /etc/nginx/ca.pem certs/client.crt

Other

Certificates

some rfcs..

Wildcard

Domain Validation

Organisational Validation

involving better/slower background checks for the Organisation Name field

Extended Validation

Self-signed

Vulnerable to MITM as cracker can generate their own, OK if you control both ends.

CAs

Services

Comodo
VeriSign
GlobalSign
StartCom

Free certs, one cert per domain, 1 year. One only pays for acions that require human intervention, i.e., validation.

Cacert.org

Community group providing certs. Web of trust based assurance point system. Not carried by major browsers, just Linux distros.

Other

Tools

Software

DNSSEC

DANE

Future

  • TACK, a proposal for a dynamically activated public key pinning framework that provides a layer of indirection away from Certificate Authorities, but is fully backwards compatible with existing CA certificates, and doesn't require sites to modify their existing certificate chains.

HTML

Disk cleanup

Vulnerabilities

Legal

UX

Windows

Testing

Metasploit

Web

  • w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

DB

Burp

Inception

  • Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

DetecTor.io

to sort

  • Gitian is a secure source-control oriented software distribution method. This means you can download trusted binaries that are verified by multiple builders.

Other

  • Pond is forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker. [12]
  • EZCrypt - We provide you with the power to encrypt the data BEFORE it gets stored on our site. All encryption/decryption is done on the client end using AES-CBC 128bit with a hash key generated on each paste. The server will only store the encrypted data without the hash key, so only you have the power to decrypt it.