Security concepts

Written on 24 November 2014, 11:08pm

The CIA of security
Confidentiality + Integrity + Availability
+ (in time) – Authentication and Non-repudiation

Operational model of computer security
Protection = Prevention + (Detection + Response)

Other security concepts
– Least privilege
– Separation of duties
– Implicit deny
– Job rotation
– Layered security
– Diversity of defense
– Security through obscurity: pushing your favorite ice cream to the back of the freezer, or making your admin URL hard to guess 🙂

Identification vs Authentication vs Authorization
Identification – who are you? (typically a username)
Authentication – how can you prove who you are?
– something you know (a password)
– something you have (a physical token)
– something you are (fingerprint reader)
Authorization – what can you do once you are authenticated?

Access control
– DAC – discretionary access control
– MAC – mandatory access control
– RBAC – role based access control
– RBAC – rule based access control

Random things about security

Written on 23 November 2014, 11:12pm

1. OpenSSL common commands

A list of the most common commands used in OpenSSL: https://www.sslshopper.com/article-most-common-openssl-commands.html

Generate a CSR along with a private key:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out domain.csr
Probably the most used openssl command because it’s the first step in moving to HTTPS.

Generate a CSR using an existing private key:
openssl req -out CSR.csr -key privateKey.key -new

Remove a passphrase from a private key (Warning: leaving a private key unencrypted is a major security risk):
openssl rsa -in privateKey.pem -out newPrivateKey.pem

Transform a certificate from PEM (text) format to DER (binary) format:
openssl x509 -outform der -in certificate.pem -out certificate.der

Transform a key from PEM to DER format:
openssl rsa -in key.pem -out key.der -inform pem -outform der

These last 2 commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers (e.g. from a PEM file for Apache to a PFX for Tomcat or IIS).

The main command options in OpenSSL – req, rsa and x509:
– req – PKCS#10 X.509 Certificate Signing Request (CSR) Management.
– rsa – RSA key management.
– x509 – X.509 Certificate Data Management.

DER (Distinguished Encoding Rules) is a restricted subset of BER (Basic Encoding Rules)
OpenSSL as Windows binary: http://slproweb.com/products/Win32OpenSSL.html

2. Let’s encrypt!

https://letsencrypt.org:

When Let’s Encrypt launches in Summer 2015, enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server.
The Let’s Encrypt management software will:
– Automatically prove to the Let’s Encrypt CA that you control the website
– Obtain a browser-trusted certificate and set it up on your web server
– Keep track of when your certificate is going to expire, and automatically renew it, etc

3. Some security books

If you plan to get CompTIA Security+:
Get Certified Get Ahead
All-in-One Exam Guide
Comparison between the two books. Amazingly, they are both from 2011 (so more than 3 years old, which in the security field should be ages).

If you know about the Fermat enigma (somehow related), then you should probably know about its author, Simon Singh. He also wrote a very well-known book about codes and ciphers: The Code Book (I know, it’s from 1999, but we were in the context of old books about security 🙂 ). Here’s an idea out of it:

It has been said that the First World War was the chemist’s war, because mustard gas and chlorine were employed for the first time, and that the Second World War was the physicists’ war, because the atom bomb was detonated. Similarly, it has been argued that the Third World War would be the mathematicians’ war, because they will have control over the next great weapon of war – information.

PS – iPad mini feels just right

Some security basics

Written on 24 September 2014, 04:33pm

This is an attempt to understand the basics of cryptography. The very basics 🙂
Beware of a link-intensive post, it is meant (as many others) to serve me as a reference.
It started with the recent iCloud privacy problems, then the article about hashing of secrets intrigued me a bit and made me curious to read more about this field. So here it is.

Hashing vs Encrypting vs Encoding

Hashing – irreversible; used to check integrity of data, to irreversibly encode data (passwords) and also to sign data (in conjunction with HMAC).
Encrypting – reversible; used for maintaining data confidentiality
Encoding – reversible, for usability (e.g. Base64Encode)

Update 16/Dec/2014: There is a small debate whether applying ROT13 to a string is considered encryption or not. ROT13 is a very simple substitution cipher (one of the 26 possible ones) – which substitutes each letter by another one placed 13 positions further in the alphabet.
I would say that ROT13 is a form of encryption; true, a very very weak one. But it has an algorithm (substitution of letters) and a key (13 positions). So in theory it encodes a message so that only authorized parties can read it. In practice, almost anyone with a basic motivation can read it.

Hashing vs HMAC vs KDF

1. Hashing algorithms

A hashing algorithm converts a variable-length string to a fixed-length string that can act as a “fingerprint” or unique identifier for the original string. It is not possible to convert the hash result back to the source string.
In ColdFusion:
Hash(string [, algorithm [, encoding ]])
In PHP:
string hash ( string $algo, string $data [, bool $raw_output = false ] )

2. HMAC (Hash-Based Message Authentication Codes)

HMAC is used to verify the data integrity and authenticity of a message transmitted. It involves a cryptographic hash function in combination with a secret key.

According to the official specifications, HMAC is defined as:
H(K XOR opad, H(K XOR ipad, text))
where:
H is a cryptographic hash function where data is hashed by iterating a basic compression function on blocks of data
B is the byte-length of such blocks (B=64 for MD5, SHA-1)
L is the byte-length of hash outputs (L=16 for MD5, L=20 for SHA-1)
K is the authentication key and can be of any length up to B, the block length of the hash function.
Applications that use keys longer than B bytes will first hash the key using H and then use the resultant L byte string as the actual key to HMAC. In any case the minimal recommended length for K is L bytes (as the hash output length). »» this is an interesting fact leading to potential problems, but it does not make pbkdf-hmac-sha1 insecure
ipad, opad (inner/outer pad) are two fixed and different strings defined as
ipad = the byte 0x36 repeated B times
opad = the byte 0x5C repeated B times.
Why 0x36 and 0x5C? “Their values have been arbitrarily chosen by the HMAC designers, and any pair (opad,ipad) could have been selected, as long as opad≠ipad.”
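The definition above, written out step by step in Python and checked against the standard library. This is an added example, not code from the original post; the function names and the sample key and messages are constructed for illustration. It also shows the long-key rule: a key longer than B and the hash of that key produce the same tag.

```python
import hashlib
import hmac

def hmac_from_definition(key: bytes, text: bytes, algo: str = "sha1") -> bytes:
    """HMAC computed as H(K XOR opad, H(K XOR ipad, text))."""
    def H(data: bytes) -> bytes:
        return hashlib.new(algo, data).digest()

    B = hashlib.new(algo).block_size       # 64 for MD5 and SHA-1
    if len(key) > B:                       # keys longer than B are hashed first
        key = H(key)
    key = key.ljust(B, b"\x00")            # shorter keys are zero-padded to B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return H(opad + H(ipad + text))

def verify_tag(key: bytes, text: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_from_definition(key, text, algo), tag)

def long_key_equals_its_hash(algo: str = "sha1") -> bool:
    """A key longer than B and the hash of that key yield the same tag."""
    long_key = b"K" * 100                  # constructed key, longer than B=64
    hashed_key = hashlib.new(algo, long_key).digest()
    text = b"constructed sample message"
    return (hmac_from_definition(long_key, text, algo)
            == hmac_from_definition(hashed_key, text, algo))

if __name__ == "__main__":
    key, text = b"constructed-secret-key", b"amount=100&to=alice"   # constructed
    tag = hmac_from_definition(key, text)
    print(tag.hex() == hmac.new(key, text, "sha1").hexdigest())     # matches stdlib
    print(verify_tag(key, text, tag), verify_tag(key, b"amount=900&to=alice", tag))
    print(long_key_equals_its_hash())
```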

In PHP:
string hash_hmac ( string $algo , string $data , string $key [, bool $raw_output = false ] )

In ColdFusion, the hmac() function exists starting with ColdFusion 10, while in the Open Source world Railo introduced it with version 4 (see cfml.io)
hmac(object message,object key,[string algorithm,[string encoding]]):string
Custom implementations of the function: here, here and here

3. Password-based Key Derivation Function (PBKDF)

A key derivation function (or KDF) derives the encryption key from a master password. Specifications

PBKDF2 applies HMAC to the input password along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase.
Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.
http://en.wikipedia.org/wiki/PBKDF2

In ColdFusion the PBKDF support was introduced very recently (April 2014) – with ColdFusion 11:
GeneratePBKDFKey(algorithm, inputString, salt, iterations, keysize) (algorithm can be ‘PBKDF2WithHmacSHA1’)

Same story with PHP, which only supports PBKDF starting with version 5.5.0:
string hash_pbkdf2 ( string $algo , string $password , string $salt , int $iterations [, int $length = 0 [, bool $raw_output = false ]] )
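The PBKDF2 loop described above (HMAC keyed with the password, applied to the salt and then repeated), written out in Python and checked against the standard library, followed by a salted store-and-verify pair. This is an added example, not code from the original post; the function names, the iteration count and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

def pbkdf2(password: bytes, salt: bytes, iterations: int, keysize: int,
           algo: str = "sha1") -> bytes:
    """PBKDF2: HMAC keyed with the password, chained `iterations` times per block."""
    hlen = hashlib.new(algo).digest_size
    derived = b""
    for block_index in range(1, -(-keysize // hlen) + 1):
        # U1 = HMAC(password, salt || INT(block_index)); U_n = HMAC(password, U_{n-1})
        u = hmac.new(password, salt + struct.pack(">I", block_index), algo).digest()
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, algo).digest()
            acc ^= int.from_bytes(u, "big")      # block = U1 XOR U2 XOR ... XOR Uc
        derived += acc.to_bytes(hlen, "big")
    return derived[:keysize]

ITERATIONS = 100_000   # assumption for this example; raise it as hardware gets faster
SALT_BYTES = 16        # 128 bits, above the 64-bit minimum quoted above

def hash_password(password: str) -> tuple:
    """Return (salt, iterations, key) to store for a new password."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)
    return salt, ITERATIONS, key

def verify_password(password: str, salt: bytes, iterations: int, key: bytes) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, len(key))
    return hmac.compare_digest(candidate, key)

if __name__ == "__main__":
    # Constructed inputs; the hand-written loop matches the standard library.
    print(pbkdf2(b"password", b"salt", 1000, 32) ==
          hashlib.pbkdf2_hmac("sha1", b"password", b"salt", 1000, 32))
    first, second = hash_password("correct horse"), hash_password("correct horse")
    print(first[2] != second[2])                 # same password, different salts
    print(verify_password("correct horse", *first), verify_password("wrong", *first))
```

Storing the iteration count next to the salt lets the count be raised later without invalidating existing records.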

Use cases

(more…)