P. 1
aix_security

aix_security

|Views: 2,499|Likes:
Published by thomas926

More info:

Published by: thomas926 on Mar 16, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

05/28/2013

pdf

text

original

PGP is based on public key cryptography (see Section 5.1.3, "Key concepts
of SSH" on page 62). In a nutshell, files encrypted with the public key

# /usr/local/bin/john /tmp/password

Loaded 2 passwords with 2 different salts (Standard DES [32/32 BS])

rootroot

(root)

merl1n

(khorck)

guesses: 2 time: 0:00:28:24 100% (3) c/s: 23710 trying: Booms2 - hilsuh

A strong password is a good defense against brute force cracking methods.
However, even the strongest password is vulnerable to network sniffing
with protocols, such as telnet, ftp, rsh, and so on. Refer to Chapter 5,
“Secure remote access” on page 59, for ways to protect against this type of
attack.

Note

Chapter 7. System and data integrity 125

(asymmetric cryptography) can only be decrypted by the matching private key
and vice-versa.

By definition, a public key is “public” and can be freely distributed to the other
individuals you want to communicate with using PGP. The private key is
“private” and should be kept secure and private. The private key can be
further protected with the use of a pass phrase.

Straight public-key encryption is much slower (sometimes by as much as a
factor of 1000) than conventional single-key encryption (symmetric
cryptography). It is for this reason that PGP uses a hybrid of both symmetric
and asymmetric cryptography.

With PGP, messages are encrypted using conventional symmetric
cryptography (the same key is used to encrypt and decrypt the message).
However, this key is a random one-time key (session key) that is used for this
session only. Now, the main weakness of symmetric cryptography is in how to
share the same key securely. PGP overcomes this weakness by using
asymmetric cryptography.

Here is how PGP does it:

1. Jack wants to communicate securely with Jill using PGP.

2. Jill sends Jack her public key.

3. Jack encrypts the data with the session key (symmetric cryptography),
then uses Jill’s public key to encrypt the session key (asymmetric
cryptography). Once encrypted, Jack sends both the session key and the
data to Jill.

4. Jill uses her private key to decrypt the session key (asymmetric
cryptography) and then uses the session key to decrypt the data
(symmetric cryptography).

5. From now on, Jack and Jill will just use the session key to encrypt and
decrypt the data flowing back and forth between them.

In this case, both symmetric and asymmetric algorithms are used, the
symmetric algorithm used to encrypt the data itself and the asymmetric
algorithm used to securely transfer the encryption key. With this hybrid
method, both speed and security are achieved.

PGP supports three symmetric ciphers: CAST (default), Triple DES, and
IDEA. It also supports either DSS/DH keys or RSA (IDEA only) keys. A
comparison of each can be found in the PGP man pages (man pgp-intro).

126 Additional Security Tools for AIX Systems

PGP also uses digital signatures for message authentication. Digital
signatures serve the same function as that of real signatures, but in the digital
world. A digital signature is created by encrypting the message digest (a
strong one-way hash function of the message) with the sender’s private key.
The digital signature is sent together with the message. To verify the digital
signature, the recipient uses the sender’s public key to decrypt and obtain the
message digest. Then, the recipient executes a one-way hash function on the
message to obtain a message digest and compares this output with that sent
by the sender (the output decrypted with the senders’ public key). Both must
be the same to ensure data integrity. At the same time, the author of the
message is verified because the message was signed with the private key of
the sender (thus the importance of protecting the private key). For more
information on this process, see the PGP man pages (man pgp-intro).

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->