Password Encryption:
We use passwords everywhere these days. From your run-of-the-mill desktop login to Facebook and beyond, we just can’t get away from passwords (or so it seems).
Try working at any business with any level of security control and you quickly understand just how complex our passwords must be to provide any meaningful level of security.
Linux primarily uses the DES encryption algorithm to encrypt your passwords, which are stored in the /etc/shadow file. When you log in to your system, the password you typed is encrypted on the fly and compared against the value stored in /etc/shadow. If they match, you are allowed to log in. The advantage of this one-way function is that it should not be possible to reverse the process and recover the password from the contents of /etc/shadow.
Physical access to the system, however, can allow an attacker to use one of a multitude of tools (John the Ripper, Brutus, RainbowCrack, etc.) to crack your password if it is not sufficiently random. There are great live Linux ISOs with a plethora of attack tools such as these; Kali Linux and Black Arch are but a couple of examples.
Nothing to hide?
Even if you have nothing to hide, having encryption helps protect your privacy and the privacy of other people from bulk surveillance or from rogue software/malware. Even Edward Snowden used GPG to uncover the secrets of the NSA.
PKI:
Public-key cryptography uses a pair of keys, one private and one public, to encrypt and decrypt messages (as PGP does). Anyone can use the public key to encrypt a message and send it to the owner of that public key, who also holds the private key; only the party holding the private key can decrypt it. Government agencies and the military commonly use this method to keep messages from adversaries or the public, with the keys stored on a PKI token or Common Access smart card.
PGP and GPG:
Pretty Good Privacy is fully supported on Linux distributions; however, some countries (the USA, for example) restrict the use of such methods and have laws against exporting the technology.
GNU Privacy Guard (GPG):
Recent Linux distributions come with GnuPG support built in. GPG is a completely free and open implementation of the OpenPGP standard and uses algorithms that are not subject to export restrictions.
"gpg2 is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP standard. gpg2 features complete key management and all the bells and whistles you would expect from a full OpenPGP implementation." (quoted from the gpg2 man page)
Using GPG on Linux is simple, and email clients such as Sylpheed-Claws can take advantage of it to protect your email from prying eyes.
PAM and 2-factor:
With the advent of 2-factor and external authentication programs or services (such as Google Authenticator), additional levels of user validation can be applied through PAM. No, not the biscuit pan spray, but Pluggable Authentication Modules. Adding a simple PAM module to your system, with a scripted installation of the Google Authenticator program, can easily secure your system's local or remote (ssh) login. This additional level of authentication uses the PAM libraries and the current time to verify that the code shown in an app on a phone (or computer) matches the one typed into the authentication prompt.
Part 2 - coming soon:
SSL, TLS and beyond...