Encryption Methods in Linux

Passwords are one of the most main security features used nowadays. It’s very important for you to have secure and un-guessable passwords. Most Linux distributions have passwd programs that won’t allow you to set easily guessable password plus there are many encryption software in the market that can do this. Make sure that your passwd program is always up to date and has such features. An in-depth details of encryption is beyond the scope of this article, so kindly keep reading.

Encryption software is very useful and even necessary in our current time. There’re many methods of encrypting data and each method has its own characteristics. Most Linux distributions mainly use a one-way encryption algorithm, which is called Data Encryption Standard (DES) for encrypting passwords.

These encrypted passwords are then stored typically in /etc/passwd or in /etc/shadow but this is less commonly. When user attempts to login, the password he types in is again encrypted and compared with the entry in the file that stores his passwords. In case they match, it has to be the same password, and user is allowed access. Although Data Encryption Standard is a two-way encryption algorithm as user can code and then decode a message, just by giving the right keys, the variant which most Linux distributions use is one-way, which means that it shouldn’t be possible to reverse this encryption to get passwords from contents of /etc/passwd or /etc/shadow.

Brute force attacks including “John the Ripper” or “Crack” can usually guess passwords unless the password is sufficiently random. PAM modules allow user to use different encryption routines with his passwords (e.g. MD5). User can use “Crack” to his advantage, as well. User should consider periodically running “Crack” against his own password database in order to find insecure passwords. Then he can contact the offending users, and instruct them to change their passwords.

Public-Key Cryptography and PGP

Public-Key Cryptography uses one key for encryption and one key for the decryption. However, the traditional cryptography uses the same key for both encryption and decryption, which has to be known to both parties, and thus transferred somehow securely from one to the other.

To make the need to securely transmit the encryption key fewer, the public-key encryption uses 2 separate keys: a private key and a public key. Public key for each person is available by anyone for doing the encryption, while at the same time, every person keeps his private key for decrypting messages encrypted with the right public key.

Pretty Good Privacy (PGP) is very well-supported on Linux. Just be sure to use a version which is applicable to your country. As due to some export restrictions by the US Government, strong-encryption is not allowed from being transferred in any electronic form outside the country.

SSL, S-HTTP and S/MIME

Users usually ask about the differences between the various encryption and security protocols, and how to use them. That’s why I’m now going to briefly explain what each protocol is:

SSL: This is an abbreviation for Secure Sockets Layer. It is an encryption method that was developed by Netscape for providing security over the Internet. SSL supports various encryption protocols, and also provides server and client authentication. It operates at the transport layer, then creates a secure encrypted channel of the data, and thus can encrypt data of many types seamlessly. It is most commonly seen when you are visiting a secure site to view as example a secure online document with the Communicator, and serves as secure communications basis with the Communicator, as well as other Netscape Communications data encryption software.

S-HTTP: This is another protocol which provides some security services across the Internet. It was primarily designed for providing authentication, confidentiality, integrity, and the non-reputability while supporting the cryptographic algorithms and multiple key-management mechanisms through option negotiation between the parties involved in every transaction. This protocol is limited to the specific encryption software which is implementing it, and encrypts individually every message.

S/MIME: This is abbreviation for Secure Multipurpose Internet Mail Extension. It’s an encryption standard which is used for encrypting electronic mail and other kinds of messages on the Internet. It’s an open standard which was developed by the RSA (This is the initial letters of the surnames of creators of this algorithm: Ron Rivest, Adi Shamir, and Leonard Adleman), so it’s likely we’ll see it on Linux sooner.

Linux IPSEC Implementations

Along with CIPE (Cryptographic IP Encapsulation), and many other data encryption forms, there’re also several implementations of IPSEC for Linux. IPSEC (Internet Protocol Security) is a great effort by the IETF (Internet Engineering Task Force) for creating cryptographically-secure communications at the level of IP network, and for providing integrity, access control, authentication, and confidentiality.

Another example of freely-available IPSEC implementation is the Linux FreeS/WAN IPSEC. Such services allow user to build secure tunnels via untrusted networks. Everything that is passing via the untrusted net is encrypted by IPSEC gateway machine and also decrypted by a gateway at the other end. As a result from this, will be the VPN (Virtual Private Network) which is a network that is effectively private even though it has machines at numerous sites connected by the insecure internet.

Secure Shell (ssh) and stelnet

stelnet and ssh are suites of programs which allow user to login to the remote systems and have an encrypted connection.

openssh is another suite of programs but is used as a secure replacement for rlogin, rsh, and rcp. It uses the public-key cryptography for encrypting the communications between 2 hosts, as well as for authenticating users. It can also be used for securely logging into a remote host or for copying data between hosts, while preventing the man-in-the-middle attacks and/or the DNS spoofing. It’ll perform the data compression on users’ connections, and will secure X11 communications between the hosts.

SSLeay is a free implementation of Netscape’s SSL protocol. It has several applications including Secure telnet, several databases, a module for Apache, as well as various algorithms such as Blowfish, DES, and IDEA.

PAM (Pluggable Authentication Modules)

Newer versions of the Debian Linux and Red Hat Linux distributions ship with unified authentication scheme which is called “PAM”, which allows user to change his authentication requirements and methods on the fly, as well as encapsulates all the local authentication methods without the need to recompile any of his binaries.

Following are some things that user can do with PAM:

  • Allow particular users to login only at particular times from particular places.
  • Set resource limits on all his users so they can’t perform denial-of-service (DoS) attacks.
  • Use encryption other than DES for his passwords to make them harder to brute-force decoding.
  • Enable shadow passwords on the fly.

Within a few hours of user’s system installation and configuration, he can prevent various several attacks before they even occur.

Cryptographic IP Encapsulation (CIPE)

The main goal of this encryption software is providing a facility for secure subnetwork interconnection across insecure packets network such as the internet against eavesdropping, including faked message injection, and traffic analysis.

Cryptographic IP Encapsulation encrypts the data at the network level. Packets that are traveling between hosts on the network are encrypted. The encryption engine is placed near the driver that sends and receives those packets.

This is unlike SSH that encrypts the data by connection, at the socket level, not the network level. The logical connections between programs that are running on different hosts are encrypted.

Cryptographic IP Encapsulation can be used in tunneling for creating a VPN. Low-level encryption has the advantage that it may be made to work transparently between the two networks connected in the Virtual Private Network, without change to the application software.

Shadow Passwords

Shadow passwords are other means of keeping user’s encrypted password information secret from other normal users. Newer versions of both Debian Linux and Red Hat use the shadow passwords by default, but on any other system, encrypted passwords are stored in /etc/passwd file for all users to read. Anyone can then run any password-guesser program on them and try to find out what they are.

Shadow passwords, on the contrary, are stored in /etc/shadow that only privileged users can read. For using shadow passwords, user needs to make sure all his utilities which need an access to the password information are recompiled to support them. PAM that I described above also allows you to just plug-in a shadow module as it doesn’t require any re-compilation of the executables.

“Crack” and “John the Ripper”

If for any reason your passwd program isn’t enforcing hard-to-guess passwords, then user might need to run a password-cracking program and make sure that his users’ passwords are secure and safe.

There is a simple idea behind password cracking programs which is that they try each word in the dictionary, and variations on those words, encrypting every word and checking it against the encrypted password. If they could get any match, then they know what user’s password is.

There’re wide range of programs out there in the market but there’re two most notable which are “Crack” and “John the Ripper”. They’ll take up a lot of user’s CPU time, but user should be able to tell if the attacker could get in via using them by running them first by himself and notifying all users with weak passwords. User also should note that the attacker would have to use any hole first in order to read the /etc/passwd file, but such holes are more common than user might think.

There are also other encryption methods in Linux that I didn’t cover here such as Cryptographic File System, TCFS (Transparent Cryptographic File System), X11, SVGA and display security. I will cover them later in another post with more details that give all our reader fully valuable information which they are always expecting to get here.