Debian & Ubuntu « D-kriptik Blog

Archive for the ‘Debian & Ubuntu’ Category

Quickies: TLS reneg, Karmic, beauty, suggest, TC

Thursday, November 12th, 2009

By now, everyone has heard of the TLS renegotiation vulnerability,

Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well. Although this research has focused on the implications specifically for HTTP as the application protocol, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.

A nice write-up of the issue can be found here,

Marsh Ray has published a new attack on the TLS renegotiation logic. The high level impact of the attack is that an attacker can arrange to inject traffic into a legitimate client-server exchange such that the TLS server will accept it as if it came from the client. This may allow the attacker to execute operations on the server using the client’s credentials (e.g., order a pizza as the client). However, the attacker does not (generally) get to see the response. Obviously this isn’t good, but it’s not the end of the world. More details below.

As for the response of a popular SSL/TLS implementation, the OpenSSL security advisory can be found here,

The workaround in 0.9.8l simply bans all renegotiation. Because of the
nature of the attack, this is only an effective defence when deployed
on servers. Upgraded clients will still be vulnerable.

A TLS extension has been defined which will cryptographically bind the
session before renegotiation to the session after. We are working on
incorporating this into 0.9.8m, which will also incorporate a number
of other security and bug fixes.

Oh, and about Tor,

The Tor protocol isn’t vulnerable here because 1) it doesn’t allow data to be sent before the renegotiation step, and 2) it doesn’t treat a renegotiation as authenticating previously exchanged data (because there isn’t any).

A couple of minor notes when upgrading Ubuntu Jaunty (9.04) to Karmic (9.10)…

Karmic no longer uses event.d.

The version of upstart included in Ubuntu 9.10 no longer uses the configuration files in the /etc/event.d directory, looking to /etc/init instead. No automatic migration of changes to /etc/event.d is possible. If you have modified any settings in this directory, you will need to reapply them to /etc/init in the new configuration format by hand.

I found this page to provide useful addition information.

This specification contains the documentation for the Upstart packaging and upgrade policy.

For example, for the purposes of djbdns, this meant that the “/etc/event.d/svscan” configuration had to be converted to “/etc/init/svscan.conf”. I ended up using the following, which is slightly different than what the Ubuntu djbdns package installs (bullet point 8 of this post is relevant).

# svscan - daemontools -- http://www.froyn.net/blosxom/blosxom.cgi/2007/1/12
#
# This service starts daemontools from the point the system is
# started until it is shut down again.

start on runlevel [2345]
stop on runlevel [!2345]

respawn
exec /usr/bin/svscanboot

And, rsyslog is now in use,

The sysklogd package has been replaced with rsyslog. Configurations in /etc/syslog.conf will be automatically converted to /etc/rsyslog.d/50-default. If you modified the log rotation settings in /etc/cron.daily/sysklogd or /etc/cron.weekly/sysklogd, you will need to change the new configurations in /etc/logrotate.d/rsyslog. Also note that the prior rotation configurations used .0 as the first rotated file extension, and now via logrotate it will be .1.

I played around a little with logging in Ubuntu 8.10 in this post (bullet point 7).

(On a side note, if you are doing more than just simple basics with syslog, it may be time to consider replacements like rsyslog and syslog-ng.)

Didn’t I mention beauty and elections at some point? Yep,

Perhaps a just as simple and maybe better way to pick who will be elected president than answering “who is taller?” is to answer this more general question – who best looks the part? (A little lamination goes a long way. ) And, of course, a consensus answer gives better results than each individual answer here.

Well, this paper fits right in with that post.

Are beautiful politicians more likely to be elected? To test this, we use evidence from Australia, a country in which voting is compulsory, and in which voters are given ‘How to Vote’ cards depicting photos of the major party candidates as they arrive to vote. Using raters chosen to be representative of the electorate, we assess the beauty of political candidates from major political parties, and then estimate the effect of beauty on voteshare for candidates in the 2004 federal election. Beautiful candidates are indeed more likely to be elected, with a one standard deviation increase in beauty associated with a 1½ – 2 percentage point increase in voteshare. Our results are robust to several specification checks: adding party fixed effects, dropping well-known politicians, using a non-Australian beauty rater, omitting candidates of non-Anglo Saxon appearance, controlling for age, and analyzing the ‘beauty gap’ between candidates running in the same electorate. The marginal effect of beauty is larger for male candidates than for female candidates, and appears to be approximately linear. Consistent with the theory that returns to beauty reflect discrimination, we find suggestive evidence that beauty matters more in electorates with a higher share of apathetic voters.

This made me laugh.

[...]But I was most impressed with this anonymous bit of genius dug up by Digg, which uses Google for some armchair sociolinguistic analysis. The graphic compares “less intelligent” queries with “more intelligent” queries, such as “how 2″ with “how might one:”

Lastly, TrueCrypt 6.3 has been with the following new features.

Full support for Windows 7.

Full support for Mac OS X 10.6 Snow Leopard.

The ability to configure selected volumes as ’system favorite volumes’. [...]

Oh, and I should mention… So, we had hotplug and cold boot. And, of course, when your system is up and running and transparently encrypting/decrypting data, a stock exploit of, say, the OS could easily mean game over. Now, people are using bootkit functionality against TrueCrypt.

The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care about adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.

While gaining physical access to a system and tampering with the hardware or popping on a malicious bootloader or what have you, and then the victim using that compromised system, which proceeds to, say, record the TrueCrypt password for the attacker, is outside the protections of the basic TrueCrypt FDE scenario, seeing bootkits demonstrating their capabilities against TrueCrypt and illustrating just what protections tools like TrueCrypt do and do not provide is quite cool. (And, with that horrific sentence, this post draws to its close.)

Posted in Crypto, Debian & Ubuntu, Security | No Comments »

Quickies – FIPS 186-3 etc., other notes, metro, etc.

Thursday, June 11th, 2009

Just a few quick and mostly old notes accumulated over the last few months…

–

FIPS 186-3 has been released, as announced here.

This notice announces the Secretary of Commerce’s approval of Federal Information Processing Standard (FIPS) Publication 186–3, Digital Signature Standard (DSS). FIPS 186–3 is a revision of FIPS 186–2. The FIPS specifies three techniques for the generation and verification of digital signatures that can be used for the protection of data: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adelman (RSA) algorithm. Although all three of these algorithms were approved in FIPS 186–2, FIPS 186–3 increases the key sizes allowed for DSA, provides additional requirements for the use of RSA and ECDSA, and includes requirements for obtaining the assurances necessary for valid digital signatures. FIPS 186–2 contained specifications for random number generators (RNGs); this revision does not include such specifications, but refers to NIST Special Publication (SP) 800–90 for obtaining random numbers.

[...]FIPS 186–3 allows the use of 1024, 2048 and 3072-bit keys. Other requirements have also been added concerning the use of ANS X9.31 and ANS X9.62. In addition, the use of the RSA algorithm as specified in Public Key Cryptography Standard (PKCS) #1 (RSA Cryptography Standard) is allowed.

In the announcement, some of the changes between the last draft and the final document are covered in a comments received and NIST response format. I found the most interesting NIST responses to be…

This permits the use of a public key algorithm and key size that is stronger in security than a hash algorithm, so long as both provide sufficient security for the digital signature process. The use of hash algorithms that provide equivalent or stronger security than the public key algorithm and key size is still encouraged as a general practice.

NIST studied the suggestion and decided not to impose further restrictions on the selection of the public exponent e. Such restrictions would negatively impact NIST’s Cryptographic Module Validation Program (CMVP) by precluding the validation of currently accepted implementations without providing a significant increase in security.

NIST reviewed the comments and made the appropriate changes to ensure alignment with respect to the generation and management of ECDSA domain parameters. NIST deleted the statement ‘‘ANSI X9.62 has no restriction on the maximum size of [the cofactor]’’, since the current version of X9.62 imposes limitations on the size of the cofactor. NIST also revised statements regarding elliptic curve domain parameter generation for purposes other than digital signature generation.

I commented on an early draft here and mentioned a later draft here.

Update:Annex A and Annex C of FIPS 140-2 have been updated to reference FIPS 186-3.

The algorithm testing tool has been updated to include testing for FIPS 186-3 algorithms, with some exceptions. As found the announcements,

New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS8.0). This version of the CAVS tool activates the FIPS 186-3 DSA2 validation testing with the exception of generation and validation of provably prime domain parameters p and q and canonical generation and validation of domain parameter g. It also requires the IUT to specify the assurances necessary for valid digital signatures specified in FIPS 186-3.

The exceptions to the algorithm testing tool are vendor affirmed for now, as per an update to the FIPS 140-2 Implementation Guidance.

Validation testing for FIPS 186-3, Digital Signature Standard (DSS) is separated into the three digital signature algorithms. Validation testing is available for FIPS 186-3 DSA, with the exception of the domain parameter generation and validation method listed above. These methods, along with FIPS 186-3 ECDSA and RSA, will require vendor affirmation until validation testing is available in the CAVS tool.

Update: NIST has released a new version of the algorithm testing tool (8.1) that “addresses several minor modifications and enhancements to CAVS including the Addition of a cover letter template, the addition of more efficient elliptic curve routines for NIST binary (e.g.., B-163 and K-571) curves, and the modification of several minor issues.”

Speaking of FIPS, the FIPS 140-2 implementation guidance (IG) has been updated over the last few months. There has been much in the way of important and clarifying guidance, translating both “FIPS lore” and the forward thinking on algorithms/protocols as well as revs to FIPS 140 into the current requirements.

New Guidance
o04/01/09: 3.2 Bypass Capability in Routers
o04/01/09: 9.5 Module Initialization during Power-Up
o03/24/09: 7.9 Procedural CSP Zeroization
o03/10/09: 1.14 Key/IV Pair Uniqueness Requirements from NIST SP 800-38D
o03/10/09: 5.3 Physical Security Assumptions
o03/10/09: 7.8 Key Generation Methods Allowed in FIPS Mode

Modified Guidance
o03/10/09: G.1 Request for Guidance from the CMVP – Updated NIST POC.
o03/10/09: G.5 Maintaining validation compliance of software or firmware cryptographic modules – Updated references to firmware and hybrid modules.
o03/10/09: G.13 Instructions for completing a FIPS 140-2 Validation Certificate – Updated examples.
o03/10/09: 1.9 Definition and Requirements of a Hybrid Cryptographic Module – Updated to include hybrid firmware modules.
o03/10/09: 7.1 Acceptable Key Establishment Protocols – For Key Agreement; added the KDF specified in the SRTP protocol (IETF RFC 3711) is allowed only for use as part of the SRTP key derivation protocol. For Key Transport; wrapping a key using the GDOI Group Key Management Protocol described in the IETF RFC 3547.

I don’t think any of these are a surprise, but reading through it might be useful. Much has been set done cleanly here, with the possible exception of IG 9.5, which seemed more confusing than clarifying to me, but maybe that was a case of my (unfortunately) “knowing” too much about the FIPS world. Anyway, the changes to or additions of IGs 1.9, 7.1, 7.8, and 1.14 are perhaps of the most interest.

Since I have been coming at things from a more deployment side these days, I think IG 5.3 helps to illustrate how to interpret FIPS 140-2 validation results as applied to the selection and deployment of FIPS modules.

The four physical security levels of FIPS 140-2 are focused on the protection of the modules CSPs by the module itself independent of the environment the module is deployed. Therefore selection of a security level is greatly influenced by the environment the module is to be deployed. At a Level 1 security level, which does not itself provide physical security protection, in the right environment, may be an acceptable solution because the environment provides the required physical security protection features.

In this same deployment regard, IG 1.14 makes the following note.

2. The standard sets the minimum security requirements. The buyer is free to demand that the module allows for longer names. Users should be smart enough to name their modules in such a way that name collisions become extremely rare.

Also, for the old timers, the following was an area of debate back in the day. Now it is officially documented in an IG 7.8.

To be used in FIPS mode, a secret value K can be any value of the form:

K = U XOR V, (1)

where the components U and V are of the same length as K14, are “independent” of each other, and U is derived, possibly using a qualified post-processing (see below), from the output of an approved RNG in the module that is generating K. In addition, each component may be a function of other values (e.g., U = F(U’), or V = F(V’)).

The security strength of the generated value K is equal to the larger of the security strengths of U and V. In general, the security strength of K is determined by the security strength of U, and the security strength of U is the minimum of the length of U (and K) and the security strength of the RNG used to generate U. Therefore, the length of U (and K), and the security strength of the RNG used to generate U shall meet or exceed the security strength required for K. However, a vendor can claim that the security strength of the generated value K is determined by the security strength of V if it can be demonstrated that V has a higher security strength than U.

Update: NIST released revised implementation guidance. Besides “certificate annotation examples” added to a few sections, there was the following modification.

08/04/09: 7.1 Acceptable Key Establishment Protocols – For Key Agreement; removed the KDF specified in the SRTP protocol (IETF RFC 3711). For Key Transport; added reference to EAP-FAST and PEAP-TLS.

Since I am on this topic, I guess a quick note that a number of new revs of the CAVS were released in months prior is in order. Most were bugfixes and tweaks, but there were some additions to supported algorithms. E.g.,

[04-15-09] — New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS7.4). This version of the CAVS tool adds the capability to test DRBG (NIST SP 800-90) implementations that do not have the optional reseed function.[...]

[03-12-09] — New release of the CAVS algorithm validation testing tool to the CMT Laboratories (CAVS7.1). In addition to minor modifications to enhance the tool, Version 7.1 of the CAVS tool adds testing for the draft of FIPS 186-3, Digital Signature Standard, Digital Signature Algorithm and file formating changes to the NIST SP 800-90 (DRBG) files to make them more similar to those used for other algorithms. As of the CAVS 7.1 release date, FIPS 186-3 is still in draft. No validations will be processed for this algorithm.

Update: NIST released the CAVS Management Manual. As per the announcements,

[08-17-09] — Posting of the CAVS Management Manual. The purpose of the CAVP Management Manual is to provide effective guidance for the management of the CAVP and other parties in the validation process.[...]

Switching direction, upgrading Gnome from 2.24 to 2.26 on FreeBSD through the ports went mostly smoothly. As always, follow the FAQ. I had been using xulrunner for a while, but I was happy to see this change for the removal for FF2.

A FreeBSD port of libxul-1.9 has been added as an alternative Gecko provider to Firefox 2. This can be used by setting WITH_GECKO=libxul in /etc/make.conf.

And, on Ubuntu, this deadlock hit me after upgrading to Ubuntu Jaunty (2.6.28-11.server). I have been manually loading the padlock drivers for quite some time via /etc/modules. To avoid the issue, I added in manual loading of the generic kernel crypto implementations for aes, sha1, and sha256 prior to loading the padlock drivers.

Moving along, this gives me deja vu, yet made me laugh. (Please consider avoiding that previous link and the first link in the following blockquote’d text if you mind profanity.)

[...]Listen to his comedy bit about the DC metro system, which is he says is “the [...] Tron compared to NYC subways[...]

Having lived both in NYC and DC metro areas and having ridden both the NYC subway and the DC metro quite a bit, I think there are two points to make about the DC Metro system.

The DC Metro is minor in scope compared to the NYC subway. Not only is it a fraction of the size moving a fraction of the people, but it is only part-time.
The DC Metro system is designed like an X, and much of that X only has a single track going in each direction. So, if anything goes wrong in your part of the X or the center of the X, well, lets just say you are out of luck.

Now, because of point 2, even if DC blows up in size and develops a late-night night-life, it would be quite difficult to do away with point 1 in any significant fashion without some fundamental design changes. Even if you could magically do away with unexpected problems in the system (and, yes, that would have to include rainy and snowy days), you are stuck juggling trains between single tracks best case or shutting down parts of the line and running shuttle buses worst case for basically any line maintenance, significantly impacting service on those parts of the system and on the overall system as you move closer to the center of the X. This becomes even more acute due to the increased wear and tear that lovely, underground center of the X suffers, especially as you ramp up service to handle more people or longer hours.

The NYC subway system, by contrast, looks like a bunch of parallel lines that crisscross here and there, and these multitudes of lines generally have multiple tracks supporting each direction. While there may be sparse coverage at some points (e.g., parts of Queens come to mind) and a large concentration of lines at other points (e.g., Manhattan), you still tend to end up with lots of independent enough ways to route around much of the maintenance work and unexpected problems such that the effect on the overall system tends to be quite limited and interruptions to the particular parts undergoing work or suffering issues can be mitigated/minimized (e.g., the handling of maintenance work on the 7 line happening right now), even in spite of 24/7 operation.

Like so much else that varies between NYC and its neighbors, there is a big difference in the scale/scalability and availability requirements of public transportation for an enormous 24/7 city accustomed to public transit and a large 18/7 city accustomed to the beltway. So, when it comes down to how to spend limited resources, one gets beauty sleep, the other keeps on keeping on.

Finally, it has been a while since I have pointed out notably pleasant customer service experiences. So, here is some praise for the LIRR cleaning crew in Penn Station left in a comment.

To Whom It May Concern, I would like to praise all the cleaning men and women who work in the station. They all do a fantastic job on keeping the station clean.

Posted in BSD, Crypto, Customer service, Debian & Ubuntu, Off-topic | No Comments »

Notes – ff3, -n, ps, misc tools, lsof/fstat, etc

Tuesday, March 17th, 2009

Since there was some interest in the previous post, here are a few more notes and tips. Most often I forget to mention those standard tools we all take for granted, so I threw in some of those in as well. Oh, and I won’t be keeping up this extremely rapid posting rate (i.e., 2 in about week). (Note: If I played with any of what is written here, it was on Ubuntu 8.10 or FreeBSD 7.1.)

By default in Firefox 3, when opening Tools->Add-ons, Firefox sends queries to *.mozilla.com in order to populate the “Get Add-ons” pane. This pane and its “paneful” behavior can be disabled by setting the “extensions.getAddons.showPane” preference to “false” through, say, “about:config”.
Using the “-n” option is your friend for listing network address information with utilities like “lsof” (e.g., “lsof -n”), “netstat” (e.g., “netstat -an”), and “iptables” (e.g., “iptables -n –list”), as it prevents the resolving of numeric network addresses, which can be annoying, revealing, and time consuming.
Dislike when ps truncates rather than wraps? The “w” (wide output – 132 columns) or “ww” (unlimited width) option is your friend. If you need finer-grained control than that for some reason, you could try setting a “COLUMNS” environment variable in your shell to override the width determined by ps automatically. Or, in a nod to a later bullet point in this post, you may have additional ps options, like the “–cols” or “–columns” options that can be used to specify these settings in the GNU/Linux ps world.
In much of the *n[iu]x world, if you want to know how many lines, words, or bytes are in a file (or stdin), “wc” is often where its at.
Want to log to syslog using a command from a shell in much of the *n[iu]x world? Try “logger”.
In the much of the *n[iu]x world, ldd can be used to list the shared object (i.e., dynamically linked library) dependencies of a binary. (A question of what stock commands there are available to do this came up on a non-technical mailing list I am on recently.)
On GNU/Linux, lsof can be used to list open files, and it is quite a powerful utility. (A question of what stock commands there are available to do this came up on a non-technical mailing list I am on recently.) For example, “lsof +L 1″ will list all open files that have a zero link count (e.g., open files that are unlinked from the file system – this is useful to play with if you have ever wondered why you can upgrade packages/ports in place that have currently running applications).
Now, on GNU/Linux, you can dig into “/proc”, which contains a wealth of kernel information. Browsing the contents of “/proc/[pid]” can be used to access the process information for a particular process, and, coming back to our example, this includes the contents of files open by that process – e.g., “/proc/[pid]/fd/[fd]” for files open by the process and “/proc/[pid]/exe” for the executable of the process itself, both of which can be used to access the contents of files open by the process with a zero link count.

On FreeBSD, fstat can be used to list open files; however, it does not have quite the same flexibility as lsof. For example, listing open files with a zero link count is not simply a matter of command line options to fstat, although you could hack a script together utilizing fstat with other standard tools available on FreeBSD, hopefully unlike the following.

#!/bin/sh # This is worse than the worst kludge. Do not use it. dofind() { # This find is ugly and potentially huge. Not to mention, pkill could # run amuck. Perhaps you could use info gathered from, say, # "ps wwe -p $pid -o command=" to help refine these searches, # but, like I said, all of this herein is worse than the worst kludge. find -x $mount -inum $inum -exec pkill -SIGINT -f -n -g 0 -s 0 \"find -x $mount -inum $inum -exec pkill\" \; 2>/dev/null return $? } doout() { echo "$cmd $pid $user $fd $szdv $mode $rw $inum $mount$1" `[ $1 ] || ps ww -p $pid -o command= 2>/dev/null` } fstat_unlink() { fstat $* 2>/dev/null | while read user cmd pid fd mount inum mode szdv rw junk; do case $fd in # We have the header "FD") doout " CommandWithArgs" ;; # We have a special [!0-9]*) dofind [ $? -eq 1 ] && doout ;; # We have a standard except non-inodes *[0-9]) dofind [ $? -eq 1 ] && doout ;; esac done } fstat_unlink $*

Now, FreeBSD has variants of /proc (procfs and linprocfs), but these are not quite as free with the information as on Linux. This means our example of extracting information from open but unlinked files may be a bit more involved; however, you can still fall back on standard tools on FreeBSD to do it, such as fsdb and dd. For example, once you have a list of the inodes and devices for unlinked files, then you can access FFS inode data with “fsdb -r” using its “inode” and “blocks” CLI commands to get the disk blocks of the relevant inodes, and then use “dd if= bs= count= skip=” to dump the disk blocks associated with the inode, perhaps into a file.

Or, you could just write some code. However, if you dig into the FreeBSD ports, you will find that lsof is available there. As are tools/toolkits like foremost and sleuthkit. No need to reinvent the wheel.
Little tweaks to common system applications can be tricky business in the *n[iu]x world. For example, take the stock find on Ubuntu GNU/Linux (8.10) and FreeBSD (7.1). In this particular GNU/Linux world, our find comes with a “-quit” action that can be used to exit find after it has found particular results; however, in this particular BSD Unix world, we find that our find does not support “-quit”, yet we can combine pkill with the “-exec” primary/action of find to have a “find” process kill itself after it has found particular results. A form of this use is illustrated by the kludge script above. Also, being specifically tied to this particular BSD Unix world, that same kludge script uses “-x” over the equivalent “-xdev”, but, in this particular GNU/Linux world, find provides solely “-xdev”. Yet another example, the find in this particular BSD Unix world has the “-X” option to allow for safe use with xargs, but the find in this particular GNU/Linux world sticks with the good old “-print0″ and “xargs -0″ technique.
With all this lovely variation, it is often good practice to at least know if not use the more standard, common, portable variants of commands and their options, as you never know where you may find yourself or your scripts ending up.
Having worked with iptables quite a bit of late has served to remind me of the elegance of pf.
bangbang, baby. shell-fu.

Posted in BSD, Debian & Ubuntu | No Comments »

Some notes – ff3, gpg, iptables, dhclient, printk, djbdns

Wednesday, March 11th, 2009

I have been lax on my note taking, but here are a few notes and tips that have come up over the last few months. (I think I did better with formatting this time, after some mockery for this post.)

Firefox 3 is configured to download a BBC news feed (Bookmarks->Bookmarks Toolbar->Latest Headlines) by default. You can just remove the offending bookmark to do away with this behavior.
The way import and export of OpenPGP keys with multiple sub-keys works in GnuPG (1.4.9) is a bit counter-intuitive to me. If you generate a new sub-key pair for an OpenPGP key in a GnuPG key ring and then export the public and secret components of that OpenPGP key, and then try importing that OpenPGP key into another GnuPG key ring that already has an older version of that OpenPGP key (i.e., the version prior to the addition of a new sub-key pair), the already existing and unchanged components of the OpenPGP key will remain unchanged (as expected) but only the public component of the new sub-key will be imported (as unexpected). In order to get the complete OpenPGP key imported, you will first have to delete the public and private components of the key from the key ring into which you want to merge this updated key (back up the key ring first), and then import the key. Also, you may want to (re)set the trust of the key after doing so.
On FreeBSD, “pkg_deinstall” is quite helpful in pruning your installed ports tree, especially for the clean up of dependencies for ports that are being, or have been, removed – in particular the “-r” and “-R” options, which have the same meaning as with “pkg_info” (in reverse) or “portupgrade”. Also, I find running “portupgrade -an” useful to see what will be upgraded prior to actually doing the upgrades.
Using a box running Ubuntu (8.10) server (without X and its children) with iptables for IP forwarding with NAT is quite easy. An extremely helpful concept to keep in mind is that, within the “filter” table (the default table), the “INPUT” and “OUTPUT” chains are for packets terminating or originating at the box respectively, while the “FORWARD” chain is for packets flowing through the box. So, say you have a box already configured with “filter” table “INPUT” and “OUTPUT” rules that make you comfortable; adding “filter” table “FORWARD” rules does not generally require modification to these existing “filter” table rules, although you may want/need to tweak things a bit for your new setup. However, you do need to remember to consider which “INPUT” and “OUTPUT” rules you also want applied to “FORWARD” rules and set things up accordingly. Also, the “nat” table is independent of the “filter” table and its rules are used to mangle packets rather than filter them.
With that said, this HOWTO contains a helpful example set of rules for IP forwarding with NAT using iptables.
On Ubuntu (8.10) server (without X and its children), dhclient has the ability to run scripts before (“/etc/dhcp3/dhclient-enter-hooks.d/”) or after (“/etc/dhcp3/dhclient-exit-hooks.d/”) it configures interfaces from the information gathered through DHCP, a nice supplement to the good old “/etc/network/pre-if-up.d/” and “/etc/network/if-up.d/”, and “/etc/network/pre-if-down.d/” and “/etc/network/if-down.d/”. So, for example, you can use this to reload your iptables rules, if, say, you have rules tied to information that was configured via DHCP. Or, to invoke ddclient, if you have a public IP address assigned via DHCP and use a dynamic DNS service.
E.g. a very generic ddclient script,
```
sudo vi /etc/dhcp3/dhclient-exit-hooks.d/ddclient
```
And add something like the following to it,

(Note: This is an illustration and has not been tried by me exactly as it is here. Actually, ddclient seems like a rather poor example for this, but oh well.)

# Note: only really makes a slight bit of sense if an interface # is configured with a DHCP assigned public IP address, and that # is the interface used by ddclient. DDCLIENT_CONF=/etc/ddclient.conf DDCLIENT_CACHE=/var/cache/ddclient/ddclient.cache DDCLIENT_USER=ddclient rerun_ddclient() { [ -e /usr/sbin/ddclient ] || return [ -e $DDCLIENT_CONF ] || return # Note: ddclient performs this sort of check itself as well. if [ -e $DDCLIENT_CACHE ] && [ -n "$old_ip_address" -a "$old_ip_address" = "$new_ip_address" ]; then return fi # (I know, not /bin/sh -e, but habit.) # Runs ddclient as user other than root, but you must have # configured such a user and set ddclient up to work with them. # /usr/bin/sudo -u $DDCLIENT_USER /usr/sbin/ddclient >/dev/null 2>&1 || true # ddclient is run as root here. /usr/sbin/ddclient >/dev/null 2>&1 || true } ddclient_whattodo() { case $reason in BOUND|RENEW|REBIND|REBOOT) rerun_ddclient ;; EXPIRE|FAIL|RELEASE|STOP) ;; *) ;; esac } ddclient_whattodo

The manpage for “dhclient-script” details the various “$reason”’s for why dhclient-script is being invoked as well as the other variables available, such as “$new_ip_address” and “$old_ip_address”, that can be used to determine the actions you want your scripts to take. Also, “/sbin/dhclient-script” uses “run-parts –list” to generate the list of scripts to be invoked, and this list is alphabetical. So, if your scripts need to be invoked in a certain order, keep that in mind.

Note: While outside the scope being discussed here, if you are using the Gnome (2.24) NetworkManager to manage your network interfaces, then dhclient is invoked with the “-sf” option to override the use of the standard “/sbin/dhclient-script” with “/usr/lib/NetworkManager/nm-dhcp-client.action”, which does not run the scripts in “/etc/dhcp3/dhclient-enter-hooks.d/” or “/etc/dhcp3/dhclient-exit-hooks.d/”. You may still make due with using the good old “/etc/network/pre-if-up.d/” and “/etc/network/if-up.d/”, and “/etc/network/pre-if-down.d/” and “/etc/network/if-down.d/”, which have generally been fine for my use cases. Or, perhaps you could probably write a script to monitor D-Bus for a “PropertiesChanged” signal from “org.freedesktop.NetworkManager.DHCP4Config” and then check if a new IP has been assigned. Or, maybe there is a more standard plugin mechanism. Who knows, I haven’t played with it.
On Ubuntu (8.10) server (without X and its children), dhclient has this habit of overwriting “resolv.conf” by default. This is useful in many cases, but, if not, you can override it creating a custom “make_resolv_conf()” function in “/etc/dhcp3/dhclient-enter-hooks.d”.
E.g.,
```
sudo vi /etc/dhcp3/dhclient-enter-hooks.d/donotmodifyresolvconf
```
And add something like the following to it,

make_resolv_conf() { return }

Note: While outside the scope being discussed here, if you are using the Gnome (2.24) NetworkManager to manage your network interfaces, then, as noted previously, dhclient is invoked with the “-sf” option to override the use of the standard “/sbin/dhclient-script”. So, to configure this sort of DHCP settings for a particular interface in Gnome using the NetworkManager, you could instead go to Main Menu->System->Preferences->Network Configuration, select the interface you want to configure and click “Edit”, go to the “IPv4 Settings” tab, and select “Automatic (DHCP) addresses only” along with filling in the static DNS information. Also, see this for underlying details of the settings available.
The Linux kernel “printk” setting determines what kernel messages will be displayed on the console. On a stock Ubuntu (8.10) server install (without X and its children, and using the stock syslog), one can use “sysctl kernel.printk” or “cat /proc/sys/kernel/printk” to display this setting, which will look something like “4 4 1 7″. What these numbers mean is as follows,
include/linux/kernel.h
```
#define	KERN_EMERG	"<0>"	/* system is unusable			*/
#define	KERN_ALERT	"<1>"	/* action must be taken immediately	*/
#define	KERN_CRIT	"<2>"	/* critical conditions			*/
#define	KERN_ERR	"<3>"	/* error conditions			*/
#define	KERN_WARNING	"<4>"	/* warning conditions			*/
#define	KERN_NOTICE	"<5>"	/* normal but significant condition	*/
#define	KERN_INFO	"<6>"	/* informational			*/
#define	KERN_DEBUG	"<7>"	/* debug-level messages			*/
```
kernel/printk.c
```
/* printk's without a loglevel use this.. */
#define DEFAULT_MESSAGE_LOGLEVEL 4 /* KERN_WARNING */

/* We show everything that is MORE important than this.. */
#define MINIMUM_CONSOLE_LOGLEVEL 1 /* Minimum loglevel we let people use */
#define DEFAULT_CONSOLE_LOGLEVEL 7 /* anything MORE serious than KERN_DEBUG */
```
```
int console_printk[4] = {
	DEFAULT_CONSOLE_LOGLEVEL,	/* console_loglevel */
	DEFAULT_MESSAGE_LOGLEVEL,	/* default_message_loglevel */
	MINIMUM_CONSOLE_LOGLEVEL,	/* minimum_console_loglevel */
	DEFAULT_CONSOLE_LOGLEVEL,	/* default_console_loglevel */
};
```
So, at the time of this writing, we see that “kernel.printk=”7 4 1 7″” is the 2.6 Linux kernel default; on Ubuntu (8.10), “kernel.printk” is set to “4 4 1 7″ by default (see “/etc/sysctl.d/10-console-messages.conf”). Let’s say I want “kernel.printk” to be set to “6 4 1 7″.

There are lots of ways to accomplish this. Besides “klogd -c” or the old “echo /proc/sys/kernel/printk”, sysctl can be used to set “/proc/sys” parameters at runtime (e.g., “sudo sysctl kernel.printk=”6 4 1 7″”) on Ubuntu (8.10), but such changes are lost at reboot and let’s say I want this setting applied at each boot. Ordinarily, if you want certain “/proc/sys” parameters to be automatically set at boot and you are not doing so anywhere else (e.g., in some other rc.d script), you either add files in “/etc/sysctl.d” containing the parameter settings, or you add/modify parameters in “/etc/sysctl.conf”.

Now, on Ubuntu (8.10), the settings in “/etc/sysctl.d/*.conf” are applied after those in “/etc/sysctl.conf”, which means “/etc/sysctl.d/*.conf” settings will override “/etc/sysctl.conf” settings. Since Ubuntu (8.10) uses “/etc/sysctl.d/10-console-messages.conf” to set “kernel.printk=”4 4 1 7″”, I need to either edit that conf or add my own that is set after that one. To do things “properly,” I should go with the latter, by, say, copying “10-console-messages.conf” to “60-console-messages.conf” (60 is the standard prefix for user customizations) and then editing “60-messages-console.conf” to contain “kernel.printk=”6 4 1 7″”.

I guess, rather than overriding “printk” defaults, I could instead configure the stock syslog by, say, modifying its default configuration file (“/etc/syslog.conf”) to display log entries to the console, and this could be used to cover both system logs and kernel messages. Leaving alone the Ubuntu “kernel.printk” default of “4 4 1 7″, by adding a line like “kern.info;kern.!err /dev/console”, kernel messages of priority “info” (6) or more critical should be displayed to the console (the “kern.!err” is there because we are already displaying “err” and higher priority messages by virtue of the Ubuntu default “kernel.printk” configuration). Going broader than just the kernel, a line like “*.info /dev/console” would cover all system log entries of priority “info” or more critical. Generally though, if I want kernel messages dumped to the console, I work within the parameters of the kernel itself, namely “kernel.printk”.

Coming back to iptables, the “log-level” option of iptables “LOG” rules can be used to tweak what will hit the console. Now, unless iptables is told to use a specific loglevel, the system default seems to be used. So, with the “4 4 1 7″ setting used by default on Ubuntu (8.10), iptables “LOG” rules without the “–log-level” option will not result in console messages, and only those “LOG” rules with a “–log-level err” or more serious will hit the console. With the “7 4 1 7″ kernel default, iptables “LOG rules” without the “–log-level” option will result in console messages, and only those “LOG” rules with a “–log-level debug” will not hit the console.

Tying this into syslog a bit, if, say, there are quite a bit of kernel log entries generated by iptables and whittling back the “LOG” rules is not satisfactory, syslog rules could be used to split the kernel logs into pieces to help with manual review and remove redundant logging. So, using the “–log-level debug” in “LOG” rules and adding an entry like “kern.=debug -/var/log/kern.debug” in “/etc/syslog.conf” would place all iptables log entries (and other kernel messages with a priority of “debug”) into “/var/log/kern.debug”, while the default “/var/log/kern.log” would still contain all kernel messages (and the default “/var/log/debug” would still contain most debug log entries and the default “var/log/syslog” would still contain most log entries). Or, you could split the kernel logs up into, say, “kern.debug”, “kern.info;kern.!err”, and “kern.err”, and then use “–log-level” rules to determine to which kernel log the iptables “LOG” rules are logged. Combining such a split of the kernel logs with removing kernel messages from the default logs could help reduce redundancy as well, although care should be taken because sometimes applications depend on the default logs being, well, set to the defaults. (On a side note, if you are doing more than just simple basics with syslog, it may be time to consider replacements like rsyslog and syslog-ng.)

(Whew, I hope I typed all that correctly.)

Having had to rebuild djbdns a bit recently and remembering this post, I updated “/etc/event.d/svscan” to handle a system shutdown a bit friendlier.

E.g.,

sudo vi /etc/event.d/svscan

And add something like the following to it,

(Note: The following is an example and has not been tried by me exactly as it is here. FYI, “svscanboot” might be located somewhere other than “/command”.)


# svscan - daemontools -- http://www.froyn.net/blosxom/blosxom.cgi/2007/1/12
#

# This service maintains an svscan process from the point the system is
# started until it is shut down again.

start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5

stop on runlevel 0
stop on runlevel 1
stop on runlevel 6

exec /command/svscanboot
respawn

Posted in BSD, Debian & Ubuntu | 1 Comment »

FreeBSD 7.1, etc.

Saturday, January 31st, 2009

Just a few notes:

Upgrading to FreeBSD 7.1 stable from FreeBSD 7.0 stable went smoothly.
Sort of standard steps…
- vi /usr/mykernconf7 and modify to merge in 7.1 changes into my custom kernel config.
  (The generic FreeBSD kernel configuration for the i386 platform as a starting point can be found in “/usr/src/sys/i386/conf/GENERIC”.
  - cp /usr/src/sys/i386/conf/GENERIC /usr/mykernconf7
  - ln -s /usr/mykernconf7 /usr/src/sys/i386/conf/mykernconf7
  - vi /usr/mykernconf7 and modify as desired)
- vi /usr/stable-supfile and update my custom “stable-supfile” to point to “RELENG_7_1″ by changing the relevant line to “*default release=cvs tag=RELENG_7_1″
  (A sample “stable-supfile” as a starting point can be found in “/usr/share/examples/cvsup/stable-supfile”.
  - cp /usr/share/examples/cvsup/stable-supfile /usr/stable-supfile
  - vi /usr/stable-supfile and modify as needed, such as setting the default release to 7.1 and setting the host to one of the FreeBSD cvs server mirrors)
- cd /usr/src
- cvsup -g -L 2 ../stable-supfile
- make buildworld
- make kernel KERNCONF=mykernconf7
- reboot (to single user mode)
- cd /usr/src
- mergemaster -p
- make installworld
- mergemaster
  I found there was a massive version increment of the contents in “/etc” from 7.0, so there was a lot to go through. I had a few mods to configuration and script files that needed merging, but, for the majority, just installing the new version was fine.
- reboot
With the release of FreeBSD 7.1, the FreeBSD ports have undergone a huge burst of activity. Over the course of the last month, perl, X, and Gnome have all been upgraded.

The first step is always the same here, updating the ports tree and grabbing the new index.
- cd /usr/ports
- cvsup -g -L 2 ../ports-supfile
- portsdb -Fu
The second step is always the same here too, examining “/usr/ports/UPDATING” to see if there were any special instructions relevant to upgrading my installed ports, and additionally, browsing “/usr/ports/MOVED” to see what ports have been (re)moved.

Ok, so there have a number of instructions that applied to my installed ports over the last month or so, including those for perl, X server, and Gnome. I updated multiple times and so upgraded many of these components at different intervals, which kept the mixing and matching of these instructions somewhat minimal. (On the flip side, there was a bunch of redundant (re)building of my ports.)

Of the big boys (i.e., perl, X, and Gnome)…

My first upgrade was of perl from 5.8.8 to 5.8.9, and I did this by itself, as the upgrade involved manually using a script and its guidance after installation of the upgrade perl, as per the 20090113 instructions in “/usr/ports/UPDATING” for perl5.8. (If perl troubles crop up after using this script, rebuilding the perl dependents may be best.)

Next came the upgrade of Gnome from 2.22 to 2.24 (and all other updated ports at the time), which went smoothly enough, according to the 20090114 instructions in “/usr/ports/UPDATING” for GNOME and GTK+. (During this upgrade, I discovered some issues with my perl upgrade, so I ended up just rebuilding my perl dependents, but that was not the fault of the GNOME update.)

A few days later followed the upgrade of libxcb by itself along with the rebuilding of all its dependents according to the “/usr/ports/UPDATING” 20090123 instructions for libxcb.

Then, the upgrade of X (and all other updated ports at the time). There were issues here and there after this upgrade, but these seem to have been mostly resolved by subsequent updates, as the port maintainers have been tweaking things.

As mention already, these steps were mostly incremental for me, happening in two primary bursts. If you are upgrading all of that and more at once, it might be easier to just rebuild all ports while taking “/usr/ports/UPDATING” instructions into account.
Tor stable (and development) has been updated to fix a remotely inducible heap corruption issue. Details forthcoming.

This update also fixes an important security-related bug reported by Ilja van Sprundel. You should upgrade. (We’ll send out more details about the bug once people have had some time to upgrade.)

Changes in version 0.2.0.33 – 2009-01-21
o Security fixes:
– Fix a heap-corruption bug that may be remotely triggerable on some platforms. Reported by Ilja van Sprundel.
Truecrypt 6.1a has been available for over a month. The 6.1 changes include support of tokens and smart cards, and trickery to get passed, say, USA customs.
Xen and Ubuntu have gone their separate ways.

Posted in Anonymity & Privacy, BSD, Crypto, Debian & Ubuntu, Security | 2 Comments »

Quickies: headaches, links, stories, crypto stuff, other

Wednesday, May 21st, 2008

So, I recently saw Juno for the first time, and was surprised and happy to hear Kimya Dawson permeate the soundtrack. And, I ate at wd~50, which was, well, an experience – highly recommended if you want to try something truly new.

Anyway, yes, still here. Unfortunately, this rare act of posting will be limited to a quickie – a few miscellaneous items accumulated over a couple of months.

A few headaches…

Wow, just wow.

The result of this is that for the last two years (from Debian’s “Etch” release until now), anyone doing pretty much any crypto on Debian (and hence Ubuntu) has been using easily guessable keys. This includes SSH keys, SSL keys and OpenVPN keys.

Update immediately. And be sure to do things such as regenerate all persistent keys that used random data taken from the vulnerable Debian OpenSSL during their generation – some of this type of work is handled automatically when updating your packages (e.g., OpenSSH server keys), but only you know what you have done outside this automated window.
I booted up a Windows XP box only to find that some resource of the Logitech QuickCam software had become corrupted, and this resulted in a nasty msi installer loop hitting the box as soon as a user logged in. I found this tool extremely useful in cleaning up the mess.

[..]With the Windows Installer CleanUp Utility, you can remove a program’s Windows Installer configuration information. You may want to remove the Windows Installer configuration information for your program if you experience installation (Setup) problems. For example, you may have to remove a program’s Windows Installer configuration information if you have installation problems when you try to add (or remove) a component of your program that was not included when you first installed your program.
Much to my very unpleasant surprise, I upgraded a server over here from Ubuntu Gutsy to Hardy and discovered networking for Xen DomU’s in Ubuntu Hardy 8.04 is somewhat broken. I ended up using the 2.6.24-17-xen kernel from the hardy-proposed repository, but you could also just stick with the Gutsy Xen kernel for DomU’s.
When I upgraded to Gnome 2.22 on a particular FreeBSD 7.0 system, certain things, like the clock applet, did not work. This was due to the dbus daemon not being started. Then, the hal daemon and Gnome did not want to play nice together. This page provided the information necessary to get them playing nice – in this particular instance, not mounting procfs was the problem.

Side note, I was helping someone install Ubuntu recently, and it brought to my attention yet again how much I take what I consider to be basic skills for granted when using *nix. Small things, like running an executable from within your environment path versus by directly specifying the path (the most confusing to many example of this seems to be trying to run an executable in the current working directory), are just not common knowledge. Even the whole command line itself is often scary and bizarre to people. This makes it extremely difficult to provide useful guidance for people to blindly follow (posts on this blog should never be assumed to provide step-by-step instructions – they are just some basic notes at best, as extremely helpful comments like this make obvious). And, even Ubuntu is not as trivial to use as it would appear to many that work in the *nix world.

Three useful Ubuntu and FreeBSD pages…

USN.

These are the Ubuntu security notices that affect the current supported releases of Ubuntu.[...]

FreeBSD VuXML.

Security issues that affect the FreeBSD operating system or applications in the FreeBSD Ports Collection are documented using the Vulnerabilities and Exposures Markup Language (VuXML).[...]

FreeBSD Security Advisories.

This web page contains a list of released FreeBSD Security Advisories.[...]

Story-telling is one of the fundamental tools in a teacher’s toolkit. Having done quite a bit of consulting, I have learned how invaluable a good story is to driving home particular points and building relationships. There is something fundamental about how stories effect us, perhaps stemming from our innate ability to empathesize and our massive pattern recognition horse-power.

Anyway, this site has a useful set of stories. [via exi]

Here are some stories, analogies, research findings and other examples that provide wonderful illustrations for learning, and inspiration for self-development.

In fact, the first story mirrors a recent post.

An old lady had a hearing-aid fitted, discreetly, hidden underneath her hair.

A week later she returned to the doctor for her check-up.

“It’s wonderful – I can hear everything now,” she reported very happily to the doctor.

“And is your family pleased too?” asked the doctor.

“Oh I haven’t told them yet,” said the old lady, “And I’ve changed my will twice already..”

This reminds me of a story I often tell about someone I met a while back, a graduate student in psych. She was studying aspects of the initial meeting/courtship routines of people, and would go out to bars and such and interact with potential suitors. Here these suitors were, following their typical pickup routines and sometimes spilling more than their drinks, and here she was, analyzing their interaction and subsequently writing up notes to be turned into research papers, etc.

NIST draft SP 800-108 has been released.

SP 800-108

DRAFT Recommendation for Key Derivation Using Pseudorandom Functions

NIST announces the release of draft Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. This Recommendation specifies techniques for key derivation from a secret key using pseudorandom functions (PRF). Please submit comments to draft-SP800-108-comment@nist.gov with “Comments on SP800-108″ in the subject line. The comment period closes on June 28, 2008.

Yet more KDFs.

They just don’t quit, do they?

This is the first article analyzing the security of SHA-256 against fast collision search which considers the recent attacks by Wang et al. We show the limits of applying techniques known so far to SHA-256. Next we introduce a new type of perturbation vector which circumvents the identified limits. This new technique is then applied to the unmodified SHA-256. Exploiting the combination of Boolean functions and modular addition together with the newly developed technique allows us to derive collision-producing characteristics for step-reduced SHA-256, which was not possible before. Although our results do not threaten the security of SHA-256, we show that the low probability of a single local collision may give rise to a false sense of security.

We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities $2^{18}$ and $2^{50}$, respectively. We give an example colliding message pair for 23-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. Additionally, we show non-random behaviour of SHA-256 in the form of pseudo-near collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a semi-free start near-collision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256.

[...]First we describe message modification techniques and use them to obtain an algorithm to generate message pairs which collide for the actual SHA-256 reduced to 18 steps. Our second contribution is to present differential paths for 19, 20, 21, 22 and 23 steps of SHA-256. We construct parity check equations in a novel way to find these characteristics. Further, the 19-step differential path presented here is constructed by using only 15 local collisions, as against the previously known 19-step near collision differential path which consists of interleaving of 23 local collisions. Our 19-step differential path can also be seen as a single local collision at the message word level. We use a linearized local collision in this work. These results do not cause any threat to the security of the SHA-256 hash function.

[...]We build on the work of Nikoli\’{c} and Biryukov and provide a generalized nonlinear local collision which accepts an arbitrary initial message difference. This local collision succeeds with probability 1. Using this local collision we present attacks against 18-step SHA-256 and 18-step SHA-512 with arbitrary initial difference. Both of these attacks succeed with probability 1. We then present special cases of our local collision and show two different differential paths for attacking 20-step SHA-256 and 20-step SHA-512. One of these paths is the same as presented by Nikoli\’{c} and Biryukov while the other one is a new differential path. Messages following both these differential paths can be found with probability 1. This improves on the previous result where the success probability of 20-step attack was 1/3. Finally, we present two differential paths for 21-step collisions for SHA-256 and SHA-512, one of which is a new path. The success probability of these paths for SHA-256 is roughly $2^{-15}$ and $2^{-17}$ which improves on the 21-step attack having probability $2^{-19}$ reported earlier. We show examples of message pairs following all the presented differential paths for up to 21-step collisions in SHA-256. We also show first real examples of colliding message pairs for up to 20-step reduced SHA-512.

Completely academic, but you know what they say – attacks only get better.

Interesting stuff.

NSA/CSS periodically releases declassified documents or indexes to these documents to the public. The documents listed on this page were located in response to numerous requests received by NSA on the various subjects stated and for which there appears to be a general public interest. The date after each entry reflects the most current release date of that material. When additional material for a given subject is updated then a new subject index date is posted. To select a subject index, click on the subject title.

In particular, the Cryptologic Spectrum Articles and Cryptologic Quarterly Articles have some fun reads.

An easy to cut ‘n paste into a blog post set of old web server log entries depicting an instance of Tor being used to proxy/anonymize automated probes of this web site.

anonymizer.blutmagie.de – - [13/Mar/2008:00:59:00 -0700] “GET /forum/phpbb/index.php HTTP/1.0″ 404 285 “http://forum.d-kriptik.com/phpbb/index.php” “Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)”

tor.anonymous.proxy.quex.org – - [13/Mar/2008:00:59:01 -0700] “GET /forum/phpbb2/index.php HTTP/1.0″ 404 286 “http://forum.d-kriptik.com/phpbb2/index.php” “Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)”

tor.anonymizer.ccc.de – - [13/Mar/2008:00:59:02 -0700] “GET /forum/forums/index.php HTTP/1.0″ 404 286 “http://forum.d-kriptik.com/forums/index.php” “Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)”

tor.anonymizer.ccc.de – - [13/Mar/2008:00:59:08 -0700] “GET /forum/board/index.php HTTP/1.0″ 404 285 “http://forum.d-kriptik.com/board/index.php” “Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)”

Like heat and humidity, free music and Central Park mean summer. The 2008 schedule is up at the Summer Stage web site. And, the opening Saturday looks good to me.

Vampire Weekend
Kid Sister
Ecstatic Sunshine

Saturday, June 14, 2008
From 4:00 PM to 7:30 PM
Central Park SummerStage

Posted in Anonymity & Privacy, Authentication & Identity, BSD, Conferences, Crypto, Debian & Ubuntu, Off-topic, Security | 2 Comments »

gutsy ossl padlock, conversations, truecrypt 5.0

Thursday, February 7th, 2008

So, enabling Via padlock support on my Ubuntu Gutsy system with the default kernel was kind of, well, trivial. I just configured the relevant kernel modules to be loaded at boot, which involved editing “/etc/modules.conf” and inserting “padlock_aes”, “padlock_sha”, and “via_rng” entries.

With that done, I wanted to use the Via hardware RNG as an entropy source to “/dev/random”, so I installed “rng-tools”.

After that, I wanted to get the widest range of apps using OpenSSL to take advantage of the hardware crypto by default as easily as possible, for which I came back to this page a bunch of times. This patched started me off in one direction, and I ended up heading down the path of the “devcrypto” sort of hack already in the OpenSSL code base.

So, I ended up modifying “crypto/engine/eng_all.c” (and “crypto/engine/engine.h” for the prototype) to add a separate setup function (similar to what was there for “devcrypto”) to load padlock and set it as the default engine (BTW, the “set it as default” step should not be necessary – all it does is get padlock cached as the default engine for the supported algorithms now rather than later), and then I changed the “ssl/ssl_algs.c” “SSL_library_init” function and “crypto/evp/c_all.c” “OPENSSL_add_all_algorithms_noconf” function to call this padlock setup function, which should in theory cover the number of applications out there that call “OPENSSL_add_all_algorithms” and “OPENSSL_add_ssl_algorithms.” Also, I inserted a “ENGINE_cleanup” call into the “crypto/evp/names.c” “EVP_cleanup” function, although I am not sure this is necessary (or wise).

About the only thing annoying in the process was warnings of version information not being found in my OpenSSL shared libraries. I found this useful in fixing the issue.

(Oh, and apologies to my Tor server users, as my server was up and down quite a bit while I played with these things.)

A few quickly summarized conversations of possible interest to readers.

I was in a bar talking with a couple of people that were in the USA armed forces and about to go back to deployment in the Middle East. One thing they noted was that the only attack that really scared them when they first deployed over there was IEDs. They said that the fright factor came from the fact that IEDs were something for which they were not trained at the time, IEDs were an unknown. With an outright fire fight, with people firing at them, they knew what to expect; with IEDS, everything could be going as best it can for them over there and then, out of nowhere, boom, they were seriously maimed or dead. Both figuratively and literally, IEDs hit them totally out of the blue. However, with time and experience, IEDs have become a known and expected fact of life over there, something that can be dealt with both strategically and emotionally.

The conversation reminded me of topics like this article (the links I quickly turned up for that article require logins, free or otherwise – an excerpt is here).

Another important dimension of appraisal concerns potential actions: “What can be done about the situation?” Here, controllability and its prerequisite, the stimuli’s predictability, are critical: predictable and controllable adverse stimuli generate less fear, anxiety, and pain than unpredictable and uncontrollable stimuli.

Also, Ekman’s Emotions Revealed came to mind, where there is discussion of fear being influenced by three components – intensity, timing, and coping. Coping seems to be the key being discussed here – e.g., by knowing about the threat, strategies can be developed to reduce the risk posed by the threat, and thus reduce the strength of your fear.

Ok, moving along…

I was speaking with a LEO from the NYPD while waiting for a train. We got onto the topic of PBA cards, where I learned that such PBA cards can be tied to particular officers, which was new to me. The officer informed me that the higher the rank of the officer to which the PBA card is tied, the better the chance you have of getting a reduced charge or just being completely left off the hook when stopped by an officer for some offense. However, someone with me pointed out that this whole situation was not fair, that just knowing someone should not let you off the hook. The officer replied that this was not unfair, you just have to know someone. To this, my acquaintance said that was why it was unfair, because she didn’t known anyone, as was evidenced by her lack of names to drop when getting her second speeding ticket in a roughly two month period recently. The officer’s advice, get to know someone high up in the police force or, better yet, just stop speeding. (Of course, my acquaintance left out that she broke down and cried while getting that latest speeding ticket, and the officer subsequently lowered the speed indicated on the ticket by a number of miles.)

The conversation reminded of another conversation I had a while back with a friend of mine that was an academic. He was complaining that publishing papers in his field was as much about getting the right people to sign up as coauthors (regardless of any actual contribution to the research conducted in the paper) as it was about the research being published. He said the politics degraded the science, which seems similar to my acquaintance above pointing out the politics degrading (the fair application of) the law.

Regardless, the reality is clear – who you know matters. And, as often is the case, these discussions reminded me of Cialdini’s influence, such as the power of reciprocation, social proof, and authority.

The latest release of TrueCrypt 5.0 is available, including the use of the XTS mode of operation and whole disk encryption for Windows.

Ability to encrypt a system partition/drive (i.e. a partition/drive where Windows is installed) with pre-boot authentication (anyone who wants to gain access and use the system, read and write files, etc., needs to enter the correct password each time before the system starts). For more information, see the chapter System Encryption in the documentation. (Windows Vista/XP/2003)

XTS mode of operation, which was designed by Phillip Rogaway in 2003 and which was recently approved as the IEEE 1619 standard for cryptographic protection of data on block-oriented storage devices. XTS is faster and more secure than LRW mode (for more information on XTS mode, see the section Modes of Operation in the documentation).

Speed improvements on Windows, an OSX port, and SHA-512 support are also included in this release. Good stuff.

Most everywhere I tested out this release, it worked well, with one exception – an “Insufficient memory for encryption” error I ran into on one of my somewhat older systems. Looking around at a few forums (e.g., here) and at the TC code (e.g., “BootSector.asm”, “BootMain.cpp”, “BootDefs.h”), I don’t see a workaround for the system without modifying the TC code directly to correct/masked the issue. So, this will wait for a bugfix release.

On some systems, when performing the system encryption pretest, the TrueCrypt Boot Loader reports the following error: Insufficient memory for encryption. This issue will be addressed in the next version of TrueCrypt.

Update: To help with debugging the “Insufficient memory for encryption” bug, the TrueCrypt team is requesting your help.

[...]If you encountered this error, you can help us solve this issue by booting a special test ISO image, which displays the amount of free base memory on your system. To do so, please download this file, unpack it, and burn the extracted ISO image to a CD/DVD. Then restart your computer and boot from the CD/DVD. Write down the amount of free base memory displayed by the program and email it to us or include it in a bug report (in either case, make sure the subject is: ‘Base Memory Test Report‘). Thank you.

Update: TrueCrypt 5.0a was released today (2007-02-12). Among the changes…

The memory requirements for the TrueCrypt Boot Loader have been reduced by 18 KB (eighteen kilobytes). As a result of this improvement, the following problem will no longer occur on most of the affected computers: The memory requirements of the TrueCrypt Boot Loader 5.0 prevented users of some computers from encrypting system partitions/drives (when performing the system encryption pretest, the TrueCrypt Boot Loader displayed the following error message: Insufficient memory for encryption).

I should note that one older system of mine mentioned above still fails to meet the memory requirements. Ah well.

Update: TrueCrypt 5.1 has been released.

What is new in TrueCrypt 5.1 (released March 10, 2008)

Included in the changes,

The minimum memory requirements for the TrueCrypt Boot Loader have been reduced from 42 KB to 27 KB (twenty-seven kilobytes). This allows users to encrypt system partitions/drives on computers where the BIOS reserves a large amount of memory. (Windows Vista/XP/2008/2003)

With that reduction, I can now use FDE on that problem machine noted above.

Also of note,

Increased speed of AES encryption/decryption (depending on the hardware platform, by 30-90%). (Windows)

Nice.

Posted in Code, Crypto, Debian & Ubuntu, Security | No Comments »

Quick notes on Ubuntu Gutsy with Xen and djbdns, phishing lesson, misc

Thursday, November 8th, 2007

Just when you started thinking I was beginning to clean up my messy posting habits, I went and did this…

So, I decided to migrate my Tor server, etc. and thought it would be nice to upgrade to Ubuntu Gutsy in the process. (I also took this as an opportunity to setup disk encryption, which was quick and easy.)

As part of the effort, I rebuilt the Xen guest domains I was using on this server. This part turned out to have some quirkiness, as my Xen dom-0 and dom-Us running Ubuntu Gutsy (7.10) would not place nice under the Xen 3.1 that was installed from the latest Ubuntu Gutsy Xen packages (2.6.22-14-xen kernel). By not place nice, I mean the guests would hang during the boot process and/or not provide a usable console.

So, for my reference and yours, I figured it good to point out where I found fixes/workarounds for these issues with Xen 3.1 (2.6.22-14-xen kernel) and Ubuntu Gutsy (7.10) (used for both the host and guests) – this link is where I found some guidance to help fix the issue.

In particular, I found this, which led me to copy “etc/event.d/tty1″ to “etc/event.d/xvc0″ and then replace all occurences of “tty1″ with “xvc0″ within “etc/event.d/xvc0″, useful and it worked across a couple of running dom-U’s. Alternatively, this seems like it might be a workaround, although I did not use it myself.

I found this, which led me to remove offending “hwclock” entries, took care of some hang time.

Also, I did this, which led me to replace “sda” with “xvda” in my guest’s Xen configuration and its “etc/fstab”, just to continue following the general direction Xen is going, although it did not fix any issues.

I decided to use djbdns on a dns cache server. As I was setting this up in one of my newly create Xen virtual machines, I found these instructions useful (minus the small part about tinydns, as I wanted a dns cache service – dnscache was my concern, e.g., dnscache); however, I did note one issue on my Ubuntu Gutsy install with regards to the contents of “etc/event.d/svscan” conveyed in those instructions – the use of “runlevel-” was incorrect.

In other words, under Ubuntu Gutsy (7.10), the “etc/event.d/svscan” contents should be something like what follows.

# svscan – daemontools — http://www.froyn.net/blosxom/blosxom.cgi/2007/1/12
#

# This service maintains an svscan process from the point the system is
# started until it is shut down again.

start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5

respawn
exec /command/svscanboot

I briefly noted this paper on training user’s about phishing.

Our embedded training system works roughly as follows.
People are periodically sent training emails, perhaps from
their system administrator or from a training company.
These training emails look just like phishing emails, urging
people to go to some website and log in. If people fall for
the training email and click on a link in that email, we
provide an intervention that explains that they are at risk for
phishing attacks and gives some tips for protecting
themselves.

Any manager that has ever had to train (or discipline) an employee can probably relate to some of these lessons learned.

· Embed the training into users’ regular activities so they do not have to go to a separate website to learn about phishing attacks.
· Make it clear why users are being warned—for example, what the risks are and what caused the warning.
· Do not delay the warnings; present them immediately after the user clicks on the link.
· Use training messages with the same content that users have just seen, as this helps them concretely relate to what is being discussed in the training message.
· Supplement training text with story-based graphics and annotations.
· Keep the training messages simple and short. One reason the security notices did not work well was too much text.
· Give clear actionable items that participants can easily do to protect themselves.

The “Embed the training into users’ regular activities” reminded me of what I discussed here in quite some length.

Now, lets look at a much better example. In preparation for security training, you have someone sit outside your organization auditing whether people were taking off their ID badges before leaving work, as was mandatory. As part of this audit, the auditor photographs the ID badge of someone leaving the offices still still wearing their ID badge. The next day, that person comes to work to find you sitting at their desk wearing an ID badge with their name but your face. Now, that would make an impact.

However, the actual implementation used in the paper seemed to lack the impact of my example, in that, the people in the study were asked to play someone else, which separated those people from the actions being taken and the consequences of those actions. There was no real world experience here to drive the lessons home.

Oh, and here is our old phishing lesson.

And, what techniques did we employ?

Wariness – Email should not be trusted by default. Examine email messages closely, especially if they request sensitive information, contain attachments, or provide links, and be sure to establish trust before performing any actions requested by the messages. This is just how I think, and it helps in avoiding scams.

Research – When in doubt, do some research. (An easy way to do this for messages claiming to be from a company or person you deal with is just call the company or person.) By looking at the raw message, I could see weird characteristics in the headers and the message body that indicated this was a fraud. I then used information taken from the headers and message body to identify proper abuse contacts at the relevant ISPs.

And the easiest one…

Multiple email accounts with dedicated purposes – By having specialized email accounts that are used only for certain purposes, many scam messages can be quickly identified just by being out of place. (You can also track the dissemination of your email addresses quite well by doing this.) That is how I knew this message was a scam before I even read it its contents.

Finally, UAVs have been getting a little attention in my circles for quite a while. So, this article might interest some of you.

Having evolved from military use, drones, or unmanned aerial vehicles (UAVs), are taking to the air in increasing numbers for public-service and civilian roles. They are being operated by groups as diverse as police, surveyors and archaeologists. A UAV helped firemen track the blaze that recently ravaged southern California. [...]

Reminded me of some of the things we did with model airplanes back in the day.

Posted in Anonymity & Privacy, Debian & Ubuntu, Security | No Comments »

2.6.19 (etc.) Linux kernel SHA384 HMAC update

Monday, January 8th, 2007

Oh yeah, the linux kernel SHA384 HMAC issue was patched very quickly by Herbert Xu.

I’ve put a similar fix into crypto-2.6.

But, I wanted to note the following, which is why this is in a separate post rather than an update to the original post.

Looking in the code… In sha512.c, the sha384 crypto_alg structure has cra_blocksize set to be SHA384_HMAC_BLOCK_SIZE. cra_blocksize is then used in multiple places by the HMAC implementation in the hmac.c, such as for calculating whether a key needs to be hashed because it is longer than the underlying hash’s blocksize or for the lengths of the outer and inner pads. For example, looking at the function hmac_setkey, the variable bs is set to be the result of a call to crypto_hash_blocksize. If you look at crypto_hash_blocksize, the end result of that function is to return the value of cra_blocksize. As such, the key will be hashed if it is greater than 96 bytes in length, rather than 128. opad and ipad will be treated as 96 bytes in length, rather than 128. Etc. This does not follow the HMAC standard.

Because Herbert Xu’s reply interested me.

Yes, you’re quite right. This does break SHA-384-HMAC. What’s worse is that other implementations also have similar bugs with this. Some even use a block size of 64.

Since this occurs elsewhere, perhaps it is more than just a bug. If so, can someone explain to me why this is being done? This “bug” does not shorten the SHA384 HMAC. (If you want a shorter HMAC, you would use a different HMAC or truncate the HMAC or both.) All I can think is that this “bug” may be used to lower memory usage slightly, but SHA384 is still going to pad to its blocksize. What am I missing?

(Oh, and while we are at it, linux kernel tests for SHA384 HMAC and SHA512 HMAC.

This patch adds tests for SHA384 HMAC and SHA512 HMAC to the tcrypt module. Test data was taken from
RFC4231. This patch is a follow-up to the discovery (bug 7646) that the kernel SHA384 HMAC
implementation was not generating proper SHA384 HMACs.

)

Posted in Code, Crypto, Debian & Ubuntu, Security | No Comments »

2.6.19 (etc.) Linux kernel SHA384 HMAC needs slight tweak?

Tuesday, December 5th, 2006

I may be missing something here, but I think that as of today the 2.6.8 and 2.6.18 Debian versions of the Linux kernel as well as the stock 2.6.19 Linux kernel available from kernel.org have a very slightly broken SHA384 HMAC implementation. I do not know if this applies to any other version of the Linux kernel (nor do I care to check).

The fix is just a one line correction to the #defined SHA384_HMAC_BLOCK_SIZE found in crypto/sha512.c. This is incorrectly defined as 96, when it should just be the SHA512_HMAC_BLOCK_SIZE (i.e., 128 bytes). Afterall, SHA384 and SHA512 share everything but the initial values and truncation of the output.

I don’t know if this is new nor do I don’t keep up with whom to notify in the various communities, but, if anyone cares about the one line change, a diff between my corrected version of sha512.c and the current 2.6.18 Debian Linux kernel version (or stock 2.6.19 Linux version) of sha512.c follows.

diff linux-source-2.6.18/crypto/sha512.c /usr/src/linux/crypto/sha512.c

27c27,30
< #define SHA384_HMAC_BLOCK_SIZE 96
---
> // very minor bugfix – 12-04-2006 – Andrew Donofrio
> //#define SHA384_HMAC_BLOCK_SIZE 96
> // SHA384 block size is the same as SHA512 block size
> #define SHA384_HMAC_BLOCK_SIZE SHA512_HMAC_BLOCK_SIZE

Many people said nobody is going to use SHA384 (and, by virtue, SHA384 HMAC). It seems they were right.

Update: Ok, I was bugged by some of you to submit a proper bug report at bugzilla.kernel.org. I did so, and this bug has been assigned bug number 7646.The proposed patch is as follows.

— linux-2.6.19/crypto/sha512.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.ad/crypto/sha512.c 2006-12-06 23:40:25.000000000 -0500
@@ -24,7 +24,7 @@

#define SHA384_DIGEST_SIZE 48
#define SHA512_DIGEST_SIZE 64
-#define SHA384_HMAC_BLOCK_SIZE 96
+#define SHA384_HMAC_BLOCK_SIZE SHA512_HMAC_BLOCK_SIZE
#define SHA512_HMAC_BLOCK_SIZE 128

struct sha512_ctx {

Posted in Code, Crypto, Debian & Ubuntu, Security | 1 Comment »

D-kriptik Blog