Linux Cryptography explained (Symmetric encryption & hashes).

CRYPTOGRAPHY

It is the art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text. Only those who possess a secret key can decipher (or decrypt) the message into plain text. Encrypted messages can sometimes be broken by cryptanalysis, also called code breaking, although modern cryptography techniques are virtually unbreakable.


Symmetric Encryption:
Encryption algorithms that use the same key for encrypting and for decrypting information are called symmetric-key algorithms. The symmetric key is also called a secret key because it is kept as a shared secret between the sender and receiver of information. Otherwise, the confidentiality of the encrypted information is compromised.

Kerckhoff's principle (also called Kerckhoffs' assumption, axiom or law) was stated by Auguste Kerckhoffs in the 19th century: It states --
“a cryptosystem should be secure even if everything about the system, except the key, is public knowledge”.


Symmetric encryption is of two types:
1> Stream ciphers (encrypt the bits of the message one at a time)
2> Block ciphers (take a number of bits and encrypt them as a single unit)

Examples of Commands for encrypting & decrypting files in Linux:
>openssl enc -des3 -salt -a -in myfile.txt -out encryptedfile.des3
>openssl enc -d -des3 -salt -a -in encryptedfile.des3 -out myfile.txt
OR
>gpg -c --cipher-algo des3 myfile.txt
>gpg -d --cipher-algo des3 myfile.gpg


"openssl enc" & gpg r utilities for encryption.
des3 (block cipher) is an algorithm used for encryption. In place of it, aes (Advanced Encryption Standard algorithm approved by NIST in December 2001 uses 128-bit blocks), blowfish, twofish, CAST5 can be used for gpg. Similarly aes, blowfish, aes256,aes192, rc4 are for openssl enc.
a = armour – convert into ASCII (unicode character must be converted into ascii code before encryption)
salt = salt, to add uniqueness to same text(pc takes arbitrary salt value from the present state of cpu such as cursor position, RAM state etc)
Eg. If two person have the same password, their encrypted password will be different, credit goes to salt value. U can see ur password's salt value in /etc/shadow file. It is a part of the encrypted password text that is between $s, like $12Re.jfhrr343!k$
In gpg --ciper-algo is optional.

Cryptographic Hashes:

A "hash" (also called a "digest", and informally a "checksum") is a kind of "signature" for a stream of data that represents the contents.
A hash function takes a string (or 'message') of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.

To compute a message digest, issue the command:
>openssl dgst -sha1 /boot/grub/grub.conf

If any one tampers grub, u will be informed (a shell script will do that which will compare previous checksum with present checksum).
openssl dgst is a flexible tool for generating message digest.
In place of grub path, it can be any file.
U may use -md5, -sha, -sha256, -md4, -md2, -ripemd160 algos etc in redhat, in place of -sha1. Of course u have seen -md5 digest, when u r downloading some files, software, OS etc. It is used to confirm that the file downloaded has not been tampered in between while downloading.

Ways of Disabling Linux-ROOT login!!

---

If you wish to disable root login due to some security reasons or you wanna troubleshoot root login problem, here are some methods>>>>>

1.---------->
> Open the file /etc/passwd
> Append the line root:x:0:0:root:/root:/bin/bash to root:x:0:0:root:/root:/sbin/nologin
Root login is disabled now.
[It's self explainatory] Undo it for enabling.

2.----------->
> Change the rwx rights of file /etc/securetty to any value, other than 600(ie. rw-------). This file is tty login file.
Eg. chmod 644 /etc/securetty
Undo it by, chmod 600 /etc/securetty

3.----------->
> Open the file /etc/securetty
> Comment out the terminal using #, in which u wanna deny access to root.
Take a look at my /etc/securetty file
__________________________________________________
#tty1
tty2
tty3
#tty4
tty5
tty6
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
__________________________________________________

There are 6 cli terminals, which r marked as tty1,tty2 ........
You can enter those by pressing combination of Alt+Ctrl+f1, ie. for terminal 1, for terminal 2 replace f1 by f2 & so on for other terminals.
Press Alt+Ctrl+f7, for coming back to the gui.
After you comment out the terminal, u can't login to that terminal, it will display :login incorrect
(Undo by removing the hashes from file)

4.----------->
> Create a file in /etc directory by the name "nologin".
In this method, all users get blocked.
Eg. Execute command --> 'touch nologin' or 'cat nologin'

5.----------->
> Type the command --> 'chage -E 0 root'
This command just expires the root password....
Just try to observe the difference in the 1st line of file /etc/shadow, before & after the execution of the given command.

root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99 999:7:::

root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99 999:7::0:

Ya, you are right, there is a extra zero at the end. That stands for the days left, for your password expiry.
Undo it by issuing the command --> 'chage -E NEVER root' or 'chage -E 99999 root'
Issuing the last command will replace the 1st line of /etc/shadow to....

root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99 999:7::99999:

You can also do this by directly appending the file.

6------------->
Ok first, as root, you need to install sudo. Next, also as root, you need to edit the file /etc/sodoers. Add the following line --

Code:

username ALL=(ALL) ALL

replace username with the user you want to be able to access root permissions.
now to disable the root account --
as root type the following at the command prompt

Code:

passwd -l root

the -l flag will lock the root account. No longer will root logins be possible on your box. It is simple to get them back, you just need to do the following --

Code:

sudo passwd root yourpasswordhere

-------------X------------

Ofcourse, there are some more ways for blocking root login. But I don't wanna risk my PC, trying those now.
These methods works fine in Redhat & Mandriva, so these should work on other Linux OSs.
For troubleshooting, these conditions should be checked for correct settings.
If you get trapped, using these methods, try login at runlevel 1 at grub-menu or use rescue CD, as I suggested in the thread
"Securing ROOT password!!"

*****************************Have A Nice Day !!************************

Securing ROOT password!!

In case, u forget ur root password or u wanna access the system with root privileges without knowing root password, u can easily change it by following these steps >>>

> Boot ur PC.

> Switch to linux OS listed in the Grub menu & press e( in Redhat), if it doesn't works then press f2 (in Mandriva), or try any other option which is listed in the boot screen untill u see the booting parameters for that OS, like...
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7 splash=verbose vga=788
(ie. for Mandriva )

>Edit it, press space & 1 at the end of the line, so that it becomes....
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7 splash=verbose vga=788 1
now press b for or simply enter key.

>Now the OS boots to runlevel 1 (that is single user mode, only root is logged on & is used for maintenence purposes), & sh prompt appears.

>Type the command passwd & then enter

>Type your new password 2 times, it goes like this..
INIT:entering single user mode
sh3.2-#passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

>Type exit & enter.

Now ur root password is changed, so u can see, how easy it is for someone to break ur root password.

So we will now try to block the way through which someone can change the boot parameters
Here r the steps >>

>Open the terminal..
Type command, grub-md5-crypt & press enter, then enter your desired password for grub menu 2 times.. it goes like this...
[root@localhost ~]# grub-md5-crypt
Password:
Retype password:
$1$fEY8n$JcQYHPGCuYkxxKupgaB6c0

> Now u can see that, some junk characters appear on ur terminal. Next u have to edit menu.lst (or grub.conf in Redhat)
Copy the junk characters (which is md5 encryption of ur grub password).
Execute vi /boot/grub/menu.lst
Now observe the file menu.lst if u can see the line "hidden menu" {I'm assuming, u r familiar with vi editor basics}
If it is there, then type below it "password --md5 $1$fEY8n$JcQYHPGCuYkxxKupgaB6c0".
Else type above the line "default i" (i >=0, any integer value, depends on which OS u wanna boot by default, starting from zero)
hiddden menu
password --md5 $1$fEY8n$JcQYHPGCuYkxxKupgaB6c0
**If u wanna lock a particular OS, type "lock" below the OS specification. The OS will be locked & for booting it, u have to enter the grub-password.
Take a look at my menu.lst>>>>
__________________________________________________ __________________________________________________ ___________________________
timeout 10
color black/cyan yellow/cyan
gfxmenu (hd0,9)/gfxmenu
splashimage=(hd0,9)/boot/grub/hubble.xpm.gz
hiddden menu
password --md5 $1$MWiym$3QLabLcVRSyVUYIRa1aKy/
default 0

title MANDRIVA-Linux
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7 splash=verbose vga=788
initrd (hd0,9)/initrd.img

title linux-nonfb
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux-nonfb root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7
initrd (hd0,9)/initrd.img

title failsafe
kernel (hd0,9)/vmlinuz BOOT_IMAGE=failsafe root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 failsafe
initrd (hd0,9)/initrd.img

title Windows-VISTA
root (hd0,0)
makeactive
chainloader +1
lock

title Windows Recovery
root (hd0,3)
makeactive
chainloader +1
lock
__________________________________________________ __________________________________________________ ___________________________

Save & exit from menu.lst.

Now boot your pc & try to edit the boot parameters as you did in first section, grub-menu displays --enter p to unlock next set of features.
Press p, it will prompt for grub-password, after entering grub-password, u can edit booting parameters & enter the locked OS.
************************MISSION-------ACCOMPLISHED************************

Hey, its not over yet.....................
Your root password is still not safe..................

Insert your bootable linux cd/dvd (or rescue cd)......
Process may be very different for different linux distribution, so I'm just explaining it in a simple way.
Mount ur / drive to /mnt.
Type passwd & change ur root password or Open etc/shadow & delete the Encrypted root password.
Eg. Change the line..........
root:$1$JK9GUDoD$9WXbaXbYRm61C7WdI12KI.:14202:0:99 999:7::: to root::14202:0:99999:7:::
The root password is cleared.
Also delete the line --> password --md5 $1$MWiym$3QLabLcVRSyVUYIRa1aKy/ from menu.lst file for clearing the grub-password.
And reboot.

So a person with some experience in linux (with a rescue cd) can takeover ur less configured system..
So the threat of physical access by a individual can't be ignored....
U can still block him, by enabling BIOS password......(there may be other ways too.)

Moral of the story ------------> A Social Engineering attack may be Lethal.

I think, its quite knowledgeable for Linux-newbies.

Plz post ur suggestion, comments,corrections & feedback............

Thanx for reading such a big thread!!