Abdulrahman AlQallaf

Decluttering my mind into the web ...








Security Summary



Important remarks:

  • I am not a computer security expert.
  • This summary is mainly for me and represents my current understanding.
  • If you are doing something serious then you should consult a computer security expert or at least double check by doing your own research.

Main sources used:




1. Security (theory)


In general, an increase in entropy is equivalent to an increase in password strength. How much entropy needed depends on your threat model (e.g., local vs. server).


Hash functions

  • Turns an input of arbitrary length to a fixed length output (non-invertible).
  • Non-cryptographic hash function is good for non-security related use cases (such as quick data retrieval).
  • Cryptographic hash function is good for security related use cases (such as password encyption with a salt).
  • A good hash function is deterministic and collision resistant.
  • Examples are sha1sum (less secure) and sha512sum (more secure).

Usage example:

$ echo "hello world" | sha1sum
  22596363b3de40b06f981fb85d82312e8c0ed511  -


Key Derivation Functions (KDFs)

  • PBKDF2 (Password-Based Key Derivation Function 2) is an example.
  • Has a computational cost parameter, which makes it deliberately slow (against brute-force attacks).
  • Useful for storing login credentials, combined with a random salt that is different for each user.
    • To verify login attempts, re-compute using the entered password and the stored salt.

For more info on the difference between a cryptographic hash function and a key derivation function, see this thread


Symmetric and Asymmetric key cryptography

  • Symmetric key cryptography: one key is used to both encrypt and decrypt data.
  • Asymmetric key cryptography:
    • public key is used to encypt data (can be shared).
    • private key is used to decrypt data (must remain secret).

Asymmetric cryptosystems provide the following set of functionality, to encrypt/decrypt and to sign/verify:

keygen() -> (public key, private key)  (this function is randomized)

encrypt(plaintext: array<byte>, public key) -> array<byte>  (the ciphertext)
decrypt(ciphertext: array<byte>, private key) -> array<byte>  (the plaintext)

sign(message: array<byte>, private key) -> array<byte>  (the signature)
verify(message: array<byte>, signature: array<byte>, public key) -> bool  (whether or not the signature is valid)




2. Security (practical)


Permissions

# <directory> owner/user permissions, group permissions, other users permissions
# directory example:    drwxr-xr-x
# private key example:  -rw-------


# change permissions template:
$ chmod <-R> <u, g, o><+, -, =><r, w, x> "file name"

Permissions differ betwen files and directories:

Files:

  • r == view
  • w == edit
  • x == execute

Directories:

  • r == view contents
  • w == create or remove files from dir
  • x == step into directory

Important remarks:

  • Write access for a directory allows deleting of files in the directory even if the user does not have write permissions for the file.
  • Directories must have ‘execute’ permissions set (x or 1), or directories will not function as directories and will disappear from view in the file browser.
  • Root user is the admin user (with user id 0). He can do everything, even if no permission is granted.


Generate a strong password

# copy as long of a password as you need
$ openssl genrsa


Single file encryption

# list available ciphers
gpg --version

# restrict permissions and encrypt
$ chmod go-rwx <file name>
$ gpg --verbose --symmetric --cipher-algo AES256 <file name>

# decrypt
$ gpg <file name>


Multiple files encryption

# list available ciphers
gpg --version

# restrict permissions, for the directory and its contents
$ chmod -R go-rwx <folder name>

# compress folder
$ 7z a <archive name> <folder name>

# encrypt archive
$ gpg --verbose --symmetric --cipher-algo AES256 <archive name>

# decrypt archive
$ gpg <archive name>

# decompress archive
$ 7z x <archive name> -o<folder name>


Home directory encryption

Ubuntu installer allows you to encrypt the home directory during the installation process. If you missed that chance, then you can follow this tutorial.


Disk encryption

Documentation link.


SSH

Documentation link.


Backups

Dpcumentation link.