Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I get that cryptography is the practice and study of techniques for secure communication in the presence of third parties. Before reading about algorithms (expressed and well-defined instructions for calculating a function, a computation which, when executed, passes through a number of successive states producing output) I was unaware of how this worked.
In the future I would want to protect the confidentiality between a client and myself.
But how exactly would I do that with SHA-256?
Does SHA-256 prevent preimage attacks on hash functions?
Perhaps have a look at http://www.openssl.org/ which implements the algorithms for you (with security, it's normally better to use an established implementation).
As far as I can understand http://en.wikipedia.org/wiki/Sha-256...and_validation, the attacks are not yet practical, but might allow the development of more efficient attacks - so the recommendation is to use a different hash in security-conscious applications.
SHA-256 is what is known as a hash function. It is used to create a theoretically unique encrypted value from some input. As hash functions are trapdoor or one-way functions, they are not "decryptable". You use them, for example, to hide the value of a password/passphrase or key.
An encryption algorithm serves as a two-way function to enable both the encryption and decryption of information. This can be used to store information from others as well as securing communications from third parties.
As indicated, SHA-256 is currently secure. How far into the future it may remain so no one can say. Efficient and currently secure encryption algorithms include AES, Twofish, Blowfish, Serpent as well as some others.
If you are looking to ensure that documents have not been tampered with, you can sign them: generate a hash of the document that the other party can verify to detect tampering. If you want to hide the contents altogether, then you need to encrypt the document (with or without signing) using something like GPG (GnuPG).
Hope this helps,
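The distinction drawn in the replies above (a one-way hash versus encryption, and a hash used to detect tampering) in working code, as an added example that is not part of the thread. It uses only the Python standard library, which has no public-key signatures, so tamper detection is shown with a shared-key HMAC rather than a GPG signature; the PIN, message and password are constructed sample values. The first function also shows the practical limit of "one-way": SHA-256 has no known preimage attack, but a hash of a guessable input is recovered by hashing every guess, which is why storing passwords needs a salt and a slow key-derivation function rather than a bare digest.

```python
import hashlib
import hmac
import os
import secrets
from typing import Iterable, Optional, Tuple

# Constructed sample message (not from the thread).
MESSAGE = b"Invoice 2012-09: pay 4,200 EUR to account 12345"


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest. Anyone can recompute it; it carries no secret."""
    return hashlib.sha256(data).hexdigest()


def recover_by_guessing(digest_hex: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """No preimage attack on SHA-256 is needed when the input space is small:
    hash each candidate and compare. A 4-digit PIN falls in milliseconds."""
    for candidate in candidates:
        if sha256_hex(candidate) == digest_hex:
            return candidate
    return None


def integrity_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data with a shared secret key. Someone who alters
    the data cannot produce a matching tag without the key, whereas a bare
    SHA-256 sent alongside the document can simply be recomputed by them."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    # compare_digest does not stop at the first differing byte (no timing leak).
    return hmac.compare_digest(integrity_tag(key, data), tag_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Password storage: random per-user salt plus PBKDF2-HMAC-SHA256, so each
    guess costs the attacker `iterations` hashes and precomputed tables fail."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived


def check_password(password: str, salt: bytes, stored: bytes,
                   iterations: int = 600_000) -> bool:
    _, derived = hash_password(password, salt, iterations)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    # 1. "One-way" in theory, guessable in practice for a low-entropy input.
    pin_digest = sha256_hex(b"4711")
    guesses = (str(i).zfill(4).encode() for i in range(10_000))
    print("recovered PIN:", recover_by_guessing(pin_digest, guesses))

    # 2. Tamper detection with a shared key.
    key = secrets.token_bytes(32)
    tag = integrity_tag(key, MESSAGE)
    print("original verifies:", verify_tag(key, MESSAGE, tag))
    altered = MESSAGE.replace(b"4,200", b"9,200")
    print("altered verifies:", verify_tag(key, altered, tag))

    # 3. Password storage that makes the guessing loop in step 1 expensive.
    salt, stored = hash_password("correct horse battery staple")
    print("right password:", check_password("correct horse battery staple", salt, stored))
    print("wrong password:", check_password("password1", salt, stored))
```

Note that the HMAC variant needs the two parties to share a key in advance; for a document the recipient must verify without a shared secret, that is exactly where a GPG signature (public key) takes over, and the next posts in the thread point that way.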
Thanks for the links. I read those two pages and I observed the five examples of the hash values of empty strings.
I was able to tell where they were different and where they were similar. However, I'm thinking to read and research more. I have a better understanding.
You said: "An encryption algorithm serves as a two-way function to enable both the encryption and decryption of information."
As soon as I read that I remembered: approx. four years ago a friend discovered that a keylogger program was on my computer. Someone was tracking everything I was doing. I put that computer in the trash. I was not aware that I could have gone to court for that. Had I known then what I know now, I don't think I would have tossed that tower.
I'm a little concerned about the bug the documentation speaks of:
NOTE: There is a bug in some source code implementations of Blowfish. Here are the details. The reference implementation does not have this bug.
Do these applications have to come from source and be compiled in order for me to have them on my system?
Quote:
As soon as I read that I remembered: approx. four years ago a friend discovered that a keylogger program was on my computer. Someone was tracking everything I was doing. I put that computer in the trash. I was not aware that I could have gone to court for that. Had I known then what I know now, I don't think I would have tossed that tower.
Hm? I don't see the relevance, I don't see why you couldn't have saved the computer, and I don't see how you could have gone to court...
Truecrypt is hard drive encryption, not an encryption library, I believe...
Quote:
Do these applications have to come from source and be compiled in order for me to have them on my system?
I'm not sure I understand your question... Everything you have on your computer will have been compiled at some point (alright, pedants, not interpreted scripts, but the point stands) by someone. Are you asking "Does this bug affect the implementation of Blowfish on my system?" If so, it will depend where you got it from. Are you asking "How can I install a library that implements Blowfish?" If so, I've already linked to OpenSSL, which implements Blowfish.
There is an overwhelming number of distribution tarballs on this page.
So I put my focus on the latest and newest .tar.gz (just as an example)
May 10 17:20:24 2012 openssl-1.0.1c.tar.gz (MD5) (SHA1) (PGP sign) [LATEST]
I only need one of those right? (on that page)
How can I tell which (tar.gz) for my system (Debian)?
It's source code, so any of them. There's probably a README which will tell you how to compile it, or you can just grab the relevant source code (look at the license to check that your usage is allowed first).
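A worked version of the check the download page above invites (the MD5/SHA1/PGP links next to the tarball), as an added example that is not from the thread or from the OpenSSL project: verify a downloaded archive against a published checksum file in the line format that `sha256sum`/`sha1sum` produce, distinguishing the three outcomes a practitioner needs to tell apart. The archive contents and file names are constructed. Two caveats the code cannot remove: a checksum served from the same place as the tarball only catches a corrupted download, not a substituted one, so the PGP signature (`gpg --verify <signature-file> <tarball>`, checked against a key obtained from somewhere other than that page) is the part that catches substitution; and MD5 is no longer collision-resistant, so use the strongest digest the publisher offers.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse '<hexdigest>  <filename>' lines (the sha256sum/sha1sum format;
    a leading '*' on the name means binary mode). Returns name -> digest."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        table[name.lstrip(" *")] = digest.lower()
    return table


def file_digest(path: str, algo: str = "sha256") -> str:
    """Digest a file in chunks so a large tarball is not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, checksums: Dict[str, str], algo: str = "sha256") -> str:
    """Return 'OK', 'MISMATCH' (corrupted or altered), or 'MISSING'
    (the publisher lists no digest for this file name, which is not a pass)."""
    expected = checksums.get(os.path.basename(path))
    if expected is None:
        return "MISSING"
    if hmac.compare_digest(file_digest(path, algo), expected):
        return "OK"
    return "MISMATCH"


def demo() -> Dict[str, str]:
    """Constructed end-to-end run in a temporary directory (sample data only)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample-1.0.tar.gz")
    with open(path, "wb") as f:
        f.write(b"constructed sample archive, not a real tarball\n")
    # What the publisher's checksum file would contain for this file.
    published = f"{file_digest(path)}  sample-1.0.tar.gz\n"
    table = parse_checksum_file(published)

    results = {"good": verify_download(path, table)}
    with open(path, "ab") as f:  # simulate a corrupted or tampered download
        f.write(b"\x00")
    results["tampered"] = verify_download(path, table)
    results["unknown"] = verify_download(os.path.join(workdir, "other.tar.gz"), table)
    return results


if __name__ == "__main__":
    for outcome, verdict in demo().items():
        print(f"{outcome}: {verdict}")
```

On a Debian system the same check is the one-liner `sha256sum -c CHECKSUMS` once the checksum file is saved next to the download; the code above is the same logic made explicit, including the "not listed" case that a quick manual comparison tends to skip.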
I suggest that you simply save yourself a massive amount of time by using an existing, all-inclusive security tool such as:
SSL/TLS
GPG
OpenVPN
Standard e-mail S/MIME encryption
The reason why I say this is that ... the crypto algorithm, whatever it is, is only a small and almost-irrelevant part of the story. It's almost never the thing that anyone tries to break. The weak link in the chain is always key-management, and the people who are using it. Even if you succeed in implementing it all correctly ... you have just "done a thing already done."
You very much want to employ something that is as absolutely standard, as absolutely and completely "what everyone else is using for the same purpose," as you can. In this way, you push the responsibility for cryptographic security to people whose work is trusted around the world "and deservedly so." You also maximize the ease with which the recipient of your information can decipher it ... probably without needing to be explicitly aware that it is enciphered. As the SSL/TLS protocols now do for any "https" web-page or frame that you may ever use. (There is, BTW, a lot more to even that protocol than most sites make use of.) As S/MIME can do for e-mail.
Don't overlook VPN. Secure the tunnel strongly, using digital certificates per recipient site, and push any-old-thing through that tunnel. You know who you're talking to, you know the traffic is arriving as-tendered, and you know that it's secure.
Last edited by sundialsvcs; 09-25-2012 at 02:57 PM.
There should be a README file, like you said, to help me.
I've never done this (compiled) before, so I hope it's clear.
I won't overlook VPN, GPG or S/MIME.
I will have to study, read and learn more about 'using digital certificates'. I don't know much about them,
or how to obtain one for each recipient as you've mentioned.
Digital certificates are quite an easy idea, actually ... and you don't have to pay for them.
Without going into all the gory details, let me just say: "they are 'a badge,' and they've got the company's logo printed on them."
When you hire-on with a company of any size, they issue you a badge which you have to "swipe" or "wave" to get through most doors. That badge is issued to you by the security department, and it is issued specifically to you. You can't forge the badge, duplicate it, or change its assigned access-privileges. If you quit or get fired or die or get laid-off, your badge becomes useless even if you keep it. If you lose it, you call the security department and within two minutes that badge (wherever it now is) just turned into a useless bookmark ... and if in the meantime anyone just used that badge to get inside the building, they know.
Sometimes, to get through a really secure door, you must combine "what you have" with "what you know." You must swipe your badge then enter a secret code. The badge without the code is useless, as is the code without the badge.
What you never see in an office-building is someone standing next to a door saying, "Say the magic-word, please ..." You'd probably have slammed the book shut on Harry Potter if one of the kids had had a dictionary shoved into their hands and they started reading it page-by-page at one of the secret-passages that led into the various houses, but this is literally what a password is susceptible to. A badge never is. Either you've got one or you don't, and you can't fake it. Either the badge is acceptable to whoever's on the other side of that door, or it's not.
Last edited by sundialsvcs; 09-26-2012 at 01:36 PM.