Linux Encryption

					Linux Encryption
Encrypting data files and email
Several encryption programs are also available to encrypt your data, some at the file level (PGP,
GnuPG, etc.) and some at the drive level (Cryptographic File System for example). These systems are
very appropriate for the storage of secure data, and to some degree for the transmission of secure data.
However both ends will require the correct software, compatible versions, and an exchange of public
keys will somehow have to take place, which is unfortunately, an onerous task for most people. In
addition to this you have no easy way of trusting someone's public key unless you receive it directly from
them (such as at a key signing party), or unless it is signed by someone else you trust (but how do you get
the trusted signer's key securely?). Systems for drive encryption such as CFS (Cryptographic
FileSystem) are typically easy to implement, and only require the user to provide a password or key of
some form to access their files. There is a really good article on choosing key sizes
at http://www.cryptosavvy.com/ which raises some issues you probably hadn't considered. I would
recomend reading it.


GnuPG (Gnu Privacy Guard)
GnuPG is covered in the filesystem section at Linux File System and File Security


pgp4pine
pgp4pine is a PGP shell for pine that allows easy usage of PGP/GnuPG from within pine. Signing /
encrypting and so on is made easier. You can get it from: http://pgp4pine.flatline.de/


Netscape Messenger
Netscape Messenger supports X.509 certificates, as do most Windows mailer programs.


Sources of random data
In order for encryption to be effective, especially on a large scale such as IPSec across many hosts, good
sources of random, cryptographically secure data are needed. In Linux we have /dev/random and
/dev/urandom which are good but not always great. Part of the equation is measuring 'random' events,
manipulating that data and then making it available (via (u)random). These random events include:
keyboard and mouse input, interrupts, drive reads, etc.

However, as many servers have no keyboard/mouse, and new "blackbox" products often contain no
harddrive, sources of random data become harder to find. Some sources, like network activity, are not
entirely appropriate because the attacks may be able to measure it as well (granted this would be a very
exotic attack, but enough to worry people nonetheless). There are several sources of random data that
can be used (or at least they appear random), radioactive decay and radio frequency manipulations are
two popular ones. Unfortunately the idea of sticking a radioactive device in a computer makes most
people nervous. And using manipulated radio frequencies is prone to error, and the possibility of outside
manipulation. For most of us, this isn't a real concern, however for IPSec gateway servers handling
many connections it can be a problem. One potential solution is the PIII, which has a built in random
number generator that measures thermal variance in the CPU, I think as we progress, solutions like this
will become more common.

				
DOCUMENT INFO
Shared By:
Stats:
views:5
posted:11/12/2011
language:English
pages:2
Description: All about Encryption in Linux.