Thursday, June 28, 2012

Password Encryption and salt

Encrypting Passwords

It is quite obvious that passwords need to be stored in an encrypted format. One of the following methods could be used to encrypt the passwords:
  1. Password based encryption or two-way technique
  2. Digests or one-way technique
In the first approach, passwords are encrypted using a pass phrase and then stored. This uses a symmetric algorithm, i.e. the same pass phrase can be used to decrypt the password. This is generally considered bad practice because you never really have to decrypt any password. In a good system a user's password shouldn't be readable by anyone, including the system administrator; making it readable is a violation of the user's privacy. Above all, in a worst-case scenario, if an attacker gains access to the encrypted password database and the pass phrase, it is relatively easy to read all the passwords.

In the second approach, we "hash" the password to create a message digest and store only the digest. It is impossible to derive the input password from the digest, i.e. the conversion is one-way only. When the user enters the password, we apply the same hashing algorithm to obtain a message digest and then compare the two digests to verify the password. There are many hashing algorithms, and they are designed to generate different digests for different input strings, i.e. two different passwords will not generate the same message digest, while the same input always produces the same digest. This makes it more difficult for an attacker to crack the passwords after gaining access to the password database, but it is still not impossible. Attackers can use brute force, or, if they already have the digests of a dictionary for various hashing algorithms, they might be able to crack the simple passwords first, which will reveal the algorithm. After that it is a matter of time before they can crack the rest of the passwords.

The concepts of "salt" and "iteration" come into the picture here. These techniques make it even more difficult, if not impossible, for an attacker to crack the passwords.

The salt

A salt is nothing but a sequence of bytes (typically 6 to 16 bytes) of random data. This data is added to the password and the two are hashed together to produce the digest. There are 2 types of salt:
  1. Fixed salt --> The same sequence of bytes is used for all passwords
  2. Variable salt --> A random sequence of bytes is generated for each password. In this case the salt is usually stored along with the digest in plain format (i.e. unencrypted). The attacker can easily find the salt, but he will have to attack each password separately. We are making his life more difficult, and the next technique will deliver the ultimate punch.

Iteration

Iteration refers to the number of times the hash is applied to a password. The input password is hashed, the resulting digest is hashed again, that digest is hashed again, and the cycle continues. An iteration count of 1000 is a good level. When verifying a user's password, 1000 iterations might take a few milliseconds. But imagine the case of an attacker who has managed to access the password database. Even if he knows the algorithm and has found the salt, each guess will take a few milliseconds, and it will take an eternity to crack even a few passwords.
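
The variable salt and the iteration count combined, as an added example that is not code from the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the salt-plus-iteration construction, which is a choice made for this example rather than an algorithm the post names; the record format `iterations$salt$digest` and the sample passwords are also assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000   # the count suggested in the text; stored in each record so it can be raised later
SALT_BYTES = 16     # upper end of the 6 to 16 byte range given in the text

def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a storable record 'iterations$salt_hex$digest_hex' (constructed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # variable salt: fresh random bytes per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, record):
    """Recompute the digest with the stored salt and count, then compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_records(password, salt=None):
    """Hash one password for two users; with a fixed salt the two records are identical,
    so one cracked digest exposes every user who chose that password."""
    return hash_password(password, salt=salt), hash_password(password, salt=salt)

if __name__ == "__main__":
    record = hash_password("constructed-sample-password")
    print(record)
    print(verify_password("constructed-sample-password", record))   # True
    print(verify_password("wrong-guess", record))                   # False
    a, b = same_password_records("letmein", salt=b"fixed-salt-bytes")
    print("fixed salt, identical records:", a == b)                 # True
    a, b = same_password_records("letmein")
    print("variable salt, identical records:", a == b)              # False
```

Because the salt and the count travel with each digest in plain form, verification needs no other secret, and the count can be increased for new records without invalidating old ones.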

Friday, June 8, 2012

iptables Basics

iptables is a Linux utility for packet filtering. In a nutshell, it examines each network packet against the rules defined in a table and then decides the action to be taken on that packet.
There are multiple levels in iptables to deal with different scenarios. The highest level is tables, followed by chains and then rules. There are some predefined tables, and the user can also set up their own tables, but for basic usage the predefined tables are more than enough. The tables are:
  1. filter ( the default table ), as the name suggests used to filter out packets
  2. nat
  3. mangle
  4. raw
  5. security
As can be seen from the names, different tables are needed for different purposes. In this tutorial we are only going to learn about the filter table.
The next level is chains. Each of the above tables contains multiple chains. There are some built-in chains, and there can also be user-defined chains. The filter table contains the following built-in chains:
  1. INPUT --> Rules under this chain will be applied to the incoming packets
  2. OUTPUT --> Rules under this chain will be applied to the outgoing packets
  3. FORWARD --> For packets being routed through this box
Each of these chains contains a set of rules, and each rule specifies a "target", which is the action to be performed on each packet that matches the rule. The target can be a user-defined chain or one of the following predefined values:
  1. ACCEPT
  2. QUEUE
  3. DROP
  4. RETURN
When a packet is received, the kernel determines the appropriate table and chain. Then the kernel checks the packet against each rule in the chain. If a match is found, the target is executed and the check stops there, unless the target is another chain.
Now, let's look at some example commands.

  •  sudo /sbin/iptables --line-number --list
Lists the currently defined tables, their chains and rules under them
  •  sudo /sbin/iptables -A INPUT -j REJECT
Adds a rule to the INPUT chain of the default table, filter, to reject all incoming packets. The -j option stands for "jump to target". Print the list using the previous command and note down the rule number.

  • sudo /sbin/iptables -D INPUT 1
Deletes rule number 1 (the rule added above) from the INPUT chain of the default table, filter.

  • sudo /sbin/iptables -I OUTPUT 1 -p tcp --dport 80 -j ACCEPT
The above command inserts a rule at position 1 of the OUTPUT chain in the filter table, to allow all outgoing HTTP connection requests.
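
Why the position of a rule matters, as an added example that is not part of the original post: a small Python model of the first-match traversal described above, including the jump into a user-defined chain and RETURN. Packets are modelled as constructed dicts, port 22 is a sample value, and the fall-back to a chain policy when no rule decides is standard iptables behaviour that the post does not cover.

```python
# Constructed model of the filter table: chain name -> ordered list of (match, target).
# A match is a dict of packet fields that must all be equal; {} matches every packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "QUEUE"}

def matches(match, packet):
    return all(packet.get(field) == value for field, value in match.items())

def traverse(chains, chain, packet):
    """Check rules top to bottom; return the first terminal target, or None
    if the chain runs out of rules or a matching rule says RETURN."""
    for match, target in chains[chain]:
        if not matches(match, packet):
            continue
        if target in TERMINAL:
            return target                      # the check stops here
        if target == "RETURN":
            return None                        # hand back to the calling chain
        result = traverse(chains, target, packet)   # target is a user-defined chain
        if result is not None:
            return result
    return None

def decide(chains, chain, packet, policy="ACCEPT"):
    """Final action for a built-in chain; the chain policy applies if no rule decided."""
    result = traverse(chains, chain, packet)
    return policy if result is None else result

def append_rule(chains, chain, match, target):            # iptables -A <chain>
    chains[chain].append((match, target))

def insert_rule(chains, chain, position, match, target):  # iptables -I <chain> <position>
    chains[chain].insert(position - 1, (match, target))

def demo():
    """An ACCEPT appended after a catch-all REJECT is never reached; inserted at 1 it is."""
    ssh_rule, ssh_packet = {"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 22}
    chains = {"INPUT": []}
    append_rule(chains, "INPUT", {}, "REJECT")            # -A INPUT -j REJECT
    append_rule(chains, "INPUT", ssh_rule, "ACCEPT")      # lands at position 2
    shadowed = decide(chains, "INPUT", ssh_packet)
    del chains["INPUT"][1]                                # -D INPUT 2
    insert_rule(chains, "INPUT", 1, ssh_rule, "ACCEPT")   # -I INPUT 1 ...
    return shadowed, decide(chains, "INPUT", ssh_packet)

if __name__ == "__main__":
    print(demo())
```

When auditing a rule set, the same reasoning applies to the output of `--line-number --list`: any rule listed below a rule that matches everything with a terminal target has no effect.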


The following table summarises some of the frequently used options.



iptables command switch   Description
-t <table>                If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle
-j <target>               Jump to the specified target chain when the packet matches the current rule.
-A                        Append rule to end of a chain
-F                        Flush. Deletes all the rules in the selected table
-p <protocol-type>        Match protocol. Types include icmp, tcp, udp, and all
-s <ip-address>           Match source IP address
-d <ip-address>           Match destination IP address
-i <interface-name>       Match "input" interface on which the packet enters
-o <interface-name>       Match "output" interface on which the packet exits



Common TCP and UDP Match Criteria

Switch                    Description
-p tcp --sport <port>     TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>     TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn              Used to identify a new TCP connection request. ! --syn means not a new connection request
-p udp --sport <port>     UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>     UDP destination port. Can be a single value or a range in the format: starting-port:ending-port

Friday, June 1, 2012

Security and Encryption Buzz words

Encryption systems generally belong to one of the following 2 categories.

Symmetric-key encryption

The same key is used for encryption and decryption.

Public-key encryption

Also called asymmetric-key encryption. Public and private key pairs are used for encryption and decryption. As the name implies, the public key is shared and the private key is kept secret.

Data Encryption Standard (DES)

The first major/popular symmetric-key algorithm. It uses a 56-bit key, which is too weak for modern computer systems, so it is no longer considered secure.

Advanced Encryption Standard (AES)

The replacement for DES, as it uses keys of up to 256 bits. It is generally believed to be a secure enough system for the near future.

Pretty Good Privacy (PGP)

A very popular encryption program that implements public-key encryption.

GNU Privacy Guard (GPG)

Another popular encryption program that implements public-key encryption. PGP and GPG are interchangeable, i.e. text that is encrypted in PGP can be decrypted using GPG with the correct key, and vice versa. Only the licensing terms seem to differ between PGP and GPG.

Secure Sockets Layer (SSL)

A cryptographic protocol that provides secure communication between computers, typically a client and a server.

Secure Shell (SSH)

A standard for connecting to a remote computer over a network in a secure way. There are multiple implementations, with OpenSSH being the most popular one.

Transport Layer Security (TLS)

The successor of SSL.

Wired Equivalent Privacy (WEP)

A security algorithm for wireless networks. It is now considered to be weak and has since been replaced by WPA.

Wi-Fi Protected Access (WPA)

WPA and WPA2 are two security protocols developed to secure wireless computer networks. They are considered to be strong and are recommended for personal/home networks.