Author: Benjamin D. Thomas
released for mplayer, vixie-cron, openssl, kernel, openssh, mysql, SANE, perl,
and pine. The distributors include Conectiva, Guardian Digital’s EnGarde Linux,
FreeBSD, Red Hat, and TurboLinux.
This week, I’m going to give a very brief introduction to cryptography. I realize that some readers already have a firm understanding, but others need a little explanation. It is best to begin with a definition. Dictionary.com describes cryptography as “The process or skill of communicating in or deciphering secret writings or ciphers.” Cryptography provides several things: confidentiality, data integrity, user verification, and privacy. It is used to secure network traffic and storage and to improve authentication.
Basic cryptography can be classified into two categories: symmetric and asymmetric. Symmetric cryptography requires that both the sender and the receiver of the message share the same secret key. With a symmetric key, anyone who can encrypt can decrypt. Conversely, with asymmetric cryptography it is nearly impossible to determine the decryption key from the encryption key, so an attacker is not helped by knowing the encryption key. Asymmetric cryptography can be compared to a bevelled sprung lock: anyone can lock it, but only those with the key can unlock it. Public key cryptography is asymmetric.
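To make the key relationship concrete, here is an added example in Python (illustrative code written for this page, not part of the original column). It needs only the standard library. The symmetric half builds a keystream from SHA-256 and a counter, a construction chosen purely to keep the example self-contained rather than a standard cipher; the asymmetric half is textbook RSA with hypothetically small 256-bit moduli generated with Miller-Rabin. Both are teaching toys. The point they demonstrate is the article's: the symmetric decrypt routine is the same function as the encrypt routine, while the RSA public key encrypts but does not recover the message.

```python
"""Symmetric vs. asymmetric encryption, shown with stdlib-only toy code.

Added example (not from the original newsletter). The symmetric cipher is a
SHA-256 counter keystream (illustrative only, not a standard cipher); the
asymmetric scheme is textbook RSA with toy-sized primes. Neither is suitable
for real use. What matters is the key relationship: one shared key both
encrypts and decrypts, whereas the RSA public key only encrypts.
"""
import hashlib
import secrets

# ---------- symmetric: one shared secret does both jobs ----------

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key + nonce + block counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

# Decryption is literally the same operation with the same key:
# whoever can encrypt can decrypt.
symmetric_decrypt = symmetric_encrypt

# ---------- asymmetric: textbook RSA with toy-sized primes ----------

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set (toy sizes only here)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keypair(bits: int = 256):
    """Return ((e, n), (d, n)); `bits` is the modulus size (hypothetically small)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)                           # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)

def rsa_encrypt(public_key, message: int) -> int:
    e, n = public_key
    assert 0 <= message < n, "message must be smaller than the modulus"
    return pow(message, e, n)

def rsa_decrypt(private_key, ciphertext: int) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)

def demo():
    """Round-trip a constructed message through both schemes.

    Returns (symmetric_ok, asymmetric_ok, public_key_alone_decrypts)."""
    msg = b"advisory watch"                       # constructed sample message
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    sym_ok = symmetric_decrypt(key, nonce, symmetric_encrypt(key, nonce, msg)) == msg
    pub, priv = rsa_keypair(256)
    m = int.from_bytes(msg, "big")
    c = rsa_encrypt(pub, m)
    asym_ok = rsa_decrypt(priv, c) == m
    public_only = pow(c, pub[0], pub[1]) == m     # reapplying e does not decrypt
    return sym_ok, asym_ok, public_only

if __name__ == "__main__":
    print(demo())                                 # (True, True, False)
```

`demo()` checks all three claims at once: the shared key round-trips, the private key round-trips, and applying the public exponent a second time does not give the message back. Nothing in this example should be read as a safe cipher; the SHA-256 keystream has no authentication, and 256-bit RSA moduli are chosen so the code runs in milliseconds.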
The strength of cryptography is usually measured by the length of the key. Cryptography can only delay an attack. When implementing encryption, it is necessary to determine how long protection is required and to choose a key length that cannot be broken by brute force during that period. Longer and longer key lengths are required as processing power advances. Attackers often choose other methods to intercept data. For example, data may be encrypted on the hard disk but held in plaintext in memory; the attacker will simply attempt to capture the values stored in memory.
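As a worked example of the key-length decision just described (added here, not from the original column), the following Python estimates how long an exhaustive search is expected to take for a given key length, and the smallest key length whose keyspace outlasts a required protection period. The attacker's rate in keys per second and the period over which that rate doubles are hypothetical inputs you supply; the figures used in `demo()` are constructed for illustration only.

```python
"""Budgeting key length against brute force (added example, not from the newsletter).

Inputs are hypothetical: `rate` is how many keys an attacker can try per second
today and `doubling_years` is how often that capability doubles. The model is an
exhaustive search over a key of `bits` bits; on average the key is found after
half the keyspace, i.e. 2**(bits-1) trials.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keys_testable(rate, years, doubling_years=None):
    """Number of keys an attacker can try over `years`.

    With a doubling period T the rate grows as rate * 2**(t/T); integrating
    from 0 to Y gives rate * T / ln 2 * (2**(Y/T) - 1).
    """
    seconds = years * SECONDS_PER_YEAR
    if doubling_years is None:
        return rate * seconds
    T = doubling_years * SECONDS_PER_YEAR
    return rate * T / math.log(2) * (2 ** (seconds / T) - 1)


def years_to_break(bits, rate, doubling_years=None):
    """Expected time in years for an exhaustive search to succeed."""
    trials = 2 ** (bits - 1)
    if doubling_years is None:
        return trials / rate / SECONDS_PER_YEAR
    # invert keys_testable: trials = rate*T/ln2 * (2**(Y/T) - 1)
    T = doubling_years * SECONDS_PER_YEAR
    seconds = T * math.log2(1 + trials * math.log(2) / (rate * T))
    return seconds / SECONDS_PER_YEAR


def min_key_bits(rate, protect_years, doubling_years=None, margin_bits=0):
    """Smallest key length such that half the keyspace exceeds what the
    attacker can try during `protect_years`, plus an optional safety margin."""
    keys = keys_testable(rate, protect_years, doubling_years)
    # need 2**(bits-1) > keys  <=>  bits > log2(keys) + 1
    bits = math.floor(math.log2(keys)) + 2
    return bits + margin_bits


def demo():
    """Constructed scenario: 10^9 keys/s today, doubling every 1.5 years,
    data that must stay secret for 20 years, 16 bits of extra margin."""
    rate, doubling = 1e9, 1.5
    return {
        "56-bit key, static attacker (years)": years_to_break(56, rate),
        "128-bit key, static attacker (years)": years_to_break(128, rate),
        "bits for 20 years, static attacker": min_key_bits(rate, 20),
        "bits for 20 years, doubling attacker + margin":
            min_key_bits(rate, 20, doubling, margin_bits=16),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The doubling model is the part that matters for the article's point that key lengths must keep growing: with the same attacker, the 20-year requirement moves from 61 bits to 71 bits once the rate is allowed to double every 18 months, before any safety margin is added. Treat the output as a floor for the brute-force case only; it says nothing about weaknesses in the algorithm or about the memory-capture attacks mentioned above.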
From this, we can conclude
that encryption does not solve all security problems. Like anything, it is only
a tool that can be used to improve the process.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity Feature
Extras:
EnGarde GDSN Subscription Price Reduction – Guardian Digital, the world’s premier open source security company, announced today that they will be reducing the annual subscription cost of the Guardian Digital Secure Network for EnGarde Community users from $229 to $60 for a limited time.

R00ting The Hacker – Dan Verton, the author of The Hacker Diaries: Confessions of Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps who currently writes for Computerworld and CNN.com, covering national cyber-security issues and critical infrastructure
protection.
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
| Distribution | Date | Package | Summary | Description | Advisory |
|---|---|---|---|---|---|
| Conectiva | 10/06/2003 | mplayer | Buffer | This advisory is an update for the CLSA-2003:628[] one. | http://www.linuxsecurity.com/advisories/connectiva_advisory-3722.html |
| Conectiva | 10/3/2003 | vixie-cron | local | This advisory is an update for the CLSA-2003:628[] one. | http://www.linuxsecurity.com/advisories/connectiva_advisory-3711.html |
| Conectiva | 10/3/2003 | openssl | denial | This advisory is an update for the CLSA-2003:628[] one. | http://www.linuxsecurity.com/advisories/connectiva_advisory-3713.html |
| EnGarde | 10/3/2003 | openssl | potential | “Shawn” discovered and reported an SSH | http://www.linuxsecurity.com/advisories/engarde_advisory-3709.html |
| FreeBSD | 10/3/2003 | kernel | memory | A bug has been found in OpenSSH’s buffer handling where a buffer | http://www.linuxsecurity.com/advisories/freebsd_advisory-3714.html |
| FreeBSD | 10/3/2003 | openssl | ASN.1 | A bug has been found in OpenSSH’s buffer handling where a buffer | http://www.linuxsecurity.com/advisories/freebsd_advisory-3720.html |
| FreeBSD | 10/3/2003 | openssh | Multiple | Multiple PAM vulnerabilities have been fixed. | http://www.linuxsecurity.com/advisories/freebsd_advisory-3721.html |
| Red Hat | 10/9/2003 | mysql | buffer | There are several buffer overruns in the mars_nwe package. | http://www.linuxsecurity.com/advisories/redhat_advisory-3726.html |
| Red Hat | 10/8/2003 | SANE | remote | There are several buffer overruns in the mars_nwe package. | http://www.linuxsecurity.com/advisories/redhat_advisory-3724.html |
| Red Hat | 10/3/2003 | perl | XSS | There are several buffer overruns in the mars_nwe package. | http://www.linuxsecurity.com/advisories/redhat_advisory-3715.html |
| TurboLinux | 10/8/2003 | pine | buffer | An integer overflow exists in the Pine MIME header parsing. | http://www.linuxsecurity.com/advisories/turbolinux_advisory-3725.html |
| TurboLinux | 10/8/2003 | mysql | buffer | Older versions of mtr did not properly drop root privileges. | http://www.linuxsecurity.com/advisories/turbolinux_advisory-3723.html |
Category:
- Security