Author: Preston St. Pierre
for qt, krb5, kdelibs, zlib, kernel, acrobat, gaim, and the Linux kernel. The
distributors include Debian, Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware,
SuSE, Trustix, and TurboLinux.
Introduction to Cryptography
Implementing any large security
project on the Linux operating system requires the use of cryptography. Several
weeks ago, I wrote about a book by Fred Piper and Sean Murphy titled, “Cryptography:
A Very Short Introduction.” It offers a very good introduction to the subject,
but those wishing to implement cryptography in open source projects need
a more in-depth understanding of the area. Another excellent resource is the
“Handbook of Applied Cryptography,” by Menezes, Oorschot, and Vanstone. It has
often been considered “the bible of cryptography” and offers a detailed and
The first several chapters of the
book focus on the basics. It gives an overview and history of cryptography and
follows with an explanation of the mathematics necessary to understand the algorithms.
Midway through the book, it gives detailed information to help the reader understand
stream ciphers, block ciphers, and finally public key encryption. After the
reader has an understanding of the algorithms, the book moves to explain how
they can be used in key establishment protocols. It also offers chapters on
key management and tips for efficient implementation.
For the long-time manager, this
book may be slightly on the technical side. However, there are clear benefits
for management having an understanding of technical subjects. Cryptography today
offers a very strong level of protection. It only fails in implementation. For
example, keys are not properly protected or managed. For those of you wishing
to learn a little more about the fascinating subject of cryptography, I highly
recommend this book.
Hard copies of the book can also
be purchased through Amazon or any other large bookseller.
When any company decides to take
on an in-house software development project, it is essential to include cryptographic
mechanisms. Books such as this can give programmers the proper knowledge necessary
to understand how cryptography works and how to avoid problems.
Until next time, cheers!
Benjamin D. Thomas
Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code
– Gary McGraw is perhaps best known for his groundbreaking work on securing software,
having co-authored the classic Building Secure Software (Addison-Wesley, 2002).
More recently, he has co-written with Greg Hoglund a companion volume, Exploiting
Software, which details software security from the vantage point of the other
side, the attacker. He has graciously agreed to share some of his insights with
all of us at LinuxSecurity.com.
Expert Dave Wreski Discusses Open Source Security – Dave Wreski,
CEO of Guardian Digital, Inc. and respected author of various hardened security
and Linux publications, talks about how Guardian Digital is changing the face
of IT security today. Guardian Digital is perhaps best known for their hardened
Linux solution EnGarde Secure Linux, touted as the premier secure, open-source
platform for its comprehensive array of general purpose services, such as web,
FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.
Linux Advisory Watch is
a comprehensive newsletter that outlines the security vulnerabilities that have
been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
cross site scripting vulnerability
Markus Wörle discovered a cross site scripting problem in status-display
code execution and DoS
Several vulnerabilities were discovered in recent versions of Qt, a commonly
really fix buffer overflow
code execution and DoS
This security advisory corrects DSA 458-1 which caused some segmentation
The MIT Kerberos Development Team has discovered a number of vulnerabilities
bugs (Core 1)
Several double-free bugs were found in the Kerberos 5 KDC and libraries
bugs (Core 2)
Several double-free bugs were found in the Kerberos 5 KDC and libraries.
Firefox, Thunderbird New releases fix vulnerabilities
bugs (Core 2)
New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox fix several
cookie injection vulnerability
The cookie manager component in kdelibs contains a vulnerability allowing
of service vulnerabilit
The zlib library contains a Denial of Service vulnerability.
New vulnerabilities
Gaim contains several security issues that might allow an attacker to execute
A race condition was discovered in the 64bit file offset handling by Paul
A double-free vulnerability exists in the MIT Kerberos 5’s KDC program that
A bug has been found in the version of zlib included in OpenBSD 3.5 (and
An updated Adobe Acrobat Reader package that fixes multiple security issues
Updated Kerberos (krb5) packages that correct double-free and ASN.1 parsing
Updated krb5 packages that improve client responsiveness and fix several
A couple of bugs were found in the gaim 0.82 release, and gaim-0.82.1 was
Various signedness issues and integer overflows have been fixed within kNFSd
samba, zlib Multiple vulnerabilities
Security roll-up for 31/Aug/2004.