Archive for information security

Be concerned with your privacy, if you use Xen-based VPS servers

Yesterday I worked on a Xen-based CentOS 5 VPS server. Out of curiosity about how Xen stacks up against VMware, I sniffed TCP traffic on the Xen virtual server, since I had noticed that VMware guests can see the host’s traffic and vice versa. (More details can be found in my earlier post: Security Alert : bridged vmware guest can sniff host, guest peers, and vice versa.)

I chose to sniff TCP/80 traffic this time, using tcpdump


Security Alert : bridged vmware guest can sniff host, guest peers, and vice versa

On a CentOS 5/i386 server, I recently set up an Asterisk server in a VMware guest running CentOS 4.4/i386. The VMware guest is set to use bridged networking and to obtain its TCP/IP settings from the same DHCP server used by the host server. I installed the X-Lite softphone from CounterPath on the host server and configured it as a SIP extension to talk to another SIP extension on my wife’s Windows XP laptop.


a SunTrust ATM errored out last night

Last night I went to a SunTrust bank branch in the neighborhood to drop off a deposit envelope. Even though I wasn’t looking in the direction of the ATM screen, I realized that what it was displaying was NOT its usual screen. Looking up, I was surprised to see a familiar Internet Explorer window under a pop-up window. The IE pop-up window stated that there was some error processing the script(s), and prompted whether to continue or not. I wished I had a digital camera with me!


different ways and how to sign a file digitally using GnuPG

In his comment on my recent post asking why the wordpress.org dev team didn’t opt to sign their popular blog server software package, Barry said it might be cool to actually spell out how to sign a file digitally. With my taxes mailed out this afternoon (Yeah, I don’t have to wait in line with all the other last-minute losers this year!), I have some breathing time to actually take a stab at it, using GnuPG as an example. GnuPG is the open-source counterpart of PGP.

  • To sign a file digitally, you first need to have a pair of keys. If you don’t have one yet, read my earlier post on how to generate one, along with best practice recommendations.
  • There are quite a few ways to sign a file. A file named ‘digital.signature.testfile’ has been created for illustration.
    • Sign the file to generate a new file containing only its digital signature. The new file is known as the (detached) signature file.
      • In armor text. The signature file’s name is the original file name with a .asc extension appended. It is readable by humans.

            gpg --detach-sign -a digital.signature.testfile

      • Not in armor text. The signature file’s name is the original file name with a .gpg extension appended. It is NOT readable by humans.

            gpg --detach-sign digital.signature.testfile

    • Sign it to generate a new file containing the original content as well as the digital signature. This is known as the signed file.
      • Clear-text signing, meaning the original content can be read as clear text inside the new file. The signed file’s name is the original file name with a .asc extension appended. It is readable by humans.

            gpg -s --clearsign digital.signature.testfile

      • Non-clear-text signing, meaning the original content can NOT be read as clear text inside the new file. The signed file’s name is the original file name with a .gpg extension appended. It is NOT readable by humans.

            gpg -s digital.signature.testfile

  • Since most software packages need to be unpacked using unzip, tar, 7z, rar or the like, the preferred way is obviously not to touch the package itself but to provide a detached signature file in armor text. As a result, on a download page you often see, listed side by side, a package file named popular.package-1.1.3.tar.gz and its signature file popular.package-1.1.3.tar.gz.asc.
  • The contents of the original file, the clear-signed file, and the detached signature file in armor text are all appended below for your reference.

/home/experts8$ cat digital.signature.testfile # the original file
Wed Apr 11 23:46:07 EDT 2007
/home/experts8$ cat digital.signature.testfile.asc # the signed file by clear-sign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wed Apr 11 23:46:07 EDT 2007
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFGHau1qVSbap/EkWYRAkQhAJ98vWY/peeVYW+sQ0JLXm1DWQuB+ACfXHoo
NGV2PrjRiyKJSN5mmmKm3IE=
=Axe4
-----END PGP SIGNATURE-----

/home/experts8$ cat digital.signature.testfile.asc # detached signature file in armor text
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1

iD8DBQBGHbBUqVSbap/EkWYRAtH/AJ9cPHrnz7s1HFIyiJrzxzEPuuPTAwCaAkyi
jvSor1JP4ODC5RW59Hue1f8=
=8+4g
-----END PGP SIGNATURE-----
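As an added example that is not part of the original post, the following Python dissects the two armored signatures shown above so you can see what a .asc actually carries: the armor CRC line, and inside the signature packet the signature type (binary for --detach-sign, canonical text for --clearsign), the creation time, the signer’s key ID and the DSA/SHA1 algorithm pair. It handles only the version-3 packets this GnuPG 1.4 run produced (current GnuPG emits version-4 packets, which it rejects), and the function names are the example’s own.

```python
import base64, struct

# Constructed copies of the two armored signatures shown above (dashes repaired).
CLEARSIGN_SIG = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFGHau1qVSbap/EkWYRAkQhAJ98vWY/peeVYW+sQ0JLXm1DWQuB+ACfXHoo
NGV2PrjRiyKJSN5mmmKm3IE=
=Axe4
-----END PGP SIGNATURE-----"""
DETACHED_SIG = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1

iD8DBQBGHbBUqVSbap/EkWYRAtH/AJ9cPHrnz7s1HFIyiJrzxzEPuuPTAwCaAkyi
jvSor1JP4ODC5RW59Hue1f8=
=8+4g
-----END PGP SIGNATURE-----"""
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}
PK_ALGOS, HASH_ALGOS = {1: "RSA", 17: "DSA"}, {1: "MD5", 2: "SHA1", 8: "SHA256"}

def crc24(data):
    """OpenPGP CRC-24 (RFC 4880 section 6.1) behind the '=XXXX' armor line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Drop the armor headers, base64-decode the body and check the CRC line."""
    lines = text.strip().splitlines()
    body = [l for l in lines[lines.index("") + 1:-1] if l]  # after headers, before END
    crc_line = body.pop()                                   # e.g. "=Axe4"
    data = base64.b64decode("".join(body))
    want = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return data, crc24(data) == want

def parse_v3_signature(armored):
    """Dissect the version-3 signature packet that GnuPG 1.4 emitted here."""
    data, crc_ok = dearmor(armored)
    body = data[2:2 + data[1]]           # 0x88 = old-format packet, tag 2, 1-byte length
    if data[0] != 0x88 or body[:2] != b"\x03\x05":
        raise ValueError("only old-format version-3 signature packets are dissected here")
    sig_type, created, key_id, pk, hashalg, left16 = struct.unpack(">BI8sBBH", body[2:19])
    return {"crc_ok": crc_ok, "packet_length": data[1], "created": created,
            "sig_type": SIG_TYPES.get(sig_type, hex(sig_type)), "key_id": key_id.hex().upper(),
            "pk_algo": PK_ALGOS.get(pk, pk), "hash_algo": HASH_ALGOS.get(hashalg, hashalg),
            "hash_left16": "%04X" % left16}  # created is seconds since the Unix epoch
```

None of these fields proves anything by itself: the key ID is unauthenticated metadata, and only gpg --verify popular.package-1.1.3.tar.gz.asc popular.package-1.1.3.tar.gz against a key you already trust establishes that the package is genuine.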


how to generate a pair of GnuPG keys only to sign digitally

A pair of GnuPG keys is needed to sign files digitally. Below, I’ll highlight the choices to make when generating a pair of GnuPG keys only to sign and not to encrypt, using the Cygwin port of GnuPG. The entire key-generation session is appended at the end (Appendix A). A list of best practice recommendations for digital signature security is provided as well.

A GnuPG key pair has two keys, one private and the other public. They are mathematically related, just like the asymmetric keys used in other PKI programs. The two keys in a GnuPG key pair are born equal, however. The only difference between a public key and a private key is the designation of purpose and the resultant protection scheme, or lack thereof. It’s like having newborn twins. For no good reason, you name one of the twin brothers Jerry and the other Tom, instead of the other way around. From that point on, you feed and treat them according to their names. Latecomers may come to believe that Tom was born a Tom and Jerry was born a Jerry. That is simply not true.
