Apache2 Encryption and Certs On Raspberry Pi


Looking back at my (very) old pages on this topic, I'm going to try installing just the certificate side of the process, as there would be no point using the username listing and password file method for a public server. The following lines can be added to /etc/apache2/sites-enabled/000-default to achieve that, though:

AuthType Basic
AuthName "uname"
AuthUserFile /etc/apache2/pwd
Require user uname pwxxxxxx

If you needed to host a web server yourself then that may be worth knowing, but nowadays, for security, backup and redundancy purposes, it is best to use a professional service provider such as Packet3, and use services like WordPress and cPanel for ease of use and extended functionality. If you added this form of password access protection you would get a familiar login box like:

image1.png

To add a password for a user to a specific password file (created with -c, or without -c if the file already exists), follow the prompts, e.g.:

sudo htpasswd -c /etc/apache2/users.basic stevee

It may be necessary for technicians or managers to have a basic insight into what is involved in server SSL security and certification. Personally, I think anyone who uses ANY "secure" web service, such as Internet Banking, should have at least a basic appreciation of the mechanisms involved. After all, it's your money and inconvenience at risk if you don't understand what dangers are possible, likely or improbable due to the technology, or, in the light of the Snowden revelations, what data can be collected by corporate or workplace proxy servers that fake or hijack server certificates, or the dangers via phishing, social engineering or other criminal means.

So, what is involved in getting your server access "secured" by encryption and giving a certification "assurance"?

First, from my old page, I'll look at the docs this time, in:

vi /usr/share/doc/apache2/README.Debian.gz

There is a summary of the security aspects in the first section:

SSL
Enabling SSL
Creating self-signed certificates
SSL workaround for MSIE
ECC keys and ECDH ciphers
Session ticket key life-time and forward secrecy

First then, is enabling Secure Sockets Layer.

To enable SSL, type (as user root):

a2ensite default-ssl

Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload

[....] Reloading web server config: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok

So, what has happened to the web site access now? Well, nothing it seems. Access is just the same and no change in port services from before:

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds

So running:

a2enmod ssl

Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart

Now there is port 443 available from nmap but access to the page is still the same without telling the browser to change "channels" to port 443:

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds

If HTTPS is added to the address bar, now the connection is made with a warning:

HTTPS.jpg

To enable/disable modules or whole sites, read the man pages for:

man a2dismod
man a2dissite
man a2enmod
man a2ensite

Proceeding anyway, the connection has no verified certificate but does have 128-bit encryption, as declared when clicking the cert icon in the address bar:

HTTPSEnc.jpg

You also get the browser permissions settings:

HTTPSPerms.jpg

All that is required now is to get self-certification applied.

Obviously, for a trusted, encrypted, certified public web server such as a bank, the certification would have to be registered with a trusted Certification Authority, for example:

HXTrusted.jpg

The Halifax explains its Extended Verification - EVSSL here:

http://www.halifax.co.uk/aboutonline/security/protecting-you/

So, how is self-certification done?

The next section of the documentation states:

Creating self-signed certificates
---------------------------------

If you install the ssl-cert package, a self-signed certificate will be
automatically created using the hostname currently configured on your computer.
You can recreate that certificate (e.g. after you have changed /etc/hosts or
DNS to give the correct hostname) as user root with:

make-ssl-cert generate-default-snakeoil --force-overwrite

First, see what certificate files and folders already exist. The doc states that certs should be placed in /etc/ssl/private, and there are already other folders in /etc/ssl containing files such as the .pem files of the Trusted Certs that are already registered, from Authorities like Verisign etc.

CertAuths.jpg

The /etc/ssl/certs directory lists a total of 520 entries:

root@raspberrypi:/home/stevee# ls -a /etc/ssl/certs/ | wc -l
520

These files contain the Base64-encoded (PEM) data of a legitimate certificate, such as:

cat /etc/ssl/certs/XRamp_Global_CA_Root.pem

So, where did the self cert key I created earlier go? As the doc suggests /etc/ssl/private/ then looking in here, there is only one key, created at the right time, so it must be this one:

root@raspberrypi:/home/stevee# ls -al /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1704 Jan 26 22:07 /etc/ssl/private/ssl-cert-snakeoil.key

How does this affect the browser page now after an F5 refresh? The address bar warning is still there of course, because the cert is self-signed and not registered with a trusted Certification Authority, but its details show that the server has issued it, with the time and date stamp:

PiCert.jpg
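
The following is an added example, not part of the original post: it creates a throwaway self-signed certificate with openssl, decodes the PEM file into readable fields, and checks for the property that causes the browser warning (the certificate is its own issuer). The CN raspberrypi.example.test, the temp directory and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. The CN and temp paths are
# constructed; nothing under /etc/ssl is read or changed.

# Create a throwaway self-signed certificate and key in directory $1.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=raspberrypi.example.test" \
        -keyout "$1/test.key" -out "$1/test.pem" 2>/dev/null
    chmod 640 "$1/test.key"   # same mode as ssl-cert-snakeoil.key above
}

# Decode the Base64 PEM body into readable fields.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Signature algorithm used by the issuer, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# True when the cert names itself as issuer AND its signature verifies
# against its own public key.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True for signature algorithms built on MD5 or SHA-1.
is_weak_sigalg() {
    case "$1" in
        md5*|sha1*|MD5*|SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

demo_dir=$(mktemp -d)
make_test_cert "$demo_dir"
cert_summary "$demo_dir/test.pem"
alg=$(cert_sigalg "$demo_dir/test.pem")
if is_self_signed "$demo_dir/test.pem"; then echo "self-signed ($alg): browsers will warn"; fi
if is_weak_sigalg "$alg"; then echo "weak signature hash: $alg"; fi
```

The same functions can be pointed at any certificate file the current user can read.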

Remember, if you want a better understanding of how the cryptography behind encrypted connections works, see the Post videos and Powerpoint file here:

http://www.stevepedwards.com/DebianAdmin/cryptography/

If you want to generate your own SHA sums of documents, there are many programs available in Linux for calculating both MD5 and SHA sums. The SHA ones can be found by typing sha and then hitting the TAB completion key:

stevee@raspberrypi ~ $ sha (TAB)
sha1sum sha256sum sha512sum shasum
sha224sum sha384sum shadowconfig

To generate a sum for a specific document, just follow the program name with the path, for example the Encryption Powerpoint linked below:

ISCW_Cryptography_and_VPNs_OU_template_v1.ppt

has a SHA sum of:

stevee@raspberrypi ~ $ shasum /SB/www/ISCW_Cryptography_and_VPNs_OU_template_v1.ppt
fd35a8bb72c3de697f0f0c151c57e3b16862b3b9 /SB/www/ISCW_Cryptography_and_VPNs_OU_template_v1.ppt

If you download this document and run the same program against this file, you should get EXACTLY the same hex number output. If not, it may indicate corruption or tampering.
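
The following is an added example, not part of the original post: it checks a file against a published hex sum, choosing the matching tool from the list above by the length of the sum (the 40-character sum shown above has the length of a SHA-1 sum). The function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post; the sample file is constructed.

# Pick the tool whose digest length matches a published hex sum.
# Collision attacks exist for MD5 and SHA-1, so prefer sha256sum or
# longer when publishing sums of your own.
tool_for_sum() {
    case ${#1} in
        32)  echo md5sum ;;
        40)  echo sha1sum ;;
        56)  echo sha224sum ;;
        64)  echo sha256sum ;;
        96)  echo sha384sum ;;
        128) echo sha512sum ;;
        *)   return 1 ;;
    esac
}

# verify_sum EXPECTED_HEX FILE
# Exit 0 on match, 1 on mismatch, 2 on bad input.
verify_sum() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "not a hex digest" >&2; return 2 ;;
    esac
    tool=$(tool_for_sum "$expected") || { echo "unknown digest length" >&2; return 2; }
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 2; }
    actual=$("$tool" "$2" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

sample=$(mktemp)
printf 'constructed sample document\n' > "$sample"
published=$(sha256sum "$sample" | cut -d' ' -f1)
verify_sum "$published" "$sample" && echo "OK: file matches published sum"
printf 'x' >> "$sample"     # simulate corruption or tampering
verify_sum "$published" "$sample" || echo "MISMATCH: do not trust this copy"
```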

Also, I have some old college "partly outdated" info on Java applet certs that will suffice to give an overview of the mechanisms involved:

-------------------------------------------------------------------------------------------

Java Security

Downloadable, executable code such as Java (Sun), DirectX (Microsoft), Flash (Adobe) Applets that can be “pop-ups” or “animations” can be given “trustworthy” status and verified as such by the use of Security Certificates which are granted to legitimate organizations or individuals that apply for them and are issued by various worldwide recognized Security Certification organizations such as Thawte and VeriSign.

HXold.jpg

A webpage’s certification details can be examined by right clicking it and viewing its properties:

HXold2.jpg

As seen above, the certificate is based on the RSA algorithm - Ron Rivest, Adi Shamir and Len Adleman (1977).

Public Key Encryption using the RSA algorithm was originally secretly invented by GCHQ's Ellis, Cocks and Williamson in 1973.

http://www.gchq.gov.uk/

http://www.cs.bris.ac.uk/Research/CryptographySecurity/Info/clifford_cocks.html

It should be noted here that the MD5 algorithm, as it pertains to certificate generation, is regarded as inherently insecure (“broken”) due to research done by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger: it is possible to create two different certificates that have the same MD5 hash value, and so generate false certification.

http://www.cs.pitt.edu/~adamlee/courses/2009sp/cs2530/lectures/md5.pdf

Date Accessed 19/12/09

http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html

Date Accessed 19/12/09

A Department of Homeland Security Risk Assessment paper states:

“In theory, a CA could fail if the organization that ran it neglected to update, secure, or maintain its infrastructure. For example, security researchers have recently demonstrated flaws in the Message-Digest algorithm 5 (MD5) hashing algorithm that could be exploited to create different PKI certificates that have identical checksums.”

“MD5 is a “one-way” 128-bit hash function developed by RSA (http://www.rsa.com/rsalabs/node.asp?id=2253). A hash function is a cryptographic algorithm that generates a fixed string of numbers from a text message. The “one-way” means that it is extremely difficult to turn the fixed string back into the text message. “One-way” hash functions are used for creating digital signatures for message authentication.”

http://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf

A webpage’s certificate details

HXold3.jpg

Similar methods can authenticate downloadable code by its “digital signature” and MD5 hash key values.

So how does a Certification scheme work? In Networking terminology a “socket” is a network connection comprising an IP address and port number, e.g. 10.0.0.1:22.

A socket would therefore be deemed “secure” when the data sent over that connection is encrypted. TLS or Transport Layer Security is a modification of SSL and is now commonly used when sending emails, in conjunction with an authentication scheme such as password identification.

The Verisign website gives a brief SSL overview:

“Secure Sockets Layer (SSL): How It Works

Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:

  1. An SSL Certificate enables encryption of sensitive information during online transactions.
  2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
  3. A Certificate Authority verifies the identity of the certificate owner when it is issued.”

[online] http://www.verisign.co.uk/  Date Accessed 19/12/09

The Java API incorporates an “access control” system that keeps unknown code – code that is downloaded over the network - contained in a restricted environment (the “Sandbox”) that does not allow access to the core Application Programming Interface program that links closely to the host system when the Java environment is installed locally.

Should unknown code try to access the host system in any way, a Security Manager object that sets the restrictions to code that is running in the Sandbox, prevents it by “throwing” a “Security Exception”. [Flanagan (1996)]

Should code have a digital signature from a trusted source (i.e. is certified) then the browser can be configured to treat the downloaded code as if it was installed locally and given full access to the Java API.

This may include the control of read, write or execute permissions on the applet code being set so it cannot access the host Operating System via the JRE, and sets controls on network access to servers other than the one from which the code was called. This prevents altered code from sending host system information to other websites (Trojan Horse behaviour), from opening other host ports to allow access to other malicious code, or from starting similar detrimental processes.

Authentication modules are included in the Java Virtual Machine libraries as added protection for checking that code has been unaltered. They use the “Message Digest” (MD5) algorithm method, which basically applies mathematical encryption techniques (which utilise prime numbers) to the downloadable file to produce a sum value for the correct original code. The sum can then be checked after the code has been received by a host: if the MD5 sum is unchanged from the original sum, then the code cannot have been altered, else the sum of the calculation would be different.

Bibliography

  • David Flanagan (1996) Java in a Nutshell, USA: O’Reilly
  • Girdley, Jones et al (1996) Web Programming with Java 1st Ed, Indianapolis, IN: Sams.net
  • Barnes, Kolling (2003) Objects First with BlueJ, Harlow: Pearson

References

  • [online] http://www.halifax.co.uk/SecurityandPrivacy/securitycertificates.asp Date Accessed 18/12/09
  • [online] http://www.verisign.co.uk/ Date Accessed 19/12/09
  • [online] http://www.di-mgt.com.au/rsa_alg.html Date Accessed 18/12/09
  • [online] http://www.gchq.gov.uk/history/pke.html Date Accessed 19/12/09
  • [online] http://www.cs.pitt.edu/~adamlee/courses/2009sp/cs2530/lectures/md5.pdf Date Accessed 19/12/09
  • [online] http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html Date Accessed 19/12/09
  • [online] http://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf Date Accessed 19/12/09
