Outline (only the items whose text survived extraction): 4. Secure Shell; 5. xinetd / TCP wrappers; 6. IPsec; 7. Firewall (e.g., SOCKS)
Authentication methods:
2. Password file (/etc/passwd) - Shadow Password File (/etc/master.passwd)
3. OTP (One Time Password) - Challenge & Response
4. ssh (Secure Shell) - Remote Login
5. RADIUS (Remote Authentication Dial In User Service)
OTP Challenge & Response (OPIE: ftp://ftp.nrl.navy.mil/pub/security/opie/opie-2.3.tar.gz)
Figure: the server sends the challenge (19462 28472) to the client (Windows95); the client computes f(19462, 28472) = JOB ARTS WERE FEAT TITLE and returns it; the server checks the response and answers OK.
OTP setup with OPIE
1. Register a secret pass phrase (opiepasswd):
    $ opiepasswd -c
    Using MD5 to compute response:
    Enter old secret pass phrase: 3J5Wd6PaWP
    Enter new secret pass phrase: 9WA11WSfW95/NT
    Again new secret pass phrase: 9WA11WSfW95/NT
    ID tyler OPIE key is 498 wi01309
    CITE JAN GORY BELA GET ABED
2. Generate OPIE keys (one-time passwords) in advance (opiekey):
    $ opiekey -n 5 495 wi01309
    Enter secret pass phrase: 9WA11WSfW95/NT
    491: HOST VET FOWL SEEK IOWA YAP
    492: JOB ARTS WERE FEAT TILE IBIS
3. Log in with the OTP:
    $ telnet sh.wide.ad.jp
    login: tyler
    otp-md5 492 wi01309
    response or password: JOB ARTS WERE FEAT TILE IBIS
Each OTP is accepted only once, so a response captured on the wire cannot be replayed for a later login.
Remote Shell - ssh (Secure Shell)
- Ciphers: RSA, IDEA, DES
- Source: http://www.cs.hut.fi/ssh ; Windows client: TeraTerm
- Programs: sshd (secure shell daemon), ssh (replaces rlogin), scp (replaces rcp), ssh-keygen
- Client key pair: .ssh/identity (private), .ssh/identity.pub (public) => appended to .ssh/authorized_keys on the server
- Host keys: .ssh/ssh_known_hosts, /etc/ssh_known_hosts
Remote Shell - ssh (Secure Shell): connection setup
1. Server public (host) key, checked against /etc/ssh_known_hosts or .ssh/known_hosts
2.-4. Session key exchange and use (figure of hosts A and B; only the step labels survive)
RADIUS
Figure: Dial-up User -> NAS / Port Master (RADIUS Client) -> RADIUS Server (Security System) holding the dial-up user names and passwords.
Outline (repeated), item 3: sub-items (i), (ii) Free
File permission pitfalls
(1) Global / Group (SGID) / User (SUID) permissions
(2) Readable / Writable. Example: chavez's .login is writable by group chem, and /etc is writable by its group owner (root & system). Anyone in group chem can therefore add to chavez's .login commands that run at chavez's next login, such as:
    rm -f /etc/passwd
    cp /tmp/data526 /etc/passwd
Installing software
(1) The installing user (e.g., root)
(3) Archive: list the contents before unpacking: tar tf file
Outline (repeated), item 4: Secure Shell (ssh); DNS
DNS Message Exchange - client verification (rlogin)
Figure: the rlogin client opens a TCP connection to the rlogin server. The server asks its NS for the PTR record of the client address (PTR?); the query is referred via the root NS to the client's NS, which returns the PTR (name) and the NS / A records. The server then asks for the A record of that name (A?) and compares the returned address with the address of the connecting client.
Outline (repeated), item 5: xinetd / TCP wrappers, sub-items (i), (ii), (iii)
2. tcp_wrapper (http://csrc.nist.gov/tools/tools.htm)
(1) /etc/inetd.conf
Before:
    #service socket protocol wait? user program           arguments
    ftp      stream tcp      nowait root /usr/sbin/ftpd    ftpd
    telnet   stream tcp      nowait root /usr/sbin/telnetd telnetd
    shell    stream tcp      nowait root /usr/sbin/rshd    rshd
    login    stream tcp      nowait root /usr/sbin/logind  logind
After (every service is started through tcpd, which checks hosts.allow / hosts.deny before running the real daemon):
    #service socket protocol wait? user program        arguments
    ftp      stream tcp      nowait root /usr/sbin/tcpd ftpd
    telnet   stream tcp      nowait root /usr/sbin/tcpd telnetd
    shell    stream tcp      nowait root /usr/sbin/tcpd rshd
    login    stream tcp      nowait root /usr/sbin/tcpd logind
(2) Make inetd reread its configuration: kill -HUP pid-of-inetd-process
3. Access control files
(1) /etc/hosts.allow
    fingerd : ophelia hamlet laertes
    rshd, rlogind : LOCAL EXCEPT hamlet
    telnetd, ftpd : LOCAL, .expcons.com, 192.1.4.
(2) /etc/hosts.deny
    ALL : ALL : (/usr/sbin/safe_finger -l @%h | /usr/sbin/mail -s %d-%h root) &
hosts.allow is consulted first, then hosts.deny; LOCAL matches host names without a dot, a leading dot matches a domain suffix, and a trailing dot (192.1.4.) marks an address prefix (without the trailing dot the string would be compared as a host name). The deny rule here refuses everything not explicitly allowed and reports each refused connection to root by mail.
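To make the evaluation order of the two files concrete, here is an added example (not from the slides or from tcp_wrappers itself) that applies the hosts_access(5) rules to the hosts.allow / hosts.deny entries above. The rule files are constructed copies of the slide's entries, the host names and addresses used in the checks are hypothetical, and the command expansion covers only the %d, %h and %a sequences.

```python
# Added example: evaluate hosts.allow / hosts.deny the way tcp_wrappers does (hosts_access(5)).
# Not part of tcp_wrappers; rule text is a constructed copy of the slide's two files.
from typing import Callable, List, Optional, Tuple

HOSTS_ALLOW = """
fingerd : ophelia hamlet laertes
rshd, rlogind : LOCAL EXCEPT hamlet
telnetd, ftpd : LOCAL, .expcons.com, 192.1.4.
"""
HOSTS_DENY = """
ALL : ALL : (/usr/sbin/safe_finger -l @%h | /usr/sbin/mail -s %d-%h root) &
"""

Rule = Tuple[List[str], List[str], Optional[str]]   # (daemon tokens, client tokens, shell command)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: shell_command]' lines; blanks and comments are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        command = fields[2].strip() if len(fields) == 3 else None
        rules.append((daemons, clients, command))
    return rules


def match_list(tokens: List[str], matches: Callable[[str], bool]) -> bool:
    """'list1 EXCEPT list2' matches when list1 matches and list2 does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matches) and not match_list(tokens[i + 1:], matches)
    return any(matches(t) for t in tokens)


def client_matches(token: str, host: str, addr: str) -> bool:
    """Client patterns: ALL, LOCAL (name without a dot), .domain suffix, n.n.n. address prefix, or exact."""
    host = host.lower()
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in host
    if token.startswith("."):
        return host.endswith(token.lower())
    if token.endswith("."):
        return addr.startswith(token)
    return token.lower() == host or token == addr


def expand(command: str, daemon: str, host: str, addr: str) -> str:
    """Expand %d (daemon), %h (client host) and %a (client address) in a shell_command field."""
    return command.replace("%d", daemon).replace("%h", host).replace("%a", addr)


def hosts_access(daemon: str, host: str, addr: str,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> Tuple[bool, Optional[str]]:
    """Return (granted, shell_command): first hosts.allow match grants, first hosts.deny match
    refuses, and a request matching neither file is granted."""
    for verdict, text in ((True, allow), (False, deny)):
        for daemons, clients, command in parse_rules(text):
            if match_list(daemons, lambda t: t == "ALL" or t == daemon) and \
               match_list(clients, lambda t: client_matches(t, host, addr)):
                return verdict, (expand(command, daemon, host, addr) if command else None)
    return True, None


if __name__ == "__main__":
    for request in [("fingerd", "hamlet", "192.1.4.7"), ("rshd", "hamlet", "192.1.4.7"),
                    ("telnetd", "gw.expcons.com", "10.9.8.7"), ("ftpd", "probe.example.net", "192.1.5.1")]:
        print(request, hosts_access(*request))
```

The deny rule's shell command is returned rather than executed, so the evaluator is safe to run against any rule set; the point of the ALL : ALL deny entry is visible in the last case, where a host matching no allow entry is refused and the mail report to root is generated with the daemon and host names filled in.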
Outline (repeated), item 6: IPsec, sub-items (1), (2), (3)
Security protocols:
1. Mail: PEM, MOSS, S/MIME, PGP (Pretty Good Privacy)
2. SOCKS (http://www.socks.nec.com/)
3. IPsec: AH (Authentication Header), ESP (Encapsulating Security Payload), IKE (Internet Key Exchange)
1. AH (Authentication Header): integrity and origin authentication of the IP packet with a keyed hash (HMAC-MD5, HMAC-SHA-1)
Packet layout: IP header | AH | Payload
AH fields: Next Header, Payload Len., Reserved, Security Parameters Index (SPI), Sequence Number, Authentication Data (ICV)
2. ESP (Encapsulating Security Payload): encryption of the IP payload (DES-CBC, 3DES-CBC, NULL-Enc) with optional authentication (HMAC-MD5, HMAC-SHA-1, NULL-Auth)
Packet layout: IP header | ESP | ...
ESP fields: Security Parameters Index (SPI), Sequence Number, Payload Data, Padding, Pad Length, Next Header, Authentication Data (ICV)
AH / ESP have two modes:
(1) Transport mode (End-to-End): IP | ESP | Payload; the original IP header is kept and only the payload is protected.
    Figure: host - Internet - host; the packet IP | Payload is sent as IP | ESP | Payload.
(2) Tunnel mode (Gateway-to-Gateway): IP2 | ESP | IP1 | Payload; the whole original packet (IP1 | Payload) is encapsulated behind a new outer header IP2.
    Figure: host - IPsec-GW - Internet - IPsec-GW - host; IP1 | Payload inside each site travels as IP2 | ESP | IP1 | Payload between the gateways.
3. IKE (Internet Key Exchange): based on ISAKMP/Oakley; key agreement by Diffie-Hellman
[1] Hash functions (map N bits to m bits, N > m)
(1) MD5 (Message Digest 5); RFC1321, RFC1828; used by POP3 (APOP)
(2) HMAC (Keyed-Hashing for Message Authentication); RFC2104; used by RFC1826 (AH)
[2] Encryption
(3) DES (Data Encryption Standard): secret key; RSA (Rivest, Shamir, Adleman): public key
Key lengths: DES (56 bit), DES (112 bits), RC2, RC4 (1024 bits), IDEA (128 bits); PGP
Source: http://www.psn.or.jp/trouble/security.html
ssh (Secure Shell)
MD5 (128 bits), SHA (160 bits)
PGP signed message (example)
    -----BEGIN PGP SIGNED MESSAGE-----
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv
    iqcvawubmey8r6utc+xzfetzaqenuap+n30di02sly+rrya2gbj2u2imwofjeyks
    1AkvsN9errDk4N/VcFmc3d6F4heDkiy87u3XAVoulz2orb9xZ3qFveoEZp3QLLa6
    Pkzs6/N1nmJZFZFlf1M8yUR5WZTbyaVHQmC1AuSZhJsM8+8S/+IbpXVPJJ68M4JE
    cdybt86eekm=
    =UE6f
    -----END PGP SIGNATURE-----
PGP (RSA + IDEA)
PGP encrypted message (example)
    -----BEGIN PGP MESSAGE-----
    Version: 2.6.3ia
    hiwdps0l7hmurnkba/4qk4bdxailag9tos8srdd09ip4pbocw8ernyzkc8bjzhrq
    bmeposnrpv8qwrpttwb3pkuhph9et5bbgiyuw36hlviet5z5ot3rs+xnfsz1tyxw
    xkxt+nndce6gntb6jqbuym2/frowwmnoc1bnkd6eiqzfekduwbuhksrduh6bfqya
    AAA3YBJcBDcrQtcIuA5R+bvivZ8gc8Fx3JCcUtW4yH+embVTTSUw+xTt0JSUoo93
    u5+lhgrrzbessg==
    =00WV
    -----END PGP MESSAGE-----
Outline (repeated): 4. Secure Shell (ssh); 5. xinetd / TCP wrappers; 6. IPsec; 7. Firewall
4 Levels of Firewall Configurations (Intranet - Internet)
(1) Simple gateway: a single choke between Intranet and Internet
(2) Belt and Suspender: choke plus proxy
(3) TIP: proxy
(4) Disconnect
Packet filtering at the firewall
1. Source routing (the FW should not honour source-routed packets)
2. Filtering on the socket {src_ip, src_port, dst_ip, dst_port}; ftp needs special treatment
   (a) WWW, anonymous-ftp, IRC
   (b) NIS, NFS, RPC, TFTP, SNMP
   (c) SMTP, NNTP, HTTP, FTP
3. Proxy (application gateway), e.g., SOCKS: ftp://ftp.nec.com/pub/security/socks.cstc/socks.cstc.4.2.tar.gz
Figure: SOCKS configuration. Internet side: www.b.com (DNS: A2.1.1.3). Router A1.1.1.1 connects to the Intranet, where the Application Gateway socks.a.com (A1.1.1.2) runs SOCKS; internal DNS holds socks.a.com A1.1.1.2, Mail.A.com A1.1.1.3, www.a.com A1.1.1.4, ftp.a.com A1.1.1.5.
Firewall System Configuration
Figure: Internet - External Router - Proxy - Intranet (proxies between the two networks).
Mail security: APOP (qpopper); SMTP; SPAM
46
APOP (Authenticated POP): plain POP3, as typed over telnet, sends the password in clear text on every connection. With APOP the client instead sends an OTP-style digest, MD5(<PROCESS_ID.TIME_STAMP@HOSTNAME> APOP_PASSWORD): the MD5 of the timestamp banner the server announces in its greeting, concatenated with the shared APOP password, so the value differs on every connection.
APOP setup with qpopper 2.2
(1) Create the APOP directory:
    # mkdir /usr/local/etc/popper
    # chown pop.bin /usr/local/etc/popper
    # chmod 700 /usr/local/etc/popper
(2) Initialise the APOP DB:
    # /usr/local/bin/popauth -init /usr/local/etc/popper/pop.auth.db
(3) Register an APOP user:
    # /usr/local/bin/popauth -user hiroshi
    Changing POP password for hiroshi
    New password: *******
    Retype new password: *******
(4) Delete an APOP user:
    # /usr/local/bin/popauth -delete hiroshi
Once a user is registered in the APOP DB, qpopper no longer accepts the plain POP password for that user; only APOP is allowed.
APOP (Authenticated POP) session
    IP address of esaki.nc.u-tokyo.ac.jp is 130.69.251.25
    Socket 140 connection with port number 110 established
    S: +OK QPOP (version 2.2-krb-IV) at esaki.nc.u-tokyo.ac.jp starting. <8315.909875232@esaki.nc.u-tokyo.ac.jp>
    C: APOP hiroshi dda5d5b82f4f6ac1d25adea125e170fa
    S: +OK hiroshi has 2 message(s) (4553 octets).
    C: LIST
    S: +OK 2 messages (4553 octets)
    S: 1 4553
    S: .
    C: RETR 1
    S: +OK 4553 octets
    Receiving #1...
    C: DELE 1
    S: +OK Message 1 has been deleted.
    C: QUIT
    Remote host closed socket
    S: +OK Pop server at esaki.nc.u-tokyo.ac.jp signing off.
    Socket closed successfully
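The digest in the APOP line above is exactly the MD5 construction described earlier. The following added example (not from the slides or from qpopper) shows both sides of it: the client extracting the timestamp from the greeting and building the APOP command, and the server recomputing the digest from its stored secret (the role of pop.auth.db). The greeting, user name and password below are constructed; the known-answer vector is the one in RFC 1939 section 7.

```python
# Added example: APOP digest computation and verification per RFC 1939.
# Not qpopper code; the greeting, user and secret used in __main__ are constructed.
import hashlib
import hmac
import re
from typing import Dict

# Known-answer vector from RFC 1939 section 7 (real values from the RFC).
RFC1939_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC1939_SECRET = "tanstaaf"
RFC1939_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"

_TIMESTAMP_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def extract_timestamp(greeting: str) -> str:
    """Return the <process-id.clock@hostname> token from the +OK greeting.
    A greeting without it means the server does not offer APOP."""
    m = _TIMESTAMP_RE.search(greeting)
    if m is None:
        raise ValueError("greeting carries no APOP timestamp; server does not offer APOP")
    return m.group(0)


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over the timestamp string immediately followed by the shared secret, as 32 hex digits."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def build_apop_line(greeting: str, user: str, secret: str) -> str:
    """Client side: the command line sent instead of USER/PASS."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


def verify_apop(timestamp: str, user: str, presented: str, secrets: Dict[str, str]) -> bool:
    """Server side: recompute the digest from the clear-text secret store and compare
    in constant time. The server must have announced `timestamp` on this very connection,
    so a digest captured from an earlier session does not verify."""
    secret = secrets.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(timestamp, secret), presented.lower())


if __name__ == "__main__":
    # Constructed greeting in the same shape as the qpopper banner in the session trace.
    greeting = "+OK QPOP (version 2.2) at pop.example.test starting. <4242.946684800@pop.example.test>"
    store = {"alice": "s3cret"}                      # stands in for pop.auth.db
    line = build_apop_line(greeting, "alice", "s3cret")
    print(line)
    ts = extract_timestamp(greeting)
    print("fresh timestamp:", verify_apop(ts, "alice", line.split()[2], store))
    print("replayed digest:", verify_apop("<4243.946684801@pop.example.test>", "alice", line.split()[2], store))
```

Because the server must recompute MD5(timestamp + secret), the APOP DB has to hold the secret in recoverable form rather than as a one-way hash; that is why the slide's setup gives /usr/local/etc/popper mode 700 and a dedicated owner. APOP protects the password on the wire, not the mailbox contents, which still travel in clear text.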
SMTP relay restriction: configure sendmail (/etc/sendmail.cf) to relay mail only for trusted sources, decided by the source IP address of the connecting host rather than by the From address, which the sender controls.
SMTP relay restriction in /etc/sendmail.cf:
    MAIL_RELAY_RESTRICTION=yes
    REJECT_SOURCE_ROUTE_RELAY=yes
Local hosts allowed to relay, by IP address and by domain:
    LOCAL_HOST_IPADDR=/etc/sendmail.localip
    LOCAL_HOST_DOMAIN=/etc/sendmail.localdomain
Mail encryption: End-to-End (PGP, S/MIME, PEM, MOSS, KPS) versus gateway (GW) based; Received and Message-Id headers
SPAM
SPAM countermeasures: sender IP address, DNS, mailing list (ML) management
SPAM filtering by source IP in /etc/sendmail.cf:
(1) Reject senders listed in public blacklists (MAPS RBL, ORBS):
    USE_MAPS_RBL=yes
    USE_ORBS=yes
(2) Define the local hosts / domains allowed to relay:
    LOCAL_HOST_IPADDR=/etc/sendmail.localip
    LOCAL_HOST_DOMAIN=/etc/sendmail.localdomain