Network System Security

I've dealt with public/private key and certificate issues since 2000 and have always had to go back to the openssl documentation when I needed to set things up again. The commands just don't seem to stay in my head after I need to use them. In the last two years alone I've had to set up more than 3 certificate issuing/signing systems for labs and then integrate the production systems with real PKI systems.

So, I thought I'd take my notes from these and put them here for future reference. I call it "Notes on Using Openssl"

Formatting notes:

Certificates can come in three formats:

PEM
DER
PKCS12

These have the same underlying structure, but are presented in different ways. PEM is the default openssl format. It starts with this:

-----BEGIN CERTIFICATE-----

and ends with this:

-----END CERTIFICATE-----

In between is a lot of ASCII characters. These are the actual certificate with the public key embedded, private key, or both. If the key is there, you have the option to protect it with a password or not. The stuff in the middle is in BASE64 encoded DER format.

A DER file doesn't have the ASCII headers, but also stores the same things as the PEM, only it is ASN1 DER encoded.

PKCS12 is also known as PFX. It can also contain the same information as the PEM/DER, but it is in a binary format. Browsers use PKCS12 for their certificate/key import/export needs. It will actually encrypt the key part with a password, so the key can be sent over the network to the user without having to build a separate secure channel for transport (a good FAQ on the PKCS12 format is here).

If you want to use a certificate/key for a program, PEM or DER are your formats. If you want to use it in a browser, then PKCS12 is your go-to guy.

Creating your own CA:

Sometimes, particularly for development, one will want to create one's own RootCA. No one else will ever trust your CA, but you can trust yourself and learn how to deal with certificates.

Openssl has a good FAQ on key generation and certificates, but here's mine anyway.

First, you have to create your new root public/private key set. The key can be generated alone:
openssl genrsa -des3 -out key-srv.pem 1024

and if you are hard-core testing and want no security, move the key to non-password-protected file:
openssl rsa -in ca.key -out ca.key.unsecure

This key will always stay with you. Put it in a sub-folder so it never gets confused with new keys. However, to be useful you need a public counterpart to distribute to the world. No one will trust you unless that public key is signed by a reputable authority (who will, in theory, verify you are who you say you are and have secured your key; in theory...). For now, we want to be our own root CA, so we modify the command

openssl req <-config if-using-your-own-conf> -new -x509 -key <path-to-the-key-we-made>.pem -out cacert.pem -days 3650

Now we have a root key and certificate, trusted by no one!

Now we can create CSRs and keys to our heart's content and sign them using our own rootCA. You can either do this with the default information which you then change at the prompt or you can use your own configuration file (that's another story in itself).

openssl req -new -key <you have a new key for this, right?> -out lab.csr

Or you can create both the key and the CSR in one command:

openssl req -new -nodes -keyout <path-to-new-key>.key -out lab.csr

Using a custom config:

openssl req -config <path-to>/openssl.cnf -new -out <path-to>.csr

So, now we sign the request:

openssl ca (-config <if-custom>) -keyfile <path-to-root-CA-key> -cert <path-to-root-CA>cacert.pem -out <path-to-client-certs-dir>.pem -infiles <path-to-csr-files>.csr 

Now, it's easy to just send it as is (browsers can import PEM formats), or you can convert it to DER for use in programs:

openssl x509 -in client01.pem -out client01.der -outform DER

PKCS12 has it's own set of commands if you want/need that format (IE documentation seems to prefer it for some reason):

You can either generate a new one:
openssl pkcs12 -export -out cacert.p12 -inkey ./private/cakey.pem -in ./cacert.pem 

Occasionally I've had to extract a key and certificate from PKCS12:

openssl pkcs12 -export -out <path-to>.p12 -in <path-to>.pem -inkey <path-to>.key

Finally, if you are ever in doubt you can verify a certificate:

look at it in plain text:
openssl x509 -in <cert-path>.pem -noout -text

Verify that the cert is valid according to your root chain:
openssl verify <-CAfile if verifying against a non-trusted CA>

As part of my building and securing the next generation of wireless technologies I'm putting together aFreeRADIUS authentication system for all WiMAX devices. This is a big deal on many levels and for many reasons. Most importantly, it is a result of our campaign with other WiMAX Forum people to get a private key and certificate installed on all WiMAX devices. From a security perspective, this is one of the most important things to happen in wireless technologies since the SIM card and HLR in GSM.

Well, as I was building this lab FreeRADIUS I ran into a problem. Frustrated and unable to find the solution, I turned to the email group that the developer of FreeRADIUS has. The conversation went like this:

Me: My installation seems to be missing a file. That file is in other installations that are done this other way, but not mine. Where is the file supposed to come from?

Person A: Why are you so stupid as to not know where that file is? Why are you bugging me with this stupid thing? Don't you know how to read the "./configure" output? I suppose I could bring myself to tell you that you are going to need software X in order for it to work.

Me: Of course I know about the "./configure" and all it told me was that the file wasn't made. My question is "where is the file *supposed* to be?" Fine, software X needs to be there.

(not stated: why the hell don't you tell us that software X is a requirement in the first place?)

Person B: Don't be mean to person A, he's a god, you are shit. You asked your question in a stupid way. 

(not stated: Person A, I'm your bitch, please love me)

Me:<;no reply--I've got work to do>

When I ran into another issue with this software, I didn't even bother asking. I found another deficiency in his package and fixed it myself.

What caught my mind about this, besides general annoyance, is a memory of the 80's movie "Revenge of the Nerds." It's a classic tale of the nerdy underdogs beating the big, bad, and dumb jocks. What makes the nerds appealing is a combination of their cleverness and their willingness to embrace outsiders. The sad reality, as illustrated in the modern nerd-world of "open source" software is that these people are more arrogant and exclusionary than any hollywood jock could be. The nerds got revenge, then went on a rampage and are now the very establishment they hate.

My encounter with the FreeRADIUS people is not unique. All around the world business-types are demanding that their technology departments reduce costs, so technologists turn to free software, built on this ideal of "by the people, for the people, and *not* Microsoft." But their software is as buggy as anything made by the Gates crew and their support is every bit as un-helpful while being rude to boot. 

With Vista soon to be unleashed on we poor consumers (even my Mac needs Parallels) I thought I'd offer my thoughts on a talk on Vista Security, given by Michael Howard (the self-proclaimed God of code security at Microsoft) at the OWASP conference in Seattle back in September. His book has a good reputation and a place on my bookshelf (a dusty place--I fell asleep trying to read it) and he has a good reputation in the industry for knowing code security. It didn't make much sense, though, that he was speaking at OWASP, because Vista is not a Web Application server. His talk bore that out: he was on and on about low-level programming issues, not web application security. But it was about security and I guess OWASP was just happy to have him there

Listening to him was a painful "return-to-Mormonism" hour for me. Working at Microsoft must be a lot like working for the LDS church. He never presented any external data about Vista or security issues in general, he went on and on about how silly and uneducated those "open source" idiots are, and how Microsoft is taking security seriously (he himself is exibit A: look at how smart he is!).

In typical, "brainwashed-institution" fashion, he framed the debate in the way that only his side made any sense. Come to think of it, that was the advice my law school professor had for legal arguments... At least in Law, the other side can make their own case. No apple/Linux/BSD representatives here...

Howard framed the debate like this:

Problem: Software development has security flaws. They are not discovered before launch because: 

1-Developers aren't security minded
2-QA people are stupid
3-There are no external people looking at the software
4-No tools can find them

Solution (as brilliantly worked out by himself):

1-We have smart security developers who review code ("look at me--I wrote books, sing with Homer Simpson: I am so smart, S M R T")
2-Microsoft has required annual security training for developers ("my book is part of the curriculum!")
3-We have crash files that report why systems crashed--we give those to our non-Microsoft beta users ("see, we have a 'user community'--just like Open Source!")
4-We have internally developed tools

Most of what he said was so painfully self-serving and contradictory I thought I was at a Mormon General Conference: 

--He tells the epic tale of how he found a security flaw in XP and, as our hero--the valiant security guy--he defended his requirement that some component be deactivated in the face of the evil corporate types who wanted him to surrender his principles to the God of Money. Eventually, he surrendered because the Evil Corporate Types pointed out that no one would use Windows if this component were not activated. Next, he tells a story of how security people are useless because all *they* do is criticize and tear down, but never offer solutions and build. Was it a coming of age tale where our hero learns that people only pay you to write code if other people can *use* that code? No, he was right both when he fought and when he caved.

--He says that having many eyes on your code helps find bugs (example: Microsoft uses consultants to review their code! Consultants are *never* beholden to their client). However, when he, in his brilliance, found one bug in an Apache 1.3 security patch, he reported it to the open source developer who wrote the patch. That developer got mad because a Microsoftie (himself) had found something. It offended his open source sensibilities. Those silly open source people.

Oh, and wasn't I smart because I found that Apache flaw?

--Tools are, according to him, all but useless. They can't solve "human" problems. Oh, but Microsoft uses SAL. A debugging tool.

--"'Browser' and 'secure' should never be used in the same sentence." Then he goes on to except IE7 from that list. It's the shit--no security bugs there! 

Besides the rampant internal contradictions, the general information about Vista is that they are fighting last year's fight. He went on and on about how he's comparing/evaluating Vista against XP and how much better Vista is. For example, Vista now has service-specific wrappers! Something that sounds familiar to the Unix world, but is lacking in Windows, until now! It doesn't actually bind services to interfaces, but hey--it's a start.

He then went on to show us a table about all the things that Vista does that Mac OS X doesn't (I don't think he saw how many glowing apples were in the audience, staring up at him). Not sure why he decided to pick on Mac (those "I'm a Mac/I'm a PC" ad had just come out...) but he did. It's a bit technical, but on three code security topics, he said this:

For images:

Mac doesn't have Section reordering (well, ok neither does Vista)
Mac doesn't have EXE randomization (well, neither does Vista)
But Vista does have DLL randomization! (which Mac doesn't have, because Mac doesn't use DLLs...)

On the stack:
Vista has Frame protection, exception protection, local variable protection, randomization, and it is non-executable.

Granted, those are nifty unless someone turns them off (read on...).

For the Heap
Vista offers metadata protection, randomization, and it is also non-executable

Mac... well not so much of any of those. Alas.

But then the finale! This just blew my mind. He talks about how Vista has all these things turned off by default, but that a program can turn them on! That Law School class taught me a few things about how lawyers think. This is a law-talking-guy thing to do. It provides Microsoft with plausible deniability! They are saying, in essence, "we turned everything off by default, so if it's insecure, it's because you turned the insecurity back on!"

So what exactly is the value of Windows now? It's no longer "easy to use" because you have to go in and enable things in order to allow your program to work. It's no longer "interoperable" because what works on my system may not work on yours because services are not enabled. And most of all--if you get hacked, it's not Microsoft's fault!

Vista--use at your own risk.

Some final, random notes:

look--we have Blue Hat (a "hacker" conference)! Don't mention that it's invitation only.

"Non-Windows people are in denial about their own security issues"

"I wish other people would admit that they have security problems"