Linux Cryptography: SSH, the International Kernel Patch, & StegFS

Presented at LUGoD on 2 May 2000

Henry House

This document may be freely copied under the terms of the GNU Free Documentation Licence; see .

I. OpenSSH

A. Background

You should all be using SSH instead of telnet, authenticated ftp, or (worst of all) r{login,cp,sh}. All of these protocols are vulnerable to address spoofing (in which your enemies set up a pirate server with your IP address so that you will connect to their server instead of your own and give them your password when you try to log in) and to interception of the information in transit -- including your password as well as the actual data that your password is supposed to keep private.

SSH solves these problems by (1) using a system of known hosts and issuing challenges and responses based on the public keys of those known hosts to prevent spoofing, (2) using public keys again to negotiate an initial secure channel, (3) using a one-time symmetric cipher to encrypt the data stream for extra security, and (4) optionally using a challenge-and-response system with public-key cryptography for user authentication instead of passwords.

There are at least four distributions of SSH: the original SSH, which was free (BSD-style license) and developed in Norway; the commercial SSH2 (low- or no-cost licenses available for certain non-business uses); OSSH (covered by various free licenses, further details unknown, e-mail me if you have information); and OpenSSH, which is based on the original SSH but has many improvements:

  * patent-encumbered algorithms have been removed to a separate library (openssl)
  * all known security problems with SSH are fixed
  * the SSH2 protocol is supported (though not in the present stable release)
  * non-restrictive BSD-style license
  * it was developed as one of the crown jewels of OpenBSD (it was released as an integral component of OpenBSD 2.6), whose record speaks for itself

I prefer OpenSSH.

B. Getting OpenSSH

Unfortunately, most distributions offer the unmaintained original SSH or, worse yet, do not offer an implementation of SSH at all. (The only major distribution that I know of that offers OpenSSH is LinuxPPC.) Mandrakesoft offers RPMs of OpenSSH for download and possibly on its CDs. I suggest that you get OpenSSH from Mandrakesoft (http://www.linux-mandrake.com/en/fcrypto.php3) or from the developers' site (openssh.com). (Mandrakesoft also has some other crypto software available together with their OpenSSH: lynx-ssl, Netscape-128, mod_ssl for apache, pgp, etc.) You can also get third-party RPMs designed for Red Hat Linux from ZedZ in Holland: http://www.zedz.net/redhat/

C. Usage

The program ssh replaces telnet; its basic syntax is:

    ssh [-l remote_username] host

You only need to supply your remote username on the command line if it differs from your local username. SSH has many more options, including selection of a cipher and arbitrary port forwarding (useful for X11).

After OpenSSH connects, it will prompt you to save the remote host's public key if it is an unknown host, authenticate the host if it is known, and authenticate you as a user on the remote host, either by prompting for your password or by exchanging challenges and responses using public-key cryptography.

The program scp replaces rcp; its basic syntax is:

    scp local_file remote_username@remote_host:remote_file

You may omit remote_file (but not the colon) to copy to your home directory on the remote host, using the same name as locally.

There are also two programs available, hsftp and psftp (not part of the OpenSSH distribution), that provide ftp-like services over ssh.

D. Notes on ciphers

OpenSSH provides a choice of two ciphers for encrypting its traffic: 3des and blowfish. While both are considered secure, blowfish runs considerably faster and so is the better choice. You will often find that you need to fall back on 3des for interoperability with other SSH distributions, however.

For negotiating the initial secure channel, the SSH1 protocol employs RSA, which is patented until September 2000 in the USA. The SSH2 protocol (supported by the commercial SSH2 and the forthcoming release of OpenSSH) employs DSA, which may be used without restriction in the USA and elsewhere.

II. The International Kernel Patch (www.kerneli.org)

Because of export restrictions the official Linux kernel sources have historically contained no strong cryptography. (Whether this will change now that the export restrictions have been reduced remains to be seen.) For this reason, a project called the International Kernel Patch exists to provide a central source for most of the crypto and crypto-dependent kernel code that is available.

The International Kernel Patch is distributed as a single patch (!) against a stable version of the official kernel source (which is also mirrored at their ftp site). Pre-patched kernel source trees are not available. To apply the patch:

    /usr/src/linux# zcat ../patch-int-.gz | patch -p1
    /usr/src/linux# make oldconfig

Then compile and install as usual. I could not get the md5 facility to compile on my PowerPC; I did not try it on an i386 machine. All the others compiled fine.

The International Kernel Patch provides:

  * A cipher API (which StegFS will use if it is available)
  * Many symmetric ciphers for that API, including blowfish, des, serpent, idea
  * Digest algorithms: sha1 and md5
  * Encryption support for loopback filesystems (i.e., you can have a filesystem inside an encrypted regular file)
  * ENSkip for secure network tunnels

Be aware that several of the ciphers in the kerneli patch are patented in many parts of the world. In particular, idea is patented in most developed countries. Also, des is weak and slow; I recommend avoiding those two ciphers unless you have special needs. Serpent is a good choice for the really paranoid among you and it is also quite fast.

III. StegFS

A. Background

Now for the really cool stuff: steganography.
First the definition: when I talk about steganography I mean concealing sensitive information inside apparently innocuous files so as to render the existence of the sensitive information impossible for others to determine. I will definitely not be talking about Steno pads or legal transcription. ;-)

There seem to be three filesystems that go by SFS (two of which are steganographically oriented): StegFS, the Steganographic File System, and the Self-certifying File System. I will not discuss the last two. There are also many steganography programs that hide individual files but do not hide a complete filesystem.

StegFS is distributed as a kernel patch (against a particular stable kernel version) and a set of user-space utilities. If you apply the International Kernel Patch as well and compile in its ciphers, StegFS will use them. StegFS also provides its own ciphers, which it can use instead. StegFS only works on top of ext2 at present.

B. Cautions

To provide plausible deniability, it is essential that there be no mechanism to prevent accidental over-writing or deletion of the files containing the steganographed data, since such a mechanism would reveal the existence and location of the data. StegFS keeps several backup copies of each file in its filesystems to lessen the chances of data loss, but this protection is far from absolute and it results in unthrifty use of disk storage. This is the price you pay for security. If you don't want this risk and don't need plausible deniability, you should use a loopback encrypted filesystem instead.

The usual precautions against forgetting your passphrase apply, of course. In the author's words (from the FAQ): "'I've forgotten my passphrase, can you get my files back for me?' No. I suggest you just try all 2^128 possible keys."

C. Obtaining and compiling StegFS

To compile the StegFS utilities, you need the ext2 userspace development files. These are often found in a package called e2fsprogs-devel. The relevant header files are /usr/include/{ext2fs,et,ss,uuid}; you also need some libraries and utilities that come with e2fsprogs.

The StegFS patch and StegFS utilities are available from the author's webpage, which is http://ban.joh.cam.ac.uk/~adm36/StegFS/. e2fsprogs should be available from your distribution.
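
Added example (not part of the original talk and not OpenSSH code): the known-hosts decision described in sections I.A and I.C, sketched as a shell function that saves an unknown host's key, accepts a known host whose key matches, and refuses a known host whose key has changed, which is the address-spoofing case. The one-pair-per-line file format, the function name check_host, the host name and the key strings are all assumptions constructed for illustration; a real client prompts before saving a new key and also makes the server prove it holds the matching private key.

```shell
#!/bin/sh
# Sketch of the known-hosts decision (illustrative, simplified file format:
# one "hostname key" pair per line; this is NOT OpenSSH's real format).

# check_host FILE HOST OFFERED_KEY
#   prints "new"      and records the key when HOST is unknown
#   prints "match"    when the stored key equals the offered key
#   prints "MISMATCH" and returns 1 when the stored key differs
check_host() {
    kh_file=$1
    host=$2
    offered=$3
    [ -f "$kh_file" ] || : > "$kh_file"

    # Exact comparison on the host field, so "host.example" never
    # matches an entry for "host.example.org".
    stored=$(awk -v h="$host" '$1 == h { print $2; exit }' "$kh_file")

    if [ -z "$stored" ]; then
        # First contact: remember the key for every later connection.
        printf '%s %s\n' "$host" "$offered" >> "$kh_file"
        echo new
        return 0
    fi
    if [ "$stored" = "$offered" ]; then
        echo match
        return 0
    fi
    # Key changed: possible pirate server. Never overwrite the stored
    # key automatically and never go on to send a password.
    echo MISMATCH
    return 1
}

# Constructed demonstration with made-up key strings.
kh=$(mktemp)
check_host "$kh" server.example.org constructed-key-1
check_host "$kh" server.example.org constructed-key-1
check_host "$kh" server.example.org constructed-key-2 ||
    echo "host key changed; refusing to send password" >&2
rm -f "$kh"
```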