Use the encryption commands to secure the Solaris server

Source: Internet
Author: User

The security of a Solaris server is closely tied to its cryptographic system. The Solaris Cryptographic Framework provides encryption services to applications and kernel modules seamlessly and transparently; user applications rarely notice it and are rarely disturbed by it. The framework consists of commands, a user-level programming interface, a kernel programming interface, and providers that implement optimized cryptographic algorithms.

The administrative command of the Solaris Cryptographic Framework is cryptoadm. It manages the running framework and is part of the Crypto Management rights profile, which you can assign to the role used to administer the framework. To view the available services, use the cryptoadm list command (Figure 1).

Figure 1: the available encryption services of the system

Figure 1 shows that the Solaris cryptographic framework offers three kinds of providers: user-level providers, kernel software providers and kernel hardware providers. Ordinary users can only use the user-level mechanisms.

To list the encryption mechanisms that may currently be used on the system, run cryptoadm list -p (Figure 2).

Figure 2: listing the encryption mechanisms that can be used on the system

To view all encryption mechanisms, use the cryptoadm list -m command.

1. Steps for adding a software encryption service

Adding a PKCS #11 encryption library:

(1) Install the software package:

# pkgadd -d /path/to/package pkginst

(2) Refresh the system cryptographic service:

# svcadm refresh system/cryptosvc

(3) Check the provider list; the PKCS #11 library now appears in it:

# cryptoadm list

How to disable an encryption service

The command that disables a software, hardware or kernel encryption service is the same in every case, so one example is enough.

Disable DES encryption in the kernel.

(1) Check which mechanisms the des provider offers:

$ cryptoadm list -m provider=des

(2) Check whether the des encryption service is enabled:

$ cryptoadm list -p provider=des

(3) Disable the mechanism with the disable subcommand:

$ cryptoadm disable provider=des mechanism=CKM_DES_ECB

(4) Check that the des service is now disabled:

$ cryptoadm list -p provider=des

The output is shown in Figure 3.

2. Steps to protect files using encryption

Users can store their files in encrypted form. Although a superuser can read such files, the superuser cannot make sense of their content, because the content has been scrambled by the encryption algorithm and only the holder of the key can restore it with the decryption algorithm. Can we be sure that a file still has the content of the original after transmission? How do we notice that the file has been modified by someone else? There are two ways to verify file integrity: digital signatures and message authentication codes (MACs).

1. Generating symmetric keys

A key is the secret information that controls the encryption and decryption algorithms, so the generation, transmission and storage of keys are very important. A symmetric algorithm uses the same key for both encryption and decryption. It is best to generate the key randomly. The following describes how to generate a random key with the dd command and the /dev/urandom device.

(1) Before generating a key, find out which key lengths the system's encryption algorithms support.

First, display the digital signature (digest) algorithms with the digest -l command (Figure 4).

Figure 4: displaying the digital signature algorithms

Display the MAC mechanisms with the following command:

% mac -l

Choose a key length between the minimum and maximum values shown. For example, for sha1_hmac and md5_hmac the key length can be 8, 16 or 64.

(2) Create a key for the DES algorithm

In the following example, a key is created for the DES algorithm and stored for later decryption. The DES mechanism uses a 64-bit key, which is expressed as 8 bytes in the dd command.

# dd if=/dev/urandom of=$HOME/keyf/05.07.des8 bs=8 count=1

(3) Store the key and restrict its permissions so that other users cannot read it.

% chmod 400 ~/keyf/05.07.des8
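The key-generation steps above, wrapped in a POSIX shell function as an added example that is not part of the original article. It derives the dd byte count from the encrypt(1) mechanism name (des, 3des, aes) and creates the file under umask 077 so the key is owner-only from the moment it exists, instead of being chmod'ed after the fact; the function names and the key file paths are assumptions.

```shell
# make_sym_key ALGORITHM KEYFILE [BYTES]
# Writes a random symmetric key of the length the named encrypt(1) mechanism
# expects (des: 8 bytes, 3des: 24 bytes, aes: 16/24/32 bytes, default 16).
# Returns 0 on success, 1 on a bad algorithm or length, 2 if the key could not
# be written in full.
make_sym_key() {
    alg=$1; keyfile=$2; bytes=$3
    case "$alg" in
        des)  bytes=8 ;;                  # 64-bit DES key
        3des) bytes=24 ;;                 # 192-bit Triple DES key
        aes)
            bytes=${bytes:-16}            # 128-, 192- or 256-bit AES key
            case "$bytes" in 16|24|32) ;; *) return 1 ;; esac ;;
        *)    return 1 ;;
    esac
    # Remove any stale file, then create the new one under umask 077 so the key
    # is owner-only from the moment it exists; chmod afterwards leaves a window
    # in which the fresh key is world-readable.
    rm -f "$keyfile"
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs="$bytes" count=1 2>/dev/null ) || return 2
    # /dev/urandom never blocks, but verify that dd really wrote a full key.
    actual=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$actual" -eq "$bytes" ] || return 2
}

# key_mode KEYFILE -> prints the permission string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Example (assumed paths): a 3DES key for the encrypt command in section 3.
make_sym_key 3des "$HOME/keyf/05.07.des24" && key_mode "$HOME/keyf/05.07.des24"
```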

2. Steps for checking file integrity

There are two methods to check file integrity.

(1) Compare the digest of the file with the published one to see whether the file has been changed.

For example, when downloading software for Linux and UNIX we often see a file with the same name plus a .md5 extension. It usually contains a single line of text, roughly of this form:

md5 (dcghj.tar.gz) = 85c0a53d1a5cc71ea34d9ee7b1b28

Compute the digest of the downloaded file:

% digest -v -a md5 dcghj.tar.gz > $HOME/digest.dcghj.05.07

% cat ~/digest.dcghj.05.07

md5 (dcghj.tar.gz) = 85c0a53d1a5cc71ea34d9ee7b1b28

The two digests match, so the downloaded file is consistent with the original on the website.
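The comparison above done by script rather than by eye, as an added example that is not part of the original article. It parses the "md5 (name) = hash" line format shown above (and, going beyond the article, the "hash  name" format written by md5sum), computes the file's digest with digest(1) on Solaris or md5sum/openssl elsewhere, and refuses to "verify" a checksum line that is not a well-formed 32-hex-digit MD5; the function names are assumptions.

```shell
# compute_md5 FILE -> prints the lowercase hex MD5 of FILE.
# Uses digest(1) on Solaris; elsewhere falls back to md5sum or openssl.
compute_md5() {
    if [ "$(uname -s)" = SunOS ] && command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# expected_md5 MD5FILE -> prints the hash recorded in a .md5 file, lowercased.
# Handles "md5 (name) = hash" (digest -v, BSD md5) and "hash  name" (md5sum).
expected_md5() {
    line=$(head -n 1 "$1")
    case "$line" in
        *=*) hash=${line##*=} ;;      # everything after the last '='
        *)   hash=${line%% *} ;;      # first whitespace-separated field
    esac
    printf '%s\n' "$hash" | tr -d ' \t' | tr '[:upper:]' '[:lower:]'
}

# verify_md5 FILE MD5FILE -> 0 if the digests match, 1 if they differ,
# 2 if the recorded value is not a well-formed 32-hex-digit MD5 (for example
# a truncated line), so a malformed checksum is never silently accepted.
verify_md5() {
    want=$(expected_md5 "$2")
    case "$want" in
        ""|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq 32 ] || return 2
    have=$(compute_md5 "$1")
    [ "$have" = "$want" ]
}

# Example (assumed file names): verify_md5 dcghj.tar.gz dcghj.tar.gz.md5
```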

3. Steps to ensure the confidentiality of files

File encryption and decryption protect the confidentiality of a file. Use the encrypt command to encrypt a file and the decrypt command to decrypt it.

In the following example the 3DES algorithm encrypts the file. 3DES requires a 192-bit (24-byte) key.

% encrypt -a 3des -k ~/keyf/05.07.des24 -i ~/personal2.txt -o ~/enc/e.personal2.txt

To decrypt the output file, use the same key and the same mechanism that were used to encrypt it.

% decrypt -a 3des -k ~/keyf/05.07.des24 -i ~/enc/e.personal2.txt -o ~/personal2.txt

Note: 3DES, i.e. Triple DES, runs DES three times in a specific order using only two keys; three independent keys can also be used.

4. System password encryption algorithms

Strong cryptographic algorithms give the system better protection. The algorithms provided by Solaris are shown in Table 1.

Table 1: cryptographic algorithms

The configuration file for changing the default password encryption algorithm is /etc/security/policy.conf. It contains a CRYPT_DEFAULT field; set it to the identifier of a different algorithm to change the system default.

To change the system's default algorithm to Blowfish:

Modify /etc/security/policy.conf so that it contains the following:

CRYPT_ALGORITHMS_ALLOW=1,2a,md5

#CRYPT_ALGORITHMS_DEPRECATE=__unix__

CRYPT_DEFAULT=2a
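An audit check for the policy.conf settings above, added here as an example and not part of the original article. It reads CRYPT_DEFAULT, CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE from a policy.conf path you pass in and flags the cases where the traditional __unix__ crypt is still the default or still allowed; it assumes the policy.conf(4) rules that an absent CRYPT_DEFAULT means __unix__ and that an absent allow list permits every algorithm, and the function names are assumptions.

```shell
# policy_value FILE KEY -> prints the last uncommented value of KEY=... in a
# Solaris policy.conf (empty if the key is absent or only present as a comment).
policy_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# crypt_policy_audit FILE -> 0 when the password-hash policy is sound;
#   1 if CRYPT_DEFAULT is (or falls back to) __unix__, the traditional DES crypt
#     with its 8-character password limit;
#   2 if __unix__ is still allowed, so accounts already hashed with it keep
#     using it when they change their password instead of migrating;
#   3 if CRYPT_DEFAULT is not in CRYPT_ALGORITHMS_ALLOW (new hashes would be
#     refused).
crypt_policy_audit() {
    def=$(policy_value "$1" CRYPT_DEFAULT)
    def=${def:-__unix__}              # assumed policy.conf(4) default
    allow=$(policy_value "$1" CRYPT_ALGORITHMS_ALLOW)
    deprecate=$(policy_value "$1" CRYPT_ALGORITHMS_DEPRECATE)
    [ "$def" != "__unix__" ] || return 1
    if [ -n "$allow" ]; then
        case ",$allow," in
            *,__unix__,*) return 2 ;;
        esac
        case ",$allow," in
            *,"$def",*) ;;
            *) return 3 ;;
        esac
    else
        # No allow list: every algorithm in crypt.conf is accepted unless deprecated.
        case ",$deprecate," in
            *,__unix__,*) ;;
            *) return 2 ;;
        esac
    fi
    return 0
}

# Example: crypt_policy_audit /etc/security/policy.conf; echo "status $?"
```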

Summary: This article describes how to use the Solaris 10 encryption commands to secure a Solaris server; the version used here is Solaris 10 5/08. Besides the commands that Solaris itself provides, third-party tools such as GnuPG (http://www.gnupg.org/) can also be used for encryption and decryption.

