Protocols, Standards, and Applications

Many types of cryptographic solutions can be applied from the Application layer all the way down to the Physical layer. Often, a pen test will uncover the use of protocols that are blatantly insecure. Examples include File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), and Telnet. All these applications pass information in cleartext. The applications and protocols discussed here are all solutions that the ethical hacker can recommend to clients to help them build a more secure infrastructure.

• Secure MIME (S/MIME) S/MIME adds two valuable components to standard email, digital signatures, and public key encryption. S/MIME supports X.509 digital certificates and RSA encryption.
• Pretty Good Privacy (PGP) PGP is similar to PKI but does not have a CA. PGP builds a web of trust because the users must determine who they trust. Users sign and issue their own keys. PGP stores the public key in a file named pubring.pkr; keys located here can be shared with anyone. The user's secret key is in the file named secring.skr. Loss of this file exposes the secret key and allows a hacker to gain access or spoof the user. PGP can be used to secure email and to encrypt data. It was developed to provide high level encryption to the average user.

  Banks Need Encryption Too! The use of cryptography is no longer a privilege reserved for governments and highly skilled specialists, as it is becoming available for everyone. For hundred of years, secrets have been kept in many forms. For electronic information, math is the underlying tool to keep a secret. People use secrets for privacy, trust, access control, electronic payments, corporate security, and countless other items. The bottom line is that, everyone, everyday, needs a way to securely communicate over open hostile channels with the use of plaintext. Secrets make up a large part of our daily activity. For example, I work online with my banker. Recently, she sent me a plaintext email message over a clear, hostile, open channel on the Internet. My bank balance was in the message. Not a huge security risk, but a risk nonetheless. It was information I intended to keep secret, and she made my private information public. I helped myself and her when I asked if she could make our correspondence a secret. She said she had never had that requested before, which was unusual because she works for a well-known bank. I explained how we could use a shared secret password to encrypt the information, and she agreed; now she has a way to keep private client information secret. Solutions such as PGP and password-protected documents are easy to use and implement. Take time to share your security knowledge. Help those without the benefits of computer security exposure and experience. This "in the field" segment was contributed by Sondra Schneider. She is an 18-year security industry veteran and the CEO and founder of Security University.

• Secure Shell (SSH) A protocol that permits secure remote access over a network from one computer to another. SSH negotiates and establishes an encrypted connection between an SSH client and an SSH server on port 22 by default. The steps needed to set up an SSH session are shown in Figure 12.12.

  Figure 12.12. SSH Handshake.

• Secure Sockets Layer (SSL) Netscape Communications Corp. initially developed SSL to provide security and privacy between clients and servers over the Internet. It's considered application independent and can be used with Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Telnet to run on top of it transparently. SSL uses RSA public key cryptography. It is capable of client authentication, server authentication, and encrypted SSL connection.
• IPSec The most widely used standard for protecting IP datagrams is IPSec. Because IPSec can be applied below the Application layer, it can be used by any or all applications and is transparent to end users. It can be used in tunnel and transport mode.
• Point-to-point tunneling protocol (PPTP) Developed by a group of vendors that included: Microsoft, 3Com, and Ascend. PPTP is composed of two components: the transport, which maintains the virtual connection, and the encryption, which ensures confidentiality. It is widely used for virtual private networks (VPNs).
• Encrypted File System (EFS) Microsoft developed EFS as a built-in encryption system. EFS allows users to encrypt NTFS files, folders, and directories. These files remain encrypted if moved or renamed. EFS does have a backdoor, as it allows a person designated as the recovery agent to unencrypt or recover the information. This backdoor can be useful because it enables access to the data without having to go through any type of password cracking process. On Windows 2000, the administrator was the recovery agent by default; in Windows 2003, you must define a recovery agent. There's another great method to bypass EFS if files are encrypted while not residing within an encrypted folder. When a standalone file is encrypted with EFS, the file is not encrypted directly. A backup copy of the file is created and moved into the temp directory. It is named efs0.tmp. Next, the data in the temp file is encrypted and moved back into the original file. Finally, the temporary file is deleted just as a normal file is. This means that the entry is removed from the FAT and the clusters on the disk are marked available for use. Unless the clusters have been wiped or overwritten, you could take a hex editor or a tool, such as Diskprobe, and search for efs0.tmp. From there, you can easily view any remaining data that hasn't been overwritten.

Note

Enabling EFS file system encryption at the folder level will prevent attacks against the efs0.tmp file. A good place to start would be the MyDocuments folder, as it would encrypt documents on-the-fly when they are saved to the folder.