12/20/2023 0 Comments Secure password repository linuxThat’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part. In 2012, after an exponential rise of OS X malware (such as MacDefender and Flashback), Apple decided to change its homepage by removing sentences like “ It doesn’t get PC viruses.”Ī Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. Just as some people believe Macs are immune to viruses, some Linux users have the same misconception – and who can blame them? After all, vendors have been telling them that for years. Specifically, Chapter 10 of part 3.We are well into the 21st century, but it is astonishing how people can still believe that Linux-based operating systems are completely secure. Indeed, “Linux” and “security” are two words that you rarely see together. It may be helpful to also review NIST's many guidelines for key management: If, for example, these devices are used to control a safety-critical feature of an airplane or car, you may not tolerate even one-time, physical attacks. Of course, you really need to tune your risk model / tolerance to your organization and application. Given this our risk is likelihood x impact = low/medium x low = ~ low risk Since we have a unique key pair assigned to each device, an attacker who does any amount of work to crack or change the key pair for a target device will NOT be able to reuse the work on other targets. Option 3 is perhaps the most likely, but hard to avoid unless disabling SSH is allowable. Option 2 is possible, albeit somewhat time consuming and not scalable. Likelihood: An attacker can not log in without presenting a proper private certificate (which amounts to guessing a sufficiently long key: impractical) OR by tampering with the device's memory to replace the public certificate OR due to a software implementation bug in the login procedure. Goal: Prevent malicious attacker from logging into to device over SSH. Now let's look at the likelihood and impact of an attack: The device verifies it using the stored (unique) public key. To login, you essentially "sign" some piece of data (using the private key) and send this to the device. Generate a private/public key pair in your back office for each device, place the public key on the device file system and the private key in some back office "key management system". You can mitigate most of the above issues by relying on public-key cryptography. At which point, every device is again vulnerable. Doing so provides some window of opportunity for an attacker to dump memory and get the password before first boot. This means you shouldn't "change the password " as suggested. Using a unique salt per device is a definite improvement assuming you don't store the actual password anywhere (only store the salted hash). If the salt is shared across all devices, you have a problem very similar to what I previously described: an attacker simply needs to do a memory dump one time and all devices become vulnerable (a serial number is obviously not cryptographically strong) so best practice is to assume an attacker will be able to take the (shared) password and the (shared) salt, guess the serial number and compute the correct password per target device with little effort. This makes things slightly better, but not by much. Should I write code that on the first boot changes the password to salted hash of the device serial number the work effort for the attacker is constant, rather than linear w.r.t targets). However, if only one secret is used, then every device can be compromised with no extra effort (i.e. If you used a different secret per device, an attacker would have to do an eMMC dump (for example) for each device, which is extraordinarily hard to scale. For example, it is simple enough to dump the contents of eMMC using physical means. It is nearly impossible to do so in the field. The first is that you are likely underestimating likelihood: It is very hard to keep something a secret in your own company.There are two primary problems which make the risk (likelihood x impact) of an attack high: Should we generate a strong password offline, keep it closely guarded secret, and use the same one across all copies of the device?Ībsolutely not.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |