Author: Preston St. Pierre
for qt, krb5, kdelibs, zlib,kernel, acrobat, gaim, and the Linux kernel. The
distributors include Debain, Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware,
SuSE, Trustix, and TurboLinux.Introduction to Cryptography
Implementing any large security
project on the Linux operating system requires the use of cryptography. Several
weeks ago, I wrote about a book by Fred Piper and Sean Murphy titled, “Cryptography:
A Very Short Introduction.” It offers a very good introduction to the subject,
but those wishing to implement cryptography in an open source projects need
a more in-depth understanding of the area. Another excellent resource is the
“Handbook of Applied Cryptography,” by Menezes, Oorschot, and Vanstone. It has
often been considered “the bible of cryptography” and offers a detailed and
technical view.
The first several chapters of the
book focus on the basics. It gives an overview and history of cryptography and
follows with an explanation of the mathematics necessary to understand the algorithms.
Midway through the book, it gives detailed information to help the reader understand
stream ciphers, block ciphers, and finally public key encryption. After the
reader has an understanding of the algorithms, the book moves to explain how
they can be used in key establishment protocols. It also offers chapters on
key management and tips for efficient implementation.
For the long time manager, this
book may be slightly on the technical side. However, there are clear benefits
for management having an understanding of technical subjects. Cryptography today
offers a very strong level of protection. It only fails in implementation. For
example, keys are not properly protected or managed. For those of you wishing
to learn a little more about the fascinating subject of cryptography, I highly
recommend this book.
Perhaps the best part is
that the book is available fully for free on the Web:
http://www.cacr.math.uwaterloo.ca/hac/
Hard-copies of the book can also
be purchased through Amazon or any other large bookseller.
When any company decides to take
on a in-house software development project, it is essential to include cryptographic
mechanisms. Books such as this, can give programmers the proper knowledge necessary
to understand how cryptography works and how to avoid problems.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:
An
Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code
– Gary McGraw is perhaps best known for his groundbreaking work on securing software,
having co-authored the classic Building Secure Software (Addison-Wesley, 2002).
More recently, he has co-written with Greg Hoglund a companion volume, Exploiting
Software, which details software security from the vantage point of the other
side, the attacker. He has graciously agreed to share some of his insights with
all of us at LinuxSecurity.com.
Security
Expert Dave Wreski Discusses Open Source Security – Dave Wreski,
CEO of Guardian Digital, Inc. and respected author of various hardened security
and Linux publications, talks about how Guardian Digital is changing the face
of IT security today. Guardian Digital is perhaps best known for their hardened
Linux solution EnGarde Secure Linux, touted as the premier secure, open-source
platform for its comprehensive array of general purpose services, such as web,
FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.
[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
Linux Advisory Watch is
a comprehensive newsletter that outlines the security vulnerabilities that have
been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.[
Subscribe
]
| Distribution: | Debian | ||
| 8/27/2004 | icecast-server cross site scripting vulnerability |
||
|
Markus W?rle discovered a cross site scripting problem in status-display |
|||
| 8/30/2004 | qt | ||
| arbitrary code execution and DoS Several vulnerabilities were discovered in recent versions of Qt, a commonly |
|||
| 8/31/2004 | python2.2 really fix buffer overflow |
||
| arbitrary code execution and DoS This security advisory corrects DSA 458-1 which caused some segmentation |
|||
| 8/31/2004 | krb5 | ||
| several vulnerabilities The MIT Kerberos Development Team has discovered a number of vulnerabilities |
|||
| Distribution: | Fedora | ||
| 8/31/2004 | krb5 | ||
| double-free bugs (Core 1) Several double-free bugs were found in the Kerberos 5 KDC and libraries |
|||
| 8/31/2004 | krb5 | ||
| double-free bugs (Core 2) Several double-free bugs were found in the Kerberos 5 KDC and libraries. |
|||
| Distribution: | Gentoo | ||
| 8/27/2004 | Mozilla, Firefox, Thunderbird New releases fix vulnerabilities |
||
| double-free bugs (Core 2) New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox fix several |
|||
| 8/27/2004 | kdelibs | ||
| Cross-domain cookie injection vulnerability The cookie manager component in kdelibs contains a vulnerability allowing |
|||
| 8/27/2004 | zlib | ||
| enial of service vulnerabilit The zlib library contains a Denial of Service vulnerability. |
|||
| 8/27/2004 | gaim | ||
| New vulnerabilities
Gaim contains several security issues that might allow an attacker to execute |
|||
| Distribution: | Mandrake | ||
| 8/27/2004 | kernel | ||
| multiple vulnerabilities A race condition was discovered in the 64bit file offset handling by Paul |
|||
| 9/1/2004 | krb5 | ||
| multiple vulnerabilities A double-free vulnerability exists in the MIT Kerberos 5’s KDC program that |
|||
| Distribution: | OpenBSD | ||
| 8/31/2004 | zlib | ||
| reliabilty fix A bug has been found in the version of zlib included in OpenBSD 3.5 (and |
|||
| Distribution: | Red Hat |
||
| 8/27/2004 | acrobat | ||
| security issues An updated Adobe Acrobat Reader package that fixes multiple security issues |
|||
| 8/31/2004 | krb5 | ||
| security vulnerabilities Updated Kerberos (krb5) packages that correct double-free and ASN.1 parsing |
|||
| 8/31/2004 | krb5 | ||
| security issues Updated krb5 packages that improve client responsiveness and fix several |
|||
| Distribution: | Slackware | ||
| 8/27/2004 | gaim | ||
| updated again A couple of bugs were found in the gaim 0.82 release, and gaim-0.82.1 was |
|||
| Distribution: | Suse | ||
| 9/1/2004 | kernel | ||
| vulnerabilities
Various signedness issues and integer overflows have been fixed within kNFSd |
|||
| Distribution: | Trustix | ||
| 8/27/2004 | courier-imap, samba, zlib Multiple vulnerabilities |
||
| vulnerabilities
Security roll-up. |
|||
| Distribution: | Turbolinux | ||
| 8/31/2004 | rsync, qt vulnerabilities |
||
| vulnerabilities
Security roll-up for 31/Aug/2004. |
|||
