Home arrow Apache arrow Page 2 - Secure Installation and Configuration

Asymmetric Encryption and GnuPG - Apache

This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)

  1. Secure Installation and Configuration
  2. Asymmetric Encryption and GnuPG
  3. GnuPG and Apache Signatures
  4. Checking and Installing Apache
  5. Running Apache and Testing it with Nikto
  6. Secure Configuration
  7. File Permissions
  8. Don’t Give Extra Information Away
  9. Apache and SSL
  10. Generate Certificates
  11. Configuration
By: Apress Publishing
Rating: starstarstarstarstar / 31
August 17, 2004

print this article



A Short Introduction to Asymmetric Encryption and GnuPG

Encryption is the conversion of data into a form (called a cipher text) that can only be decoded by authorized people. The decoding process commonly needs a key—this means that only the people with the right key will be able to decrypt the information and have the original data available again.

The most basic encryption technique is one where the same secret word is used to both cipher and decipher the information. This is called symmetric encryption (or secret key encryption). Let’s suppose that Adam wants to communicate with Betty. Adam will have to encrypt the data he wants to send using his key. The information will be safe while in transit. Then, Betty will have to use Adam’s key to decode the information. The problem with this scheme is: how does Adam deliver his private key to Betty? There is no easy solution to this problem.

An alternative approach is asymmetric encryption, where Adam would have two related keys: a private key and a public key. If a piece of information is encrypted using a private key, the only way to decrypt it is by using the right public key (the two keys are generated at the same time). Adam’s and Betty’s public keys would be widely available through as many means as possible (such as through the Web). When Adam wants to send a message to Betty, he encrypts the message with Betty’s public key. From that moment on, no one except Betty will be able to decrypt the message—not even Adam, who encrypted it in the first place!

NOTE Using a metaphor, the public key is a padlock, and the private key is the key for that particular padlock. It is in your best interest to give away as many padlocks as possible (your public key), and at the same time keep your padlock’s key very secret (your private key).

After you’ve used encryption for a while, you will have several people’s public keys stored somewhere in your computer (the key’s exact location in the file system depends on the program you use). In GnuPG terminology, other people’s public keys would be placed in your public key ring.

Another important application of asymmetric encryption is the ability to sign a block of data (a document, for example). If Adam wants to send a message to Betty, and wants her to be absolutely sure that the communication came from Adam and no one else, all Adam has to do is create a digital signature for that message. A digital signature is the hash value of the message, encrypted with Adam’s private key. A hash value is a string generated using the message as the source of information, with the guarantee that two different messages will have two different hash values. All Betty has to do is to calculate the hash value of the received communication, decrypt the received hash value (that is, the signature) using Adam’s public key, and compare the two.

Setting Up GnuPG

Most Linux distributions provide GnuPG, so I will assume that you have GnuPG installed on your system. The first time you run it, some basic configuration files will be created:

[merc@merc merc]$ gpg
gpg: /home/merc/.gnupg: directory created gpg: /home/merc/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
[merc@localhost merc]$

You can now create your own public and private keys using the option --gen-key:

[merc@merc merc]$ gpg --gen-key
Please select what kind of key you want:
    (1) DSA and ElGamal (default)
    (2) DSA (sign only)
    (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
                        minimum keysize is 768 bits
                        default keysize is 1024 bits
         highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
             0 = key does not expire
       <n>   = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years

Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)?

You need a User-ID to identify your key; the software constructs
the user id from Real Name, Comment and Email Address in this form:
      "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Tony Mobily
Email address:
Comment: Myself
You selected this USER-ID:
      "Tony Mobily (Myself)
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
You need a Passphrase to protect your secret key.
key marked as ultimately trusted.
pub 1024D/B763CD69 2003-08-03 Tony Mobily (Myself)
     Key fingerprint = A524 518E 9487 F66F C613 A506 0D8F C15F B763 CD69
sub 1024g/0C1049EE 2003-08-03
[merc@merc merc]$

Notice how I have chosen all the default options: “DSA and ElGamal” for my private key, 1024 bits for the encryption, and no expiration date. Also, I have entered all my personal details: name, surname, comments, and e-mail address. My ID will be “Tony Mobily (Myself ) merc@mobily.com”.  

This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.

>>> More Apache Articles          >>> More By Apress Publishing

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates


Dev Shed Tutorial Topics: