Secure Installation and Configuration, Page 2: Asymmetric Encryption and GnuPG
This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)
A Short Introduction to Asymmetric Encryption and GnuPG
Encryption is the conversion of data into a form (called ciphertext) that can only be decoded by authorized parties. The decoding process commonly needs a key, which means that only the people holding the right key will be able to decrypt the information and recover the original data.
The most basic encryption technique is one where the same secret key is used both to encipher and to decipher the information. This is called symmetric encryption (or secret key encryption). Let’s suppose that Adam wants to communicate with Betty. Adam encrypts the data he wants to send using his secret key, and the information is safe while in transit. Betty then has to use the same key to decode the information. The problem with this scheme is: how does Adam deliver his secret key to Betty safely? There is no easy solution to this problem.
An alternative approach is asymmetric encryption, where Adam has two related keys: a private key and a public key. The two keys are generated together as a pair, and a piece of information encrypted with one of them can only be decrypted with the other. Adam’s and Betty’s public keys are made widely available through as many channels as possible (such as the Web), while each private key stays with its owner. When Adam wants to send a message to Betty, he encrypts the message with Betty’s public key. From that moment on, no one except Betty, the holder of the matching private key, will be able to decrypt the message, not even Adam, who encrypted it in the first place!
NOTE: Using a metaphor, the public key is a padlock, and the private key is the key for that particular padlock. It is in your best interest to give away as many padlocks as possible (your public key), and at the same time keep your padlock’s key very secret (your private key).
After you’ve used encryption for a while, you will have several people’s public keys stored somewhere in your computer (the key’s exact location in the file system depends on the program you use). In GnuPG terminology, other people’s public keys would be placed in your public key ring.
Another important application of asymmetric encryption is the ability to sign a block of data (a document, for example). If Adam wants to send a message to Betty, and wants her to be absolutely sure that the communication came from Adam and no one else, all Adam has to do is create a digital signature for that message. A digital signature is the hash value of the message, encrypted with Adam’s private key. A hash value is a fixed-size string computed from the message, designed so that two different messages will not produce the same hash value. All Betty has to do is calculate the hash value of the received message, decrypt the received hash value (that is, the signature) using Adam’s public key, and compare the two: if they match, the message is genuine.
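The two operations just described (encrypt with the recipient's public key, sign by "encrypting" a hash with the sender's private key) as an added, constructed example in textbook RSA; this is not code from the book or from GnuPG, the Mersenne primes, message text and 128-bit truncated hash are illustrative assumptions, and the key size and lack of padding make it unsuitable for real use.

```python
import hashlib

# Constructed toy key pair from two known Mersenne primes (2^61-1 and 2^89-1).
# Real keys use random primes of 1024+ bits and padding; this is for illustration only.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                          # public modulus, about 150 bits
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python >= 3.8)
PUBLIC_KEY = (E, N)                # safe to hand out: the "padlock"
PRIVATE_KEY = (D, N)               # kept secret: the padlock's key

def encrypt(message: bytes, public_key) -> int:
    """Adam encrypts for Betty with Betty's public key (e, n)."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "message too long for this toy modulus"
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of the matching private key (d, n) recovers the message."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def toy_hash(message: bytes) -> int:
    """SHA-256 truncated to 128 bits so the value fits below the ~150-bit modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def sign(message: bytes, private_key) -> int:
    """Signature = hash of the message, 'encrypted' with the signer's private key."""
    d, n = private_key
    return pow(toy_hash(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recompute the hash, 'decrypt' the signature with the public key, compare."""
    e, n = public_key
    return pow(signature, e, n) == toy_hash(message)

if __name__ == "__main__":
    msg = b"Meet at noon"
    print(decrypt(encrypt(msg, PUBLIC_KEY), PRIVATE_KEY) == msg)   # True
    sig = sign(msg, PRIVATE_KEY)
    print(verify(msg, sig, PUBLIC_KEY))                            # True
    print(verify(b"Meet at 1pm", sig, PUBLIC_KEY))                 # False: altered message
```

The last check shows why Betty compares the two hashes: any change to the message, or to the signature itself, makes the comparison fail.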
Setting Up GnuPG
Most Linux distributions provide GnuPG, so I will assume that you have GnuPG installed on your system. The first time you run it, some basic configuration files will be created:
[merc@merc merc]$ gpg
gpg: /home/merc/.gnupg: directory created
gpg: /home/merc/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
[merc@localhost merc]$
You can now create your own public and private keys using the option --gen-key:
[merc@merc merc]$ gpg --gen-key
[...]
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <firstname.lastname@example.org>"

Real name: Tony Mobily
Email address: email@example.com
Comment: Myself
You selected this USER-ID:
    "Tony Mobily (Myself) <firstname.lastname@example.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
[...]
key marked as ultimately trusted.
pub  1024D/B763CD69 2003-08-03 Tony Mobily (Myself) <email@example.com>
     Key fingerprint = A524 518E 9487 F66F C613 A506 0D8F C15F B763 CD69
sub  1024g/0C1049EE 2003-08-03
[merc@merc merc]$
Notice how I have chosen all the default options: “DSA and ElGamal” for my key pair, 1024 bits for the encryption key, and no expiration date. I have also entered all my personal details: name, surname, comment, and e-mail address. My ID will be “Tony Mobily (Myself) <firstname.lastname@example.org>”.
This chapter is from Hardening Apache, by Tony Mobily (Apress, 2004, ISBN: 1590593782).