Recently in Cryptography Category

Celebrating Expiration Day

On the last day of the year my email stopped coming in. You may have read about my approach to fetch my email using a secure tunnel that uses SSL certificates in addition to a password to access my email. Well, on the last day of the year my ROOT CERTIFICATE, which I use for Kerry Linux, had expired after five years. Time flies by.

As I had other plans for the days ahead, I thought I would just renew the root certificate to buy time, but my attempts to renew it did not result in a new usable certificate to replace the old one. My user certs, which are not up for expiration yet, could not be reanimated with a quick fix like that.

After a while I thought there must be a reason for that, and I began to think about root certificates more thoroughly. In the past five years we've definitely seen the breaking of MD5, and SHA-1 is not invincible either. Would it not be prudent to increase the key length, use a more secure (i.e. longer) hash, and go through the trouble of creating a new root key and issuing new user certs? I decided to go down that route and created a fresh new CA root key with 4096 bits for the Kerry Linux Certification Center. Although my openssl software only permits using SHA-1, which is a pity, I felt content, and everything was up and running for me in an hour or so.


Re-Animation of the old ROOT KEY

After a while I began to wonder if it was possible to reanimate the old key and, out of curiosity, tried to explore the way to do it in more detail. I googled and found this nice posting from Arsen Hayrapetyan, which led me to success. My former attempts to recreate the old certificate always led me to the following error message when I tried to verify a user's certificate:

openssl verify -verbose -CAfile KLCC-2010.pem support@kerrylinux.ie.cert
support@kerrylinux.ie.cert:
/C=IE/ST=Ireland/L=Kerry/O=Kerry Linux/CN=support@kerrylinux.ie/emailAddress=support@kerrylinux.ie
error 20 at 0 depth lookup:unable to get local issuer certificate

Unable to get the issuer certificate? I supplied it in the command, but it didn't work out as planned.

So I followed Arsen's hints and created a testbed for an experiment, where I set the serial number back to 00 and emptied the file "index.txt" so that my new certificate could inherit the properties of the old one including its serial number. Then I created a new certificate request based on the old root certificate "cacert.cert" and used this new request to sign it with the old key.

openssl x509 -x509toreq -in cacert.cert -signkey private/cakey.pem \
-out certreq.csr

openssl ca -config KLCC.cnf -in certreq.csr -out cacert_renewed.pem \
-keyfile private/cakey.pem -cert cacert.cert -extensions v3_ca


The result was a new root certificate "cacert_renewed.pem" that verified my old user certs perfectly.

openssl verify -verbose -CAfile cacert_renewed.pem \
support@kerrylinux.ie.cert
support@kerrylinux.ie.cert: OK
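
The same renewal on a throwaway CA, as an added example that is not part of the original post. It assumes a constructed "Demo CA" with 2048-bit RSA and SHA-256, self-signs the renewed root with `openssl x509 -req -signkey` instead of `openssl ca` with KLCC.cnf, and uses `openssl verify -attime` to simulate a date after the old root has expired; a root with the same subject but a fresh key is included as a control.

```shell
#!/bin/sh
# Added demo on a constructed throwaway CA; all names and files are made up.
# check LABEL CAFILE EPOCH: verify user.pem against CAFILE as of time EPOCH.
check() {
  if openssl verify -attime "$3" -CAfile "$2" user.pem >/dev/null 2>&1
  then echo "$1=ok"; else echo "$1=fail"; fi
}

renew_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Demo CA
CN = Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
  # Old root: valid for one day only.
  q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config ca.cnf \
    -extensions v3_ca -keyout ca.key -out ca_old.pem
  # User certificate issued under the old root, valid for a year.
  q openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/O=Demo CA/CN=user@example.test" -keyout user.key -out user.csr
  q openssl x509 -req -in user.csr -CA ca_old.pem -CAkey ca.key -set_serial 1 \
    -sha256 -days 365 -out user.pem
  # Renewal: request derived from the old root, self-signed with the SAME key.
  q openssl x509 -x509toreq -in ca_old.pem -signkey ca.key -out ca.csr
  q openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 3650 \
    -extfile ca.cnf -extensions v3_ca -out ca_renewed.pem
  # Control: identical subject, but a freshly generated key.
  q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -extensions v3_ca -keyout ca2.key -out ca_newkey.pem
  later=$(( $(date +%s) + 2 * 86400 ))   # two days on: the old root has expired
  check old_root ca_old.pem "$later"
  check renewed_root ca_renewed.pem "$later"
  check new_key_root ca_newkey.pem "$later"
)

renew_demo
```

Only the renewed root validates the existing user certificate after the old root's expiry; the control root fails despite carrying the same subject, because the user certificate's signature was made with the old key.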


It's good to have an alternative, isn't it?

WEP Is Dead, Long Live WPA


The Final Nail in WEP's Coffin

I have to admit it, this is old news, very old news. WEP is dead, and the final nail had been driven into WEP's coffin some three years ago. But many WiFi networks still use WEP today, although a much more secure alternative, WPA-2, has been available for a long time.

People tend to believe that any encryption is better than none and don't bother to use high-grade security methods instead of broken ones like WEP. Obviously the publication of research papers has only a limited effect on the ordinary user's willingness to change habits or consciousness of the problem. Unless the weak methods disappear from the router's firmware menu, we'll see people using them.

Switching Over to WPA

It's fairly easy to dump WEP and to use WPA-2 instead, because WPA-2 can use a pre-shared key, a secret that must be available both in the router or access point and in the client machine that is about to establish a secure wireless connection. There is clearly no need to add further complexity (like RADIUS servers and the like) just to replace WEP for a simple wireless link.

In a first step you have to change the security settings of the access point / router to WPA2-PSK and select a new long secret key for encryption. As WPA-2 uses the Advanced Encryption Standard (AES) with a 256 bit key, the new secret key ought to have as much entropy as possible. You can use the following command to get a reasonably long random secret (of 160 bit entropy) for use by the router and the client.

#> dd if=/dev/random bs=1 count=200 | sha1sum

After that your wireless client is cut off, as the router makes use of a different, and more secure, access method. It's prudent to use a new secret key, as your encryption has been weak in the past and the old one might have been compromised long ago; you'll never know for sure.

In order to re-establish the wireless link, the client machine will use a daemon called wpa_supplicant that has to be started just before the wireless network adapter starts to reach out for the access point or router. Of course wpa_supplicant will need at least two pieces of information: the name of the wireless network (its SSID) and the secret encryption key we've already stored in the router. Please double-check that the daemon's config file has minimal permissions (root read access only) to protect the wireless secret key, and add something like the following lines to your config file "/etc/wpa_supplicant/wpa_supplicant.conf":

network={
    ssid="your-wireless-network-name"
    scan_ssid=0
    key_mgmt=WPA-PSK
    psk="420320d9c0fa8e6cc635381f4717090224385965"
}
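
One way to generate the secret, write the config file with owner-only permissions and check those permissions afterwards, as an added example that is not part of the original post. The function names and the SSID are hypothetical, and it reads /dev/urandom instead of /dev/random so that it never blocks.

```shell
#!/bin/sh
# Added example; function names are hypothetical, the caller supplies path and SSID.

# make_psk: hash 200 random bytes down to 40 hex characters (160 bits).
make_psk() {
  dd if=/dev/urandom bs=1 count=200 2>/dev/null | sha1sum | cut -d' ' -f1
}

# write_wpa_conf FILE SSID: create FILE so that only its owner can read it.
write_wpa_conf() (
  umask 077                 # new files get mode 0600
  rm -f -- "$1"             # an existing file would keep its old, wider mode
  psk=$(make_psk)
  # A quoted psk is a passphrase; wpa_supplicant requires 8..63 characters.
  [ "${#psk}" -ge 8 ] && [ "${#psk}" -le 63 ] || exit 1
  printf 'network={\n\tssid="%s"\n\tscan_ssid=0\n\tkey_mgmt=WPA-PSK\n\tpsk="%s"\n}\n' \
    "$2" "$psk" > "$1"
)

# conf_is_private FILE: succeed only if group and others have no access bits.
conf_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Run as root, `write_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf your-wireless-network-name` produces the file described above, and `conf_is_private` can be rerun later to catch a config whose permissions have been loosened.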

The only thing you need to ensure is that the daemon is started whenever you use your wireless adapter, and that the firewall recognizes your new link. Yes, it's that easy to dump WEP for good. Finally.
