Does anyone know how to transition authentications on NTP? I've done copious amounts of research, none being fruitful. For example, NTP currently using MD5, how do you move over to SHA1?
NTP if compiled along with OPENSSL libraries, then NTP uses OPENSSL libraries for cryptographic operations.
Then you can use different types of message digest algorithms supported by OPENSSL. This is a link which explains configuring ntp key file.
The key file where the keys will be present should be added to the /etc/ntp.conf file.
The keys to be used for generating the digest will be present under
/etc/ntp/keys . This path should be added to /etc/ntp.conf file to specify that this is the keys file.
The structure of the entry in the file will be
This is an example of the keys file
You can mention the keytype as "SHA1" to use SHA1 authentication.
Further details about the length of the digest and keys can be found here:
https://www.eecis.udel.edu/~mills/ntp/html/authentic.html
You can have multiple keys one next to the other.
SO:
first add the new key everywhere
delete the old key once it's added everywhere.
Related
My web application is now running on multiple Unix containers (pods), so I had to add a centralized place to share the keys between all pods using AddDataProtection(),
I'm using PersistKeysToDbContext(), but this problem is even worse when saving to a file share,
Without ProtectKeysWithCertificate() the keys are unprotected - nobody wants that
<!-- Warning: the key below is in an unencrypted form. -->
If I use a certificate it gets encrypted just fine, but I prefer not to have to depend on another certificate,
services.AddDataProtection()
.SetApplicationName(dataProtectionSettings.ApplicationName)
.PersistKeysToDbContext<DataProtectionContext>()
.ProtectKeysWithCertificate(serviceCertificate)
.UnprotectKeysWithAnyCertificate(serviceCertificate);
I wonder why the key is not just AES encrypted using a password (why does it require certificate)
Is there an alternative? or, what would it take to override this process and implement AES encrypt/decrypt based on a password?
I am using gSOAP and it was compiled WITH_OPENSSL. I have found that there is only an API soap_ssl_server_context which takes as PEM file.
Is it possible to provide the private key to gSOAP layer without passing through the PEM files? i want to use HSM
Typically for key management, an HSM e.g. a Thales Payshield 9000, will provide a public key in DER binary format (which can be converted to PEM format using binary->base64 conversion).
However, it is not really intended to provide you with the Private key in DER or PEM format. The private key will be encrypted with the HSM LMK (Local Machine Key).
This means that only HSM can translate the encrypted value (often a pin verification key) to another encryption key. This really is the point of having an HSM e.g. PCI compliance for Visa or MasterCard. You are not meant to get the clear data in software.
If you need to decrypt the data yourself, perhaps just use a software solution like .net RSA or BouncyCastle.
I am trying to install Apache Lucene 5.3.0 (from source). The mirror sites provide lucene-5.3.0-src.tgz and lucene-5.3.0-src.tgz.asc (the signature file), however the latter is using RSA key ID 3FCFDB3E which is not contained in the KEYS file (which is also provided).
$ gpg --verify ./lucene-5.3.0-src.tgz.asc
gpg: assuming signed data in `./lucene-5.3.0-src.tgz'
gpg: Signature made 2015-08-17T13:35:34 CEST using RSA key ID 3FCFDB3E
gpg: Can't check signature: public key not found
The issue seems to be affecting multiple sites. What should the fingerprint be? Why is the key not included in the KEYS file?
It seems that the key of Paul Noble is what you're looking for, having fingerprint
CFCE 5FBB 920C 3C74 5CEE E084 C38F F5EC 3FCF DB3E
The key is rather new (a bunch of weeks old).
You cannot be really sure whether he's permitted to release for Apache Lucene, nor that the key actually belongs to him.
A short Google survey at least indicates several contributions to free software, and also the Linux kernel, but this should not be considered trustworthy without further analysis. There are also no incoming certifications that could be used to verify the key through the web of trust.
I'd recommend to get in touch with Apache, possibly on the Lucene mailing list, and query the developers how to verify the release based on what trust assumptions. And indicate there's something wrong which they should change (eg., include the key in the KEYS file).
the policies around where KEYS files are "published" for the lucene project is kind of confusing, compounded by the use of id.apache.org -> people.apache.org and it's automatic generation of a KEYS file for each project committee based on their current keys. some backstory here...
https://issues.apache.org/jira/browse/LUCENE-5143
The current policy is that each new Lucene/Solr release publishes a snapshot of all the current keys, so for 5.3.0 that would be here...
https://www.apache.org/dist/lucene/java/5.3.0/KEYS
...but the older "non version specific" keys files are still available - notably for verifying older versions of software in the archives that may predate the current policy.
You can always see the list of all "active" keys for a given apache project/user using http://people.apache.org/keys/
http://people.apache.org/keys/group/lucene.asc
Recently, I have to convert an java project related to rsa/des encryption into an iOS project. The provided rsa key strings are from x.509 and PKCS8, however, security.framework only support PKCS12. I've been searching for libraries a long time, but it seems that currently there are not any objective-c libraries that support PKCS8. (I don't want to use Chilkat for some reasons)
The origin version of the project was written in C# which uses an XML string to generate RSA public/private key pair. I guess that generate rsa key pair by myself might be a better solution. Thus, my question is, are there any methods to convert rsa xml data to standard pem key format? Or there are other existing libraries that supports PKCS8?
Hubert
If you can convert the keys at compile time, you can use OpenSSL to do so that it can convert between virtually any certificate / private key formats. Then you embed the certificates in the application bundle in PKCS12.
I am using dozens of different web services, and I keep a password file in a remote Linux machine. The file contains my usernames, passwords and answers for security question.
This server happens to be offline to often, and I'm looking for a way to keep the password file on my own computer, or on a service like DropBox. Obviously, I want to keep the file encrypted, but handy - I want to be able to print its contents using one shell (or cygwin) command, perhaps using a passphrase.
Any good ideas how to do it?
You can use GPG's symmetric option to encrypt files with pass-phrases.
gpg --symmetric filename
That will result in an encrypted file named filename.gpg. To redirect the output to STDOUT instead of a .gpg file:
gpg --symmetric -o - filename
You can later decrypt the file with:
gpg --decrypt filename.gpg
I use PasswordSafe encrypted files in exactly this configuration. GUIs are available for Windows/Mac/Unix/Java. cliPSafe gives it a command line interface.
THe original code was written by Bruce Schneier, well known in the security world, but I've never used cliPSafe.
As already noted GPG solves the problem. Using the gpg command directly for encrypting text files may be a bit cumbersome though, especially as you would often decrypt the file to a seperate file, add some text (passwords in this case) and the reencrypt it (which will possibly expose your unencrypted data).
Vim has a very good plugin called gnupg for trasparently handling encrypted files using GPG. Using this plugin the unencrypted data will never be written to disc and you can just treat it as any other file (except for the passphrase question popping up of course).