Wednesday, 26 December 2012

Implementing your own CA server on a IOS Router

Why is this useful ?

  • It can help you practice PKI in a lab environment . Ex : VPNs (Ipsec or SSL)
  • You can use it on a small Intranet to secure your network

Studying for the CCNA Security Certification there are labs for VPNs that a CA server was required
for authentication with rsa digital certificates. When you want to practice at home you will need a CA Server to practice your skills.
To do that you can use various ways , in a lab the best way is to use an IOS router for the CA Server role .

What do you need :

  • GNS 3
  • IOS Image
  • a brain

Lets put all the pieces together

You will need to create 1 router : You can name it CA or anything you like.

First we need to configure the CA Router to actually act as a CA Server:

! Make sure you configure the time before proceeding if not the CA
! server will not work. On a production environment NTP is prefered.
CA#clock set 20:09:9 26 DEC 2012

CA#configure terminal
 ! Enable http server
CA(config)#ip http server
 ! Setup the PKI service , the MY-CA it is a name
CA(config)#crypto pki server MY-CA
! set your lifetime values for the CA and the certificate it self
! the value for your lifetime is in days . 
CA(cs-server)#lifetime ca-certificate 600
CA(cs-server)#lifetime certificate 600
! Available options include :
! CN=Common Name,L=Location,C=Country
CA(cs-server)#issuer-name CN=LOCAL C=LAB
! the command above may be different depending on the IOS used
! specify where the database will be located
CA(cs-server)#database url pem flash:/MY-CA
! enable automatic certificate enrollment 
CA(cs-server)#grant auto
! Activate the PKI Server
CA(cs-server)#no shutdown
% Please enter a passphrase to protect the private key
% or type Return to exit
Re-enter password:
CA#copy run start

 Now you have a CA Server to use for your labs !

Here is an example how to use your New CA services on a router :

R1#clock set 20:09:9 26 DEC 2012
R1#configure terminal
R1(config)#ip domain-name
R1(config)#crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#crypto ca trustpoint MY-CA
R1(ca-trustpoint)#subject-name CN=LOCAL C=LAB
R1(ca-trustpoint)#enrollment url
R1(config)#crypto ca authenticate MY-CA
Certificate has the following attributes:
Fingerprint MD5: 57B7D70D 1092F7F2 B690B0D8 B03DC946
Fingerprint SHA1: 41CA2E7C D5B8112F 39287279 EDC06E73 FB0C010B

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#crypto ca enroll MY-CA
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Re-enter password:

% The subject name in the certificate will include: CN=LOCAL C=LAB
% The subject name in the certificate will include:
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate MY-CA verbose' commandwill show the fingerprint.

Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint MD5: 6BA37CCE 404F5058 CB41348C 2201AF76
Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint SHA1: B71A47B3 865E327C 8835EE1A 4FEED9E2 AA61EB17

If you wish to know more visit this link

Sunday, 9 December 2012

Password management

Nowadays we use many kind of accounts for many uses : e-mail , social networks, Paypal, e-commerce... and for other uses as well.
Many people use simple and predictable passwords(ex: birthdays) for their accounts and on top of that it is common to use similar (if not the same password) for their accounts.

While it is convenient to have short easy to remember passwords, it is really a bad choice to secure your accounts.

Why is it a problem ?

Here are some common uses for e-mail accounts that have been compromised :

  • the attacker can use your e-mail account to send spam messages with malicious intent
  • using the account to perform social engineering attacks.
  • to glean information using the e-mails you get or send, using it for other attacks in the future.
So , why do we use weak passwords ?

First , with many accounts we have many usernames and passwords. People have trouble to memorize many long complex passwords, so they use passwords that are easy to remember and type.

How to create a password ?

Step 1:

A password should :

  • have more than 8 characters in length
  • not be a word found in a dictionary
  • have special characters
  • have Capital letters
  • have Lower case letters
  • have numbers
  • Change every 3 months at least
A password that do not have the attributes above is weak.

                                       Step 2:
To create passwords long enough yet memorable you can use a phrase or a song.

You replace some letters with special symbols, numbers , other letters etc...

 ex 1: Sun sea and sand --> 5uN_S3@_@nD_S@nd
 ex 2: Sun sea and sand --> $_n*$34*4Nd_$4nd

 create something that you can remember with ease.


Now we can create complex P@SsW0rDz there is another problem: where to store them ? 

Never do the following : write down the passwords in a file stored in the computer(usually in .txt,doc,xls files in an easy accessible location : on desktop or in my documents), in a text book on the desk or even on sticky notes pasted on the screen !!!

Here is where we can use a password manager , like keepass .
Why ?
  • The passwords are stored in an encrypted database
  • You only need to remember one password
  • You can manage easily your passwords
  • With the auto type feature you wont need to type usernames and passwords.
Some may argue and say : we can store our passwords in the browser as well right ?

NO don’t do that , there are tools that can recover your credentials from the browser and plus you won’t have mobility : with keepass you can install it in a usb stick with a copy of your password database to securely access your accounts.

There is no such thing as 100% security , but with right password management you made one step more to secure your privacy.

Note: I do not own the images used in this post !!!!