
ITR3 lecture 5: Free software, Cryptography, Linux

Thomas Krichel

2002-10-16

Structure

• Principles of cryptography
  – ssh
  – putty
• Playing around with Linux
• Free Software

Cryptography

Introduction

• A subject with a very colorful history.
• In the past, cryptography was mainly used by the military, diplomatic corps, diarists and lovers.
• For the military, the difficulty of encryption on the battlefield was the main problem.
• The original data, called “plaintext”, is transformed by a function parameterized by a “key” to get the “cyphertext”.
• The art of finding the way to get from the cyphertext to the plaintext is called cryptanalysis. We assume that the cryptanalyst knows the general method, but does not know the key.
• Cryptanalysts face one of three types of problems
  – cyphertext only
  – known plaintext
  – chosen plaintext

Traditional methods

• Substitution ciphers keep letters in the same position but replace each letter of the alphabet with another.
• Transposition ciphers keep each letter as it is but shuffle the letters around.
• We need some redundant data in the ciphertext in order to deter active intruders from generating bogus messages
• but more redundant data in the plaintext makes it easier for passive intruders.
• Main problem: keeping the key secret.
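The two traditional cipher families side by side, as an added example that is not part of the lecture: it shows what each one leaves intact for a cyphertext-only cryptanalyst (repeat pattern for substitution, letter counts for transposition). The plaintext, both keys and all function names are constructed for illustration.

```python
from collections import Counter
import string

def substitute(text: str, key: str) -> str:
    """Substitution: every letter stays in place, replaced via a 26-letter key."""
    return text.translate(str.maketrans(string.ascii_lowercase, key))

def _order(key: str):
    # Column read-out order: alphabetical order of the key letters.
    return sorted(range(len(key)), key=lambda i: key[i])

def transpose(text: str, key: str) -> str:
    """Columnar transposition: write rows under the key, read the columns
    out in alphabetical order of the key letters. Letters are unchanged."""
    cols = len(key)
    text += "x" * (-len(text) % cols)            # pad the last row
    return "".join(text[i::cols] for i in _order(key))

def untranspose(ct: str, key: str) -> str:
    cols, rows = len(key), len(ct) // len(key)
    grid = [""] * cols
    for n, i in enumerate(_order(key)):
        grid[i] = ct[n * rows:(n + 1) * rows]
    return "".join(grid[c][r] for r in range(rows) for c in range(cols))

def pattern(text: str):
    """Where letters repeat, independent of which letters they are."""
    seen = {}
    return [seen.setdefault(ch, len(seen)) for ch in text]

# Constructed sample input and keys.
PLAIN = "meetmeafterthelecturexxxx"               # already padded to 5 columns
SUB_KEY = string.ascii_lowercase[::-1]            # a -> z, b -> y, ...
TR_KEY = "linux"

def demo():
    s, t = substitute(PLAIN, SUB_KEY), transpose(PLAIN, TR_KEY)
    return {
        "substitution": s,
        "transposition": t,
        "sub_keeps_repeat_pattern": pattern(s) == pattern(PLAIN),
        "sub_keeps_letter_counts": Counter(s) == Counter(PLAIN),
        "tr_keeps_repeat_pattern": pattern(t) == pattern(PLAIN),
        "tr_keeps_letter_counts": Counter(t) == Counter(PLAIN),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```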

Diffie and Hellman (1978)

• Let P be the plaintext, C be the cyphertext. E() is the encryption key and D() is the decryption key.
• Then we have public key cryptography if
  – 1. D(E(P))=P
  – 2. E() can not be broken by chosen plaintext attack
  – 3. Knowing E() will give you no clue about D().
• E() can then be made public and is referred to as the public key, D() is the private key.
• It is possible to find key pairs that have these properties.

Authentication

• I want to securely login to a host machine.
• I send the host an encrypted message “hey, I am Thomas, my public key is blahblahblah.”
• The machine then knows how to send me messages that other people can not decode.
• But it can not be sure that it was me who sent the message. Lynn may have done that since my public key is public.
• It therefore encodes a random number, and challenges me to decode that number.
• This is a challenge-response system.

After challenge/response

• My software and the host will agree on a session key to use to encrypt all communication.

• Thus the communication is encoded using simple cryptography because that is less intensive.
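The public-key properties, the challenge-response login and the session key from the last three slides, as an added example that is not part of the lecture. It uses textbook RSA on tiny constructed primes and a toy SHA-256 keystream; the names login, keystream_xor and demo, and the choice that the host picks the session key, are assumptions of this sketch.

```python
import hashlib
import secrets

# Textbook RSA on tiny constructed primes: illustration only (no padding,
# trivially factorable). E() is public, D() is private, as on the slides.
P_, Q_ = 61, 53
N = P_ * Q_                                   # public modulus, 3233
E_EXP = 17                                    # public exponent
D_EXP = pow(E_EXP, -1, (P_ - 1) * (Q_ - 1))   # private exponent

def E(m: int) -> int:
    return pow(m, E_EXP, N)

def D(c: int) -> int:
    return pow(c, D_EXP, N)

def login(respond, nonce=None) -> bool:
    """Host side: encode a random number with the claimed user's public key
    and accept only if the peer sends back the decoded number."""
    if nonce is None:
        nonce = secrets.randbelow(N - 2) + 2
    challenge = E(nonce)              # only the holder of D() can undo this
    return respond(challenge) == nonce

def keystream_xor(session_key: int, data: bytes) -> bytes:
    """Cheap symmetric step used after login: XOR with a SHA-256 keystream
    derived from the shared session key (toy construction)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(f"{session_key}:{i // 32}".encode()).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def demo():
    thomas_ok = login(D)                          # real key owner
    lynn_ok = login(lambda c: c, nonce=1234)      # impostor replays challenge
    # Assumption: the host picks the session key and sends it under
    # Thomas's public key; only Thomas can recover it with D().
    session_key = secrets.randbelow(N - 2) + 2
    client_key = D(E(session_key))
    ct = keystream_xor(session_key, b"constructed command")
    return thomas_ok, lynn_ok, keystream_xor(client_key, ct)

if __name__ == "__main__":
    print(demo())
```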

If Lynn is really evil

• Then she operates a clone of the host I want to talk to, and redirects my communication to the clone, rather than to the host that I want to talk to.
• This is called a “man-in-the-middle” attack.
• Therefore hosts issue a key, too. I can compare the host key issued with a list of keys that I already know, and challenge any host.
• But on first connection, I do not know the host key, so I have to take it on trust.
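The host-key comparison described above, as an added example that is not from the lecture: a minimal list of known host keys that takes a key on trust at first connection only when told to, and flags any later change. The class KnownHosts, the host name and both key lines are constructed for illustration; the fingerprint format follows what OpenSSH prints.

```python
import base64
import hashlib

def fingerprint(pubkey_line: str) -> str:
    """Fingerprint of a '<type> <base64 blob> [comment]' public key line,
    in the SHA256:<base64, unpadded> form that OpenSSH prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class KnownHosts:
    """Hypothetical in-memory stand-in for a list of known host keys."""

    def __init__(self):
        self._keys = {}                      # host name -> fingerprint

    def check(self, host: str, offered: str, accept_new: bool = False) -> str:
        fp = fingerprint(offered)
        known = self._keys.get(host)
        if known is None:
            if not accept_new:               # first contact, nothing to compare
                return "unknown"
            self._keys[host] = fp            # taken on trust, as the slide says
            return "trusted-on-first-use"
        return "match" if known == fp else "MISMATCH"

# Constructed sample keys: the blobs are labels, not real key material.
REAL_HOST = "ssh-rsa " + base64.b64encode(b"constructed key of the real host").decode()
CLONE = "ssh-rsa " + base64.b64encode(b"constructed key of Lynn's clone").decode()

def demo():
    kh = KnownHosts()
    return [
        kh.check("host.example", REAL_HOST),                   # never seen
        kh.check("host.example", REAL_HOST, accept_new=True),  # user says yes
        kh.check("host.example", REAL_HOST),                   # later logins
        kh.check("host.example", CLONE),                       # redirected
        kh.check("host.example", CLONE, accept_new=True),      # still refused
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A stored key is never silently overwritten: once a host is known, a different key is reported as a mismatch even when new keys would otherwise be accepted.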

Ssh, an implementation

• The secure shell ssh is an implementation of public-key cryptography mainly on UNIX and Co systems.
• Version 1 and 2 exist.
• ssh-keygen -t rsa generates a public and a private key in .ssh/
• .ssh/authorized_keys is a list of keys that are allowed to login to the account without password

putty

• Is a free ssh client for Windows machines.
• Get it and install it.

Why is buying software different than buying a car?

Software anatomy

• Software can be distributed in two ways
  – Binary code
  – Source code
• Sometimes both are available

Binary code

• Looks like this

^?ELF^A^A^A^@^@^@^@^@^@^@^@^@^B^@^C^@^A^@^@^@p<9A>^4^@^@^@X=^G^@^@^@^@^@4^@@^F^@(^@^_^@^\^@^F^@^@^@4^@^@^@4<80>^4<80>^À^@^@^@À^@^@^@^E^@^@^@^D^@^@^@^C^@^@^@ô^@^@^@ô<80>^ô<80>^^S^@^@^@^S^@^@^@^D^@^@^@^A^@^@^@^A^@^@^@^@^@^@^@^@<80>^^@<80>^òÞ^B^@òÞ^B^@^E^@^@^@^@^P^@^@^A^@^@^@øÞ^B^@øn^øn^¨^K^@^@ìÈ^@^@^F^@^@^@^@^P^@^@^B^@^@^@$è^B^@$x^$x^Ð^@^@^@Ð^@^@^@^F^@^@^@^D

Binary code

• It will run on a computer with one operating system, but may not run on a computer with another.
• It can not be modified.
• It is difficult to find out what it does.

Source code

/* For now, don't try to include termcap.h. On some systems,
   configure finds a non-standard termcap.h that the main build
   won't find. */

#if defined HAVE_TERMCAP_H && 0
#include <termcap.h>
#else
extern void tputs P_ ((const char *, int, int (*)(int)));
extern int tgetent P_ ((char *, const char *));
extern int tgetflag P_ ((char *id));
extern int tgetnum P_ ((char *id));
#endif

Source code

• This is human (geek) readable code.

• May be understood by humans.

• Can be changed.

• Needs compiler software to translate it to binary code, for every type of machine where it needs to run.

Once upon a time

• Early 80s: an MIT lab gets a printer as a shared resource, but with faulty driver software that leads the printer to be jammed.
• Richard Stallman tries to get the source code to change the driver software, but can not get it.
• Decides to work for software freedom. Founds the Free Software Foundation (FSF).
• Resigns from the MIT AI lab to work on a free replacement of UNIX.
• Wrote important parts of the UNIX replacement

Stallman’s theory of 4 freedoms

• Free software is a matter of the users' freedom to run, copy, distribute, study, change and improve the software.
• It implies
  – The freedom to run the program, for any purpose (freedom 0).
  – The freedom to study how the program works, and adapt it to your needs (freedom 1).
  – The freedom to redistribute copies so you can help your neighbor (freedom 2).
  – The freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3).
• Access to the source code is a precondition for freedom 1 and 3. For that reason, some people refer to free software as open source software.

GNU public license

• GNU is not UNIX
• Its license is the most famous among a group of licenses for free software.
• License to implement the four freedoms.
• Key idea: The licensee is not allowed to impose restrictions on the code that (s)he has developed from the code that (s)he received.
• Such software is known as “copylefted” software.

Free speech and free beer

• “Public domain software”, not copyrighted, but modified copies may not be free.
• “Copy-lefted free software”, comes with the permission to use and modify, but prohibits adding further restrictions to the distribution.
• “Non-copylefted free software”, comes with the permission to use, modify and add restrictions of distribution.
• “Semi-free software” comes with permission for individuals to use, copy, distribute, and modify (including distribution of modified versions) for non-profit purposes.
• “Proprietary software”, is not free or semi-free.
• “Shareware”, comes with a permission to distribute but users have to pay a fee.
• “Freeware” has no agreed meaning.
• “Commercial software” is software written to make a profit from its use. There is such a thing as commercial free software.

Debian

• Is a distribution of free software that provides an operating system and application programs

• Named after Deborah and Ian Jackson

• Uses the Linux kernel, but could run with other kernels

• Uses mainly GNU software

• Therefore also called Debian GNU/Linux

Debian social contract

• Debian Will Remain 100% Free Software
• We Will Give Back to the Free Software Community
• We Won't Hide Problems
• Our Priorities are Our Users and Free Software
• Programs That Don't Meet Our Free-Software Standards
  – Are distributed as well

Debian free software license

• Free Redistribution
  – The license of a Debian component may not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
  – The license may not require a royalty or other fee for such sale.
• Source Code
  – The program must include source code, and must allow distribution in source code as well as compiled form.
• Derived Works
  – The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
• Integrity of The Author's Source Code
  – The license may restrict source-code from being distributed in modified form _only_ if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time.
  – The license must explicitly permit distribution of software built from modified source code.
  – The license may require derived works to carry a different name or version number from the original software.

Debian free software guidelines

• No Discrimination Against Persons or Groups
  – The license must not discriminate against any person or group of persons.
• No Discrimination Against Fields of Endeavor
  – The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
• Distribution of License
  – The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.
• License Must Not Be Specific to Debian
  – The rights attached to the program must not depend on the program's being part of a Debian system. If the program is extracted from Debian and used or distributed without Debian but otherwise within the terms of the program's license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the Debian system.
• License Must Not Contaminate Other Software
  – The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be free software.
• Example Licenses
  – The "GPL", "BSD", and "Artistic" licenses are examples of licenses that we consider "free".

Debian releases

Debian always has at least three releases in active maintenance: “stable”, “testing” and “unstable”.

• stable
  – The “stable” distribution contains the latest officially released distribution of Debian. This is the production release of Debian, the one which we primarily recommend using.
• testing
  – The “testing” distribution contains packages that haven't been accepted into a “stable” release yet, but they are in the queue for that. The main advantage of using this distribution is that it has more recent versions of software, and the main disadvantage is that it's not completely tested and has no official support from the Debian security team. See the Debian FAQ for more information on what is “testing” and how it becomes “stable”.
• unstable
  – The “unstable” distribution is where active development of Debian occurs. Generally, this distribution is run by developers and those who like to live on the edge.
• Each release has a name, usually from Toy Story, an animated motion picture.

http://openlib.org/home/krichel

Thank you for your attention!