Battery power bank, WiFi USB stick, and thumb drive

I then turn away to motor-less small storage, a 32 Gigs USB thumb drive so I can move on to other concern: on-the-fly encryption. Hence, I follow instructions to install True Crypt on Raspberry Pi. After unpacking of wxWidgets-2.8.12.tar.gz and TrueCrypt 7.1a Source.tar.gz in place, putting header files from pkcs-11-cryptoki2.20, and then install libfuse-dev, the following make will require long time:

$ export PKCS11_INC=/usr/local/src/truecrypt/pkcs/
 
$ make NOGUI=1 WX_ROOT=/usr/src/wxWidgets wxbuild
Configuring wxWidgets library...
Building wxWidgets library...
/usr/src/wxWidgets/src/common/string.cpp:84:39: warning: ‘wxEmptyString’ initialized and declared ‘extern’ [enabled by default]

$ make NOGUI=1 WX_ROOT=/usr/src/wxWidgets wxbuild
Compiling Buffer.cpp
Compiling Exception.cpp
Compiling Event.cpp
...
../Crypto/Aeskey.c:527:25: warning: operation on ‘ss[7]’ may be undefined [-Wsequence-point]
../Crypto/Aeskey.c:527:25: warning: operation on ‘ss[7]’ may be undefined [-Wsequence-point]
../Crypto/Aeskey.c:527:25: warning: operation on ‘ss[7]’ may be undefined [-Wsequence-point]
...
Converting Language.xml
Compiling Resources.cpp
Linking truecrypt

I created the TrueCrypt volume separately via its desktop GUI with ext3 file system to then mount it in Pi to a configured Samba share. As pointed out in a post, the following changes are added to smb.conf

...
wins support = yes
...
[pitruecrypt]
   comment= Pi Truecrypt Volume
   path=<the mount path of the USB thumb drive TrueCrypt volume>
   browseable=Yes
   writeable=Yes
   only guest=no
   create mask=0777
   directory mask=0777
   public=no

and then user-password are entered via interactive command.

For mobility, I already had the Pi as WiFi access point using hostapd (check these steps) and power bank, so it’s now matter of performance. In the case of rsync, initial sync of some 1,500 items totaling in 1 Gig size elapses in approximately the same 12 minutes of time compared to one bulk file of the same size. Of course, over the next incremental sync, it only takes less than a minute for the thousand items to just update slight differences.

Security

Back to security, there surely risk by opening Samba share to mounted TrueCrypt volume. But, for me it would be practically manageable (cross my finger). There is more concern to the fate of TrueCrypt after it is being closed in such a weird way, given that last audit finds nothing severe. Anyway, I found brute force tool, but no critical attack exists currently, unless e.g. it stays powered on and mounted, the person gain physical access. Beats me again.

Background:
I need to setup an HTTPS site with not just server certificate to secure it, but requiring also client side certificate. The site will only show the content to authorized users with the correct pair of server-client certificate. It will also expire after a certain date. The certificates are self-signed as they’re for closed environment usage.

This post covers two general processes: generating and signing.

How to generate SSL certificate using openssl is a straightforward process of:

1. generate its key
2. create certificate request with that key
3. generate certificate from request and key

Hence, in any type of the certificate I have a general <some-cert-key>.key, <some-cert-request>.csr, and <some-cert>.crt. When I mean “type”, they are CA (Certificate Authority), one/more server certificate, and one/more client certificate.

Generating Pairs of Key-Certificate with openSSL: CA, server, & client

In terms of signing the certificates, all of them are signed using the CA. Which files to be used in the server will become the subject of the next post.

openssl will run interactively. To go through all the recurring questions using prepared default answers, we need to create a config file first. I created caconfig.cnf (find it on the bottom of the post) and use -config caconfig.cnf option in some commands.

First, prepare set of directories to clearly separate what we’re working on (keys, requests, and resulting certificates in different places for server and user):

mkdir certs
mkdir private
mkdir server
mkdir server/certs
mkdir server/creqs
mkdir server/ckeys
mkdir user
mkdir user/certs
mkdir user/creqs
mkdir user/ckeys

Prepare “database” and index number to keep track of certificates issued:

echo 01 > serial
touch index.txt

Generate the CA: (again) generate key, create request (the interactive part), and create certificate:

openssl genrsa -out private/myCA.key 2048
openssl req -new -key private/myCA.key -out certs/myCA.csr -config caconfig.cnf 
openssl req -x509 -days 365 -in certs/myCA.csr -out certs/myCA.crt -key private/myCA.key

We can always check:

openssl x509 -in certs/myCA.crt -text

Now, generating for the server, I use the name lakmus as an example. First the key:

openssl genrsa -des3 -out server/ckeys/lakmus.key 2048

(Triple-DES cipher will ask for pass phrase of 4 characters minimum)

Enter pass phrase for server/ckeys/lakmus.key:
Verifying - Enter pass phrase for server/ckeys/lakmus.key:

Then, the request (which will ask for the above key pass phrase):

openssl req -new -key server/ckeys/lakmus.key -out server/creqs/lakmus.csr -config caconfig.cnf

Note that organizationName field needs to be the same with the CA certificate.

Then, signing it with the CA (and again check as text):

openssl ca -days 365 -in server/creqs/lakmus.csr -cert certs/myCA.crt -out server/certs/lakmus.crt -keyfile private/myCA.key -config caconfig.cnf
 
openssl x509 -in server/certs/lakmus.crt -text

During signing we’ll see something like (expiry date and validity periode)

Certificate is to be certified until <some date> (365 days)
Sign the certificate? [y/n]:

and index.txt is updated:

V	140123034822Z		01	unknown	/C=ID/ST=WEST JAVA/O=My Organization/CN=lakm.us
V	140123041441Z		02	unknown	/C=ID/ST=WEST JAVA/O=My Organization/CN=client

Finally, the same generate with own key and sign with CA except this time is for client:

openssl genrsa -des3 -out user/ckeys/client1.key 2048
openssl req -new -key user/ckeys/client1.key -out user/creqs/client1.csr -config caconfig.cnf
 
openssl ca -in user/creqs/client1.csr -cert certs/myCA.crt -keyfile private/myCA.key -out user/certs/client1.crt -config caconfig.cnf 
 
openssl x509 -in user/certs/client1.crt -text

For the client certificate to be usable when importing to browser, convert it to PKCS 12

openssl pkcs12 -export -clcerts -in user/certs/client1.crt -inkey user/ckeys/client1.key -out user/certs/client1.p12

It will ask for pass phrase and export password (that will be prompted when importing to browser)

Enter pass phrase for user/ckeys/client1.key:
Enter Export Password:
Verifying - Enter Export Password:

Troubleshooting

If the CA generation already worked smoothly, it is better to remove the key, request, and certificate files of subsequent signing process before repeating them when any error is found. Otherwise it will finally show error such as:

failed to update database
TXT_DB error number 2

Or something like

No certificate matches private key

when exporting to PKCS 12.

We can check the index.txt, index.old, serial, and serial.old to figure our situation by evaluating indexes of signed certificate.

CA Config

I used parts from Code Ghar post for my caconfig.cnf:

[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /home/arif/ssl
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/myCAcert.crt
private_key = $dir/private/myCA.key
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Organization
localityName_default = BOGOR
stateOrProvinceName_default = WEST JAVA
countryName_default = ID
emailAddress_default = fake@lakm.us
commonName_default = lakm.us

Snapshot of uploaded contact data from calendar (skycure.com)

There is not other way but to check my password against the combo_not.txt found via Filestube. People already posted howto check this, the easiest way is doing a single line in the shell:

$ printf bandito | openssl sha1 | cut -c10- | grep -f - combo_not.txt
00000d40df69b72328229d2425714f40d7d9a7a3

Bingo! a match there for the password “bandito” (I choose this randomly expecting some person out there is using it). Another way (for comparison as I’m no security expert) is by this short python script (slightly altered from Phobos Technology blog post):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

"""
Save this file as linkedin_hash.py and ensure it's
in the same folder as combo_not.txt
Usage: python linkedin_hash.py hunter2
"""
from hashlib import sha1
import sys
password = sys.argv[1]
hsh = sha1(password).hexdigest()
print "SHA-1: %s" % hsh
x = 0
for line in open('combo_not.txt','r'):
    if hsh == line.strip():
        x += 1
    elif "00000" + hsh[5:] == line.strip():
        x += 1
        print "Matching line: %s" % line
print "Number of matches: %d" % x

My verdict is: my password is on the list and I’m considering a leap of faith from devoted conspiracy believer.

PS: I don’t find that “password” or “123456″ as common passwords used by many people.
PPS: A side story: Indonesians are found to be using weakest passwords (as research over Yahoo ID revealed)