There is one hope against a complete loss of security if the root account is compromised: encryption. For some types of data files, encryption can be a fourth line of defense, providing protection against cracked root and other privileged accounts. Encryption involves a transforming of the original file the plain or clear text using mathematical functions or techniques. Encryption can protect data stored in the files under certain circumstances: Someone breaking into the system typically as the root and copying the data • Someone stealing the disk, or backup tapes or floppies, or the computer itself in an effort to get the data • Someone acquiring the files via a network • Encryption can protect data from being read by unauthorized people, but it cannot prevent their corruption. It cannot prevent an intruder from deleting the data. Most encryption algorithms use some sort of key as part of the transformation, and the same key is needed to decrypt the file later. The simplest kinds of encryption algorithms use external keys that function much like passwords; more sophisticated ones use part of the input data as a portion of the key. UNIX provides a simple encryption program crypt, using an old encryption scheme that is relatively easy to break; cryptimplements a one−rotor machine designed along the lines of the German Enigma, but with a 256−element rotor. Methods of attack on such machines are quite well known. Encryption and decryption are based on the implemented key as an argument that selects a particular transformation. The overall security is based primarily on the choice of the key and its vulnerability keep in mind, the implemented key is visible during the encryption procedure. The encryption could be made a little more secure by running the program multiple times on the same file. Many UNIX flavors offer the Data Encryption Standard DES encryption subsystem as an optional product. DES is generally regarded as very secure, although rumors flourish about supposed built−in weaknesses. DES encrypted files are believed to be breakable, but only at great CPU−time expense.

8.1.5 Backups

Backups provide the final line of defense against some kinds of security problems and system disasters. Stolen, deleted, and corrupted data can only be recovered from the backup. A good backup scheme will almost always enable you to restore the system to something near its state at any arbitrary point in time; a worst−case scenario would be to recreate the system on entirely new hardware. Backups provide protection against data loss and filesystem damage only in conjunction with frequent system monitoring designed to detect security problems quickly. Otherwise, a problem might not be discovered for some time. If this occurs, then backups will simply save the corrupted system state, making it necessary to go back weeks or even months to a known clean system state and restore by hand newer versions of files not affected by the corruption. In such a case, system recovery could be very hard work; nevertheless, system recovery is still possible. 191 Passwords play a crucial role in UNIX system protection; most UNIX systems are as secure as the implemented password policy. There are no compromises in the password policy; all available administrative tools are legal and recommended to enforce appropriate password implementation. This is an extremely sensitive administration issue, and a more detailed overview of password related issues follows.

8.2.1 Password Encryption

A password should never appear in its original form often known as a clear password; the system handles only the encrypted passwords. A written clear password is an immediate security risk because a potential intruder can use it at any time. Only the users themselves should know their clear passwords. Today, the usual method of remote login to the system through the network involves a transfer of a password during user authentication; this makes the system more vulnerable to attackers, because it is possible to sniff and catch the user password on the network. Obviously, networking has introduced one more level of security risk, and we must handle this problem appropriately. UNIX provides a decent generic password encryption that is compliant with the Data Encryption Standard DES; it is based on a one−way hashing encryption algorithm with multiple variations intended to increase security and frustrate any use of hardware implementations of a password search. Only the first eight characters of the clear password are used; the rest are ignored. Another input argument is a salt also known as a seed: a two−character string chosen from lower−case letters, capital letters, numbers, and dot and slash characters . and . The salt is used to perturb the hashing algorithm in one of 4096 different ways, after which the password is used as the key to repeatedly encrypt a selected constant string. The final output is a unique encrypted password with its first two characters equal to the input salt. The implemented one−way encryption algorithm makes decryption of the encrypted password impossible although the salt is known from the encrypted password. The only way to break an encrypted password is to try with many guessed original passwords and by implementing the known DES encrypting algorithm to search for a matching encrypted password. This is exactly how the system performs password authentication during the login process. UNIX provides the passwd command to generate an encrypted password based on the original supplied password and the time−related salt generated in that instant; the encrypted password is then saved in the password file originally etcpasswd ; today etc shadow. In that way, the system knows about the salt to be used in future password authentication, as well as the encrypted password that should be matched. From the security standpoint, any attempt to break a password without knowing the encrypted password is hopeless. However, by knowing the saved encrypted password the salt and the encrypted password itself, breaking the password becomes more promising, although it promises to be a difficult, time−consuming job, with no guarantee of success. This is why the UNIX password encryption was characterized as decent at the beginning of this section: it is breakable, but it is extremely difficult to do so. Obviously, the encrypted password should be hidden to increase system security and should be known only to the authentication subsystem. We will return to this issue later. 192 Passwords are used to prevent unauthorized people from accessing user accounts and the system in general. Even with the implemented password encryption algorithm, a password should be hard to guess. This means the first step of choosing a password is crucial from the system security standpoint. Generally, a password must be a nonobvious combination of letters and numbers, never directly related to the user. There are some rules that should be respected in choosing an appropriate password. We will start with the items that should be avoided as passwords: Any part of the users name, or the name of any member of the users extended family even a grandmothers maiden name is much easier to find out than you might think • Numbers that are significant to you, or to a person significant to you: SSN, car license, phone number, birthdates, etc. • The name of something important to you, like your favorite food, recording artist, movie, TV character, place, etc.; the same goes for people, places, and things you hate • Any names, numbers, people, places, or other items associated with your company or institution or its products • English words spelled correctly, especially if they appear in online dictionaries; the spell command can be used to check if a word appears in the UNIX online dictionary • The names of famous people, places, things, fictional characters, movies, TV shows, songs, slogans, and the like • Published password examples • Avoiding the listed items makes it harder for someone to figure out a users password and break into the user account using a brute force trial and error method. Also, be aware that there are a number of commercial and homemade programs to break passwords. Once the encrypted password is known, the original password will be very quickly broken. Simple modifications of any of these bad passwords, created by adding a single additional character, spelling it backward, or permuting letters, are still bad passwords and should be avoided. It does not take a password−guessing program very long to try all combinations of adding one character, reversing, and permuting. Passwords that use two or more of the following modifications to ordinary words are usually good choices: Embedding one or more extra characters, especially symbol and control characters • Misspelling it • Concatenating two or more words or parts of words • Interleaving two or more words • Modern UNIX flavors require passwords chosen by users to conform to certain rules, usually including being at least six characters long, including at least two alpha characters and one numeric or special character, and having at least three characters different from the previous password when a password is changed. The superuser generally is not required to adhere to these rules. Some general recommendations about passwords and system security are: The root password should be changed regularly. • Users should be encouraged to keep their password secret and to choose passwords that are hard to guess. • There should be no unprotected accounts on the system. This includes accounts without • 193 •

8.2.3 Setting Password Restrictions