Linux Open Source Encryption - 15 Sept 2000

1.1. Summary

This report provides an introduction to open source encryption software available on Linux. It identifies the software packages and their potential uses.

1.2. Introduction

System security consists of many components: physical security, file ownership and permissions, accounts and passwords, software and services, firewalls and intrusion detection systems, secure communications and encryption, and human factors. Among these components are those necessary for remote access and communication over unsecured channels, primarily the internet. These require encryption for security.

1.3. Analysis

Encryption has many dimensions including technical algorithms, encryption functions, patent and licensure, and legal conveyance between political jurisdictions. All of these must be considered in their adoption.

Numerous algorithms exist. With the expiration of the RSA public key patent in September 2000, only the IDEA algorithm is patented in Europe and RC4 may be in the US. There is an abundance of algorithms available without commercial restriction. These algorithms have been implemented in a variety of products having a range of different objectives from personal to corporate, from file to channel, and from prearranged to on demand. Legal restrictions are much more prevalent. All software considered here was developed abroad and carries no restriction on import, but would likely face export licensure.

1.4. Results

The major open source encryption and secure communication packages for Linux are:
Gnu Privacy Guard, gnupg-1.0.2-1, from www.gnupg.org, supporting openpgp, RFC 2440, for file and email encryption with a GPL license.
Openssl, openssl-0.9.5a-1, from www.openssl.org, secure socket and transport layer encryption libraries and utilities, developed by OpenBSD.
Modssl, from www.modssl.org, or apache-ssl from www.apache-ssl.org, secure socket and transport layer module for Apache as well as openssh with a bsd license.
Openssh, including openssh-2.1.1p4-1, openssh-askpass-gnome-2.1.1p4-1, openssh-clients-2.1.1p4-1, openssh-server-2.1.1.p4-1, from www.openssh.com, for secure shell communication channels including ftp, telnet, and x windows using openssl, developed by OpenBSD.
Freeswan, LATEST.tar.gz 1.5, from www.freeswan.org, for free secure wide area networks using ipsec, independent of application and transport protocol, GPL.

The Canadian mirror, ftp://crypto.yashy.com/pub/cryptography/, has copies of most of these and other cryptographic software. Freeswan is available from ftp://ftp.xs4all.nl/pub/crypto/freeswan/. The software is all open source under free BSD or GPL licenses, with patented algorithms supported in separate libraries. Numerous free algorithms exist; only the IDEA algorithm is patented in some countries.

All development occurred abroad and as a result is freely importable, although export would likely need a license from the Commerce Department's Bureau of Export Administration (BXA). It should be exportable to non-embargoed countries, but would require at least an announcement. A quite comprehensive review of policies is the International Law Crypto Survey. Some countries limit import of encryption and even information concerning it, leading to considerable difficulties.

Gnu Privacy Guard has been proposed for encryption of internet backups on the server appliance. Files and email may be signed and/or encrypted and the result transmitted over unsecured channels. It supports public key encryption and has a command line interface for key generation and management and encryption and decryption. It is best suited to interpersonal communications, as the encryption exists between the users of it and the encryption stays with the object encrypted. It is less suited to its intended use of email as it would exist on the server rather than on the originating workstations.

Openssl supports general encryption functions, keys, and certificates. Patented algorithms, only IDEA and possibly RC4, are available for separate inclusion, but there are many free algorithms available.

Modssl and apache-ssl use openssl to provide https, port 443, for secure sockets and transport to Apache. It permits security control by site or area. This would be necessary for any secure e-commerce solution.

Openssh uses openssl to provide secure communications channels for sessions over unsecured networks. This is most commonly used for secured remote login, for administration or other purposes. It commonly uses port 22 for connections.

Freeswan implements security at the network level. It supports secure ip, IPSEC, and internet key exchange, IKE, in the current Internet1/Ipv4, and will be required in Internet2/Ipv6. Key exchange can be accomplished through secure dns. It can encrypt all traffic on all ports between systems. This is most useful in providing virtual private network, VPN, services between systems, as the encryption exists between systems and is transparent to applications. Some modes are encrypted point to point and would not survive network address translation, so would have to be implemented gateway to gateway if used.

Configuration of these packages is largely application and site specific. Generally keys and certificates are created and signed using a selected algorithm and key length and distributed through some broadly known public certificate authority or other secure method. Files are encrypted and decrypted in GnuPG with a secret passphrase, while necessary ports must be open in the firewall for secure communication channels. Secure ip is more intrusive as it is generally built into the kernel.
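
The key and certificate workflow described above, as an added example that is not part of the original report: a throwaway certificate authority signs a server certificate with the openssl command line, and the result is checked before distribution. The names "Example Test CA" and server.example.test, the 2048-bit RSA key length, and the file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: create a test CA, sign a server certificate, verify the result.
# Subject names and file names are constructed for illustration only.
umask 077   # private keys are written unencrypted (-nodes); keep them owner-only

make_ca() {            # $1 = work dir, $2 = RSA key length in bits
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_server_cert() {   # $1 = work dir, $2 = key length, $3 = common name
    # The server creates its own key and a signing request ...
    openssl req -new -newkey "rsa:$2" -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    # ... and the CA signs the request; the server key never leaves the server.
    openssl x509 -req -in "$1/srv.csr" -sha256 -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/srv.crt" 2>/dev/null
}

verify_cert() {        # $1 = trusted CA cert, $2 = cert to check; status 0 = chain OK
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {   # $1 = private key, $2 = cert; status 0 = same public key
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo run in a temporary directory that is removed afterwards.
work=$(mktemp -d)
if make_ca "$work" 2048 &&
   make_server_cert "$work" 2048 server.example.test &&
   verify_cert "$work/ca.crt" "$work/srv.crt" &&
   key_matches_cert "$work/srv.key" "$work/srv.crt"
then
    echo "server certificate chains to the CA and matches its key"
else
    echo "certificate check failed" >&2
fi
rm -rf "$work"
```

Only ca.crt needs to be distributed to clients; ca.key and srv.key stay on the systems that generated them.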

1.5. Conclusions

An abundance of encryption software is available for Linux, serving a range of objectives. Providing and maintaining secure systems can certainly be a valuable added service. At minimum, users should be made aware of the dangers of unencrypted communications and their options. An ability to work with standard installable packages downloadable from international sites would be advantageous to support worldwide users without direct intervention.
