DOCSLIB.ORG

How the Great Firewall of China Is Blocking Tor

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

How the Great Firewall of China is Blocking Tor Philipp Winter and Stefan Lindskog Karlstad University fphilwint, stefl[email protected] Abstract Tor blocking infrastructure is designed and (3) we dis- cuss and propose circumvention techniques. Internet censorship in China is not just limited to the We also point out that censorship is a fast moving tar- web: the Great Firewall of China prevents thousands get. Our results are only valid at the time of writing1 and of potential Tor users from accessing the network. In might—and probably will—be subject to change. Nev- this paper, we investigate how the blocking mechanism ertheless, we believe that a detailed understanding of the is implemented, we conjecture how China’s Tor block- GFC’s current capabilities, a “censorship snapshot”, is ing infrastructure is designed and we propose circumven- important for future circumvention work. tion techniques. Our work bolsters the understanding of China’s censorship capabilities and thus paves the way towards more effective circumvention techniques. 2 Related Work In [28], Wilde revealed first crucial insights about the 1 Introduction block of Tor traffic. Over a period of one week in Decem- ber 2011, Wilde analysed how unpublished Tor bridges On October 4, 2011 a user reported to the Tor bug tracker are getting scanned and, as a result, blocked by the GFC. that unpublished bridges stop working after only a few Wilde’s results showed that when a Tor user in China minutes when used from within China [17]. Bridges are establishes a connection to a bridge or relay, deep packet unpublished Tor relays and their very purpose is to help inspection (DPI) boxes identify the Tor protocol. Shortly censored users to access the Tor network if the “main after a Tor connection is detected, active scanning is ini- entrance” is blocked [4]. The bug report indicated that tiated. The scanning is done by seemingly random Chi- the Great Firewall of China (GFC) has been enhanced nese IP addresses. The scanners connect to the respec- with the potentiality of dynamically blocking Tor. tive bridge and try to establish a Tor connection. If it This censorship attempt is by no means China’s first succeeds, the bridge is blocked. attempt to block Tor. In the past, there have been efforts Wilde was able to narrow down the suspected cause to block the website [27], the public Tor network [24, 22] for active scanning to the cipher list sent by the Tor client and parts of the bridges [18]. According to a report [27], inside the TLS client hello2. This cipher list appears to these blocks were realised by simple IP blacklisting and be unique and only used by Tor although for a long time HTTP header filtering. All these blocking attempts had it was identical to the cipher list advertised by Firefox in common that they were straightforward and inflexible. 3. That gives the GFC the opportunity to easily identify In contrast to the above mentioned censorship at- Tor connections. Furthermore, Wilde noticed that active tempts, the currently observable block appears to be scanning is started at the beginning of multiples of 15 much more flexible and sophisticated. The GFC blocks minutes. An analysis of the Tor debug logs yielded that bridges dynamically without simply enumerating their IP Chinese scanners initiate a TLS connection, conduct a addresses and blacklisting them (cf. [7]). renegotiation and start building a Tor circuit, once the In this paper, we try to deepen the understanding of TLS connection was set up. After the scan succeeded, the the infrastructure used by the GFC to block the Tor 1 anonymity network. Our contributions are threefold: (1) The data was mostly gathered in March 2012 and the paper written in April 2012. we reveal how users within China are hindered from ac- 2The TLS client hello is sent by the client after a TCP connection cessing the Tor network, (2) we conjecture how China’s has been established. Details can be found in the Tor design paper [5]. 1 IP address together with the associated port (we hereafter proxies and a VPS. We compiled a list of public Chi- refer to this as “IP:port tuple”) of the freshly scanned nese SOCKS proxies by searching Google. We were bridge is blocked resulting in users in China not being able to find a total of 32 SOCKS proxies which were dis- able to use the bridge anymore. tributed amongst 12 distinct autonomous systems. We With respect to Wilde’s contribution, we (1) revisit connected to these SOCKS proxies from computers out- certain experiments in greater detail and with signif- side of China and used them to rerun certain experiments icantly more data, we (2) rectify observations which on a smaller scale to rule out phenomena limited to our changed since Wilde’s analysis, and we (3) answer yet VPS. open questions. Our second vantage point and primary experimental machine is a VPS we rented. The VPS ran Linux and resided in the autonomous system number (ASN) 4808. 3 Experimental Setup We had full root access to the VPS which made it pos- sible for us to sniff traffic and conduct experiments be- During the process of preparing and running our experi- low the application layer. Most of our experiments were ments we took special care to not violate any ethical stan- conducted from our VPS, whereas the SOCKS proxies’ dards and laws. In addition, all our experiments were primary use was to verify the results. in accordance with the terms of service of our service providers. In order to ensure reproducibility and en- courage further research, we publish our gathered data 3.2 Shortcomings and developed code3. The data includes Chinese IP ad- Active analysis of a censorship system can easily attract dresses which were found to conduct active scanning the censor’s attention if no special care is taken to “stay of our bridge. We carefully configured our Tor bridges under the radar”. Due to the fact that China is a sophis- to remain unpublished and we always picked randomly ticated censor with the potential power to actively fal- chosen high ports to listen to so that we can be sure that sify measurement results, we have to point out potential the data is free from legitimate Tor users. shortcomings in our experimental setup. We have no reliable information about the owners of 3.1 Vantage Points our public SOCKS proxies. Whois lookups did not yield anything suspicious but the information in the records In order to ensure a high degree of confidence in our re- can be spoofed. It might even be possible that the sults, we used different vantage points. We had a relay SOCKS proxies are operated by Chinese authorities. in Russia, bridges in Singapore and Sweden and clients Second, our VPS was located in a data center where Tor in China. There is, however, no technical reason why we connections typically do not originate. We also had no chose Russia, Singapore and Sweden. information about whether our service provider conducts Bridge in Singapore: A large part of our experiments Internet filtering and the type or extent thereof. was conducted with our Tor bridge located in Singapore. The bridge was running inside the Amazon EC2 cloud [1, 23]. The OpenNet Initiative reports Singapore as a 4 Analysis country conducting minimal Internet filtering involving only pornography [9]. Hence, we assume that our ex- 4.1 How Are Bridges and Relays Blocked? perimental results were not interfered with by Internet filtering in Singapore. The first step in bootstrapping a Tor connection requires Bridge in Sweden: To reproduce certain experiments, connecting to the directory authorities to download the we set up Tor bridges located at our institution in Swe- consensus which contains all public relays. We noticed den. Internet filtering for these bridges was limited to that seven of all eight directory authorities are blocked well-known malware ports, so we can rule out filtering on the IP layer. These machines responded neither to mechanisms interfering with our results. TCP, nor to ICMP packets. One authority turned out to Relay in Russia: A public Tor relay located in a Rus- be reachable and it was possible for us to download the sian data center was used to investigate the type of block, consensus. We have no explanation why this particular public Tor relays are undergoing. The relay served as a machine was unblocked. middle relay, meaning that it is not picked as the first hop After the consensus has been downloaded, clients can in a Tor circuit and it does not see the exit traffic of users. start creating a circuit. Using our Russian relay, we Clients in China: To avoid biased results, we used found out that when a client in China connects to a re- two types of vantage points inside China: open SOCKS lay, the GFC lets the TCP SYN pass through but drops the SYN/ACK sent by the bridge to the client. The 3http://www.cs.kau.se/philwint/static/gfc/ same happens when a client tries to connect to a blocked 2 bridge. However, clients are still able to connect to dif- 4.4 Where Does the Fingerprinting Hap- ferent TCP ports as well as ping the bridge. We believe pen? that the reason for the GFC blocking relays and bridges by IP:port tuples rather than by IPs is to minimise collat- We want to gain a better understanding of where the Chi- eral damage. nese DPI boxes are looking for the Tor fingerprint. In detail, we tried to investigate whether the DPI boxes also analyse domestic and ingress traffic.
Recommended publications
  • Technical Report (Open)SSH Secure Use Recommendations

    Technical Report (Open)SSH Secure Use Recommendations

    DAT-NT-007-EN/ANSSI/SDE PREMIERMINISTRE Secrétariat général Paris, August 17, 2015 de la défense et de la sécurité nationale No DAT-NT-007-EN/ANSSI/SDE/NP Agence nationale de la sécurité Number of pages des systèmes d’information (including this page): 21 Technical report (Open)SSH secure use recommendations Targeted audience Developers Administrators X IT security managers X IT managers Users Document Information Disclaimer This document, written by the ANSSI, presents the “(Open)SSH secure use recom- mendations”. It is freely available at www.ssi.gouv.fr/nt-ssh. It is an original creation from the ANSSI and it is placed under the “Open Licence” published by the Etalab mission (www.etalab.gouv.fr). Consequently, its diffusion is unlimited and unrestricted. This document is a courtesy translation of the initial French document “Recommanda- tions pour un usage sécurisé d’(Open)SSH”, available at www.ssi.gouv.fr/nt-ssh. In case of conflicts between these two documents, the latter is considered as the only reference. These recommendations are provided as is and are related to threats known at the publication time. Considering the information systems diversity, the ANSSI cannot guarantee direct application of these recommendations on targeted information systems. Applying the following recommendations shall be, at first, validated by IT administrators and/or IT security managers. Document contributors Contributors Written by Approved by Date Cisco1, DAT DAT SDE August 17, 2015 Document changelog Version Date Changelog based on 1.3 – french August 17, 2015 Translation Contact information Contact Address Email Phone 51 bd de La Bureau Communication Tour-Maubourg [email protected] 01 71 75 84 04 de l’ANSSI 75700 Paris Cedex 07 SP 1.
  • Openssh Client Cryptographic Module Versions 1.0, 1.1 and 1.2

    Openssh Client Cryptographic Module Versions 1.0, 1.1 and 1.2

    OpenSSH Client Cryptographic Module versions 1.0, 1.1 and 1.2 FIPS 140-2 Non-Proprietary Security Policy Version 3.0 Last update: 2021-01-13 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com © 2021 Canonical Ltd. / atsec information security This document can be reproduced and distributed only whole and intact, including this copyright notice. OpenSSH Client Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Table of Contents 1. Cryptographic Module Specification ....................................................................................................... 5 1.1. Module Overview .................................................................................................................................... 5 1.2. Modes of Operation ................................................................................................................................ 9 2. Cryptographic Module Ports and Interfaces ......................................................................................... 10 3. Roles, Services and Authentication ...................................................................................................... 11 3.1. Roles ...................................................................................................................................................... 11 3.2. Services .................................................................................................................................................
  • Iclab: a Global, Longitudinal Internet Censorship Measurement Platform

    Iclab: a Global, Longitudinal Internet Censorship Measurement Platform

    ICLab: A Global, Longitudinal Internet Censorship Measurement Platform Arian Akhavan Niaki∗y Shinyoung Cho∗yz Zachary Weinberg∗x Nguyen Phong Hoangz Abbas Razaghpanahz Nicolas Christinx Phillipa Gilly yUniversity of Massachusetts, Amherst zStony Brook University xCarnegie Mellon University {arian, shicho, phillipa}@cs.umass.edu {shicho, nghoang, arazaghpanah}@cs.stonybrook.edu {zackw, nicolasc}@cmu.edu Abstract—Researchers have studied Internet censorship for remains elusive. We highlight three key challenges that must nearly as long as attempts to censor contents have taken place. be addressed to make progress in this space: Most studies have however been limited to a short period of time and/or a few countries; the few exceptions have traded off detail Challenge 1: Access to Vantage Points. With few ex- for breadth of coverage. Collecting enough data for a compre- ceptions,1 measuring Internet censorship requires access to hensive, global, longitudinal perspective remains challenging. “vantage point” hosts within the region of interest. In this work, we present ICLab, an Internet measurement The simplest way to obtain vantage points is to recruit platform specialized for censorship research. It achieves a new balance between breadth of coverage and detail of measurements, volunteers [37], [43], [73], [80]. Volunteers can run software by using commercial VPNs as vantage points distributed around that performs arbitrary network measurements from each the world. ICLab has been operated continuously since late vantage point, but recruiting more than a few volunteers per 2016. It can currently detect DNS manipulation and TCP packet country and retaining them for long periods is difficult. Further, injection, and overt “block pages” however they are delivered.
  • Openssh-Ldap-Pubkey Documentation Release 0.3.0

    Openssh-Ldap-Pubkey Documentation Release 0.3.0

    openssh-ldap-pubkey Documentation Release 0.3.0 Kouhei Maeda May 18, 2020 Contents 1 openssh-ldap-pubkey 3 1.1 Status...................................................3 1.2 Requirements...............................................3 1.3 See also..................................................3 2 How to setup LDAP server for openssh-lpk5 2.1 Precondition...............................................5 2.2 Requirements...............................................5 2.3 Install...................................................5 3 How to setup OpenSSH server9 3.1 Precondition...............................................9 3.2 Requirements...............................................9 3.3 Install with nslcd (recommend).....................................9 3.4 Install without nslcd........................................... 11 4 History 13 4.1 0.3.0 (2020-05-18)............................................ 13 4.2 0.2.0 (2018-09-30)............................................ 13 4.3 0.1.3 (2018-08-18)............................................ 13 4.4 0.1.2 (2017-11-25)............................................ 13 4.5 0.1.1 (2015-10-16)............................................ 14 4.6 0.1.0 (2015-10-16)............................................ 14 5 Contributors 15 6 Indices and tables 17 i ii openssh-ldap-pubkey Documentation, Release 0.3.0 Contents: Contents 1 openssh-ldap-pubkey Documentation, Release 0.3.0 2 Contents CHAPTER 1 openssh-ldap-pubkey 1.1 Status 1.2 Requirements 1.2.1 LDAP server • Add openssh-lpk schema. • Add an objectClass ldapPublicKey to user entry. • Add one or more sshPublicKey attribute to user entry. 1.2.2 OpenSSH server • OpenSSH over 6.2. • Installing this utility. • Setup AuthorozedKeysCommand and AuthorizedKeysCommandUser in sshd_config. 1.3 See also • OpenSSH 6.2 release 3 openssh-ldap-pubkey Documentation, Release 0.3.0 • openssh-lpk 4 Chapter 1. openssh-ldap-pubkey CHAPTER 2 How to setup LDAP server for openssh-lpk 2.1 Precondition This article restricts OpenLDAP with slapd_config on Debian systems only.
  • An Analysis of Contributions to Wikipedia from Tor

    An Analysis of Contributions to Wikipedia from Tor

    Are anonymity-seekers just like everybody else? An analysis of contributions to Wikipedia from Tor Chau Tran Kaylea Champion Andrea Forte Department of Computer Science & Engineering Department of Communication College of Computing & Informatics New York University University of Washington Drexel University New York, USA Seatle, USA Philadelphia, USA [email protected] [email protected] [email protected] Benjamin Mako Hill Rachel Greenstadt Department of Communication Department of Computer Science & Engineering University of Washington New York University Seatle, USA New York, USA [email protected] [email protected] Abstract—User-generated content sites routinely block contri- butions from users of privacy-enhancing proxies like Tor because of a perception that proxies are a source of vandalism, spam, and abuse. Although these blocks might be effective, collateral damage in the form of unrealized valuable contributions from anonymity seekers is invisible. One of the largest and most important user-generated content sites, Wikipedia, has attempted to block contributions from Tor users since as early as 2005. We demonstrate that these blocks have been imperfect and that thousands of attempts to edit on Wikipedia through Tor have been successful. We draw upon several data sources and analytical techniques to measure and describe the history of Tor editing on Wikipedia over time and to compare contributions from Tor users to those from other groups of Wikipedia users. Fig. 1. Screenshot of the page a user is shown when they attempt to edit the Our analysis suggests that although Tor users who slip through Wikipedia article on “Privacy” while using Tor. Wikipedia’s ban contribute content that is more likely to be reverted and to revert others, their contributions are otherwise similar in quality to those from other unregistered participants and to the initial contributions of registered users.
  • End of News:Internet Censorship in Turkey

    End of News:Internet Censorship in Turkey

    https://www.freewebturkey.com/end-of-news End of news: Internet censorship in Turkey This report was published as part of the Free Web Turkey project carried out by the Media and Law Studies Association between November 2019 and October 2020. http://www.freewebturkey.com | http://www.mlsaturkey.com About MLSA and Free Web Turkey The Media and Law Studies Association (MLSA) was founded in 2017 and its main field of activity is of- fering legal protection to journalists and people tried in freedom of expression cases. As the MLSA, we aim to provide guidance to websites, media organizations and all content producers facing censorship in digital media on methods of coping with censorship, offering them legal consultancy, tools to avoid censorship and a set of internet services that would ease their efforts within the scope of the Free Web Turkey project, which we have been conducting in the field of internet freedom for a year. Besides, we bring together groups working in the field of digital freedoms and freedom of expression to organize panels, roundtable discussions, publish articles, and conduct training programs for content producers to raise awareness against censorship. Another goal of our project is to organize the network of communication and solidarity between institutions, which is one of the most essential components in combating digital censorship. To this end, we try to keep an up-to- date list of blocked URLs and create a database so that we can run a joint and more powerful campaign against censorship. While doing all these, we aim to protect the freedom of expression in the law, the Constitution and international conventions, and to exercise this right effectively.
  • Scripting the Openssh, SFTP, and SCP Utilities on I Scott Klement

    Scripting the Openssh, SFTP, and SCP Utilities on I Scott Klement

    Scripting the OpenSSH, SFTP, and SCP Utilities on i Presented by Scott Klement http://www.scottklement.com © 2010-2015, Scott Klement Why do programmers get Halloween and Christmas mixed-up? 31 OCT = 25 DEC Objectives Of This Session • Setting up OpenSSH on i • The OpenSSH tools: SSH, SFTP and SCP • How do you use them? • How do you automate them so they can be run from native programs (CL programs) 2 What is SSH SSH is short for "Secure Shell." Created by: • Tatu Ylönen (SSH Communications Corp) • Björn Grönvall (OSSH – short lived) • OpenBSD team (led by Theo de Raadt) The term "SSH" can refer to a secured network protocol. It also can refer to the tools that run over that protocol. • Secure replacement for "telnet" • Secure replacement for "rcp" (copying files over a network) • Secure replacement for "ftp" • Secure replacement for "rexec" (RUNRMTCMD) 3 What is OpenSSH OpenSSH is an open source (free) implementation of SSH. • Developed by the OpenBSD team • but it's available for all major OSes • Included with many operating systems • BSD, Linux, AIX, HP-UX, MacOS X, Novell NetWare, Solaris, Irix… and yes, IBM i. • Integrated into appliances (routers, switches, etc) • HP, Nokia, Cisco, Digi, Dell, Juniper Networks "Puffy" – OpenBSD's Mascot The #1 SSH implementation in the world. • More than 85% of all SSH installations. • Measured by ScanSSH software. • You can be sure your business partners who use SSH will support OpenSSH 4 Included with IBM i These must be installed (all are free and shipped with IBM i **) • 57xx-SS1, option 33 = PASE • 5733-SC1, *BASE = Portable Utilities • 5733-SC1, option 1 = OpenSSH, OpenSSL, zlib • 57xx-SS1, option 30 = QShell (useful, not required) ** in v5r3, had 5733-SC1 had to be ordered separately (no charge.) In v5r4 or later, it's shipped automatically.
  • Using Vmware Vrealize Orchestrator 8.4 Plug-Ins

    Using Vmware Vrealize Orchestrator 8.4 Plug-Ins

    Using VMware vRealize Orchestrator 8.4 Plug-Ins 15 APRIL 2021 vRealize Orchestrator 8.4 Using VMware vRealize Orchestrator 8.4 Plug-Ins You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2008-2021 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents Using VMware vRealize Orchestrator Plug-Ins 9 1 Introduction to vRealize Orchestrator Plug-Ins 10 vRealize Orchestrator Architecture 11 Plug-Ins Installed with the vRealize Orchestrator Server 11 Access the vRealize Orchestrator API Explorer 14 Time Zone Codes 15 2 Configuring the vRealize Orchestrator Plug-Ins 18 Manage vRealize Orchestrator Plug-Ins 18 Install or Update a vRealize Orchestrator Plug-In 19 Delete a Plug-In 19 3 Using the Active Directory Plug-In 21 Configuring the Active Directory Plug-In 21 Using the Active Directory Plug-In Workflow Library 22 Computer Workflows 22 Organizational Unit Workflows 22 User Workflows 23 User Group Workflows 23 Client-Side Load Balancing for the Active Directory Plug-In 24 4 Using the AMQP Plug-In 25 Configuring the AMQP Plug-In 25 Add a Broker 25 Subscribe to Queues 26 Update a Broker 27 Using the AMQP Plug-In Workflow Library 27 Declare a Binding 28 Declare a Queue 28 Declare an Exchange 29 Send a Text Message 30 Delete a Binding 31 5 Using the Configuration Plug-In 32 6 Using the Dynamic Types Plug-In 34 Dynamic Types Configuration Workflows 34 VMware, Inc.
  • Z/OS Openssh User's Guide

    Z/OS Openssh User's Guide

    z/OS Version 2 Release 4 z/OS OpenSSH User's Guide IBM SC27-6806-40 Note Before using this information and the product it supports, read the information in “Notices” on page 503. This edition applies to Version 2 Release 4 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2020-11-16 © Copyright International Business Machines Corporation 2015, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Figures................................................................................................................. ix Tables.................................................................................................................. xi About this document...........................................................................................xiii Who should use this document?............................................................................................................... xiii z/OS information........................................................................................................................................xiii Discussion list...................................................................................................................................... xiii How to send your comments to IBM......................................................................xv If you have a technical problem.................................................................................................................xv
  • Gnuk — a Free Software USB Token Implementation Niibe Yutaka

    Gnuk — a Free Software USB Token Implementation Niibe Yutaka

    Gnuk — A Free Software USB Token Implementation Niibe Yutaka <[email protected]> What’s Gnuk? Free Software implementation of Cryptographic Token For GNU Privacy Guard Supports OpenPGP card protocol version 2 Runs on STM32 processor Named after NUK® My son used to be with his NUK®, always, everywhere I wish Gnuk Token can be a soother for GnuPG user NUK® is a registered trademark owend by MAPA GmbH, Germany. Cryptographic Token? Stores your Secret Keys Performs security operations on the device Digital signature Authentication Decryption No direct access of Secret Keys How useful? Can bring secret keys securely On the go, you can do: Make digital signature Authenticate yourself Read encrypted mail GNU Privacy Guard (GnuPG) Tool for Privacy by Cryptography Conforms to OpenPGP standard Usage: Digital Signature Encryption/Decryption Authentication Supports "OpenPGP card" OpenPGP card Smartcard to put GnuPG keys Follows OpenPGP protocol standard Features of v2.0: RSA 1024-bit, 2048-bit, 3072-bit Three keys: Sign, Decrypt, Auth Key generation on the card RSA accelerator OpenPGP card Applications GnuPG OpenSSH → gpg-agent TLS/SSL Client authentication Scute (Network Security Service) PAM Poldi Problem to solve Where and how we put our secret keys? On the disk of our PC Encrypted by passphrase Not Secure Enough OpenPGP card Good (portable, secure) Not easily deployed (reader is not common) FSIJ USB Token v1 (2008) Hardware: Built a PCB CPU: Atmel AVR ATmega 328 @20MHz Software: RSA computation routine for AVR RSA 1024-bit About 5sec Data objects
  • Hardware Cryptographic Support of IBM Z Systems for Openssh in RHEL 7.2 and SLES 12 SP1

    Hardware Cryptographic Support of IBM Z Systems for Openssh in RHEL 7.2 and SLES 12 SP1

    Hardware cryptographic support of IBM z Systems for OpenSSH in RHEL 7.2 and SLES 12 SP1 Uwe Denneler, Harald Freudenberger, Paul Gallagher, Manfred Gnirss, Guillaume Hoareau, Arwed Tschoeke, Ingo Tuchscherer, Arthur Winterling August 18, 2016 Abstract This article summarizes our experiences with the configuration and usage of OpenSSH using hardware cryptographic support of IBM z Systems. We report our findings in the areas of performance and throughput improvement. Our positive experience indicates that you should make use of this capability when using OpenSSH. i IBM Client Center, Germany Contents 1 Introduction 1 2 Hardware cryptographic support of z Systems 1 2.1 Verification of installed LIC 3863 using the SE . .1 2.2 Verification of installed LIC 3863 using a Linux command . .2 3 Configuration of Crypto Express feature for Linux for IBM z Systems 4 4 HW- Support - Architecture for OpenSSH 4 5 Our environment 5 5.1 Installation of SLES 12 SP1 . .6 5.2 Installation of RHEL 7.2 . .9 5.3 Configuring ibmca engine . 14 6 CPACF Support for OpenSSH 15 6.1 General test using openssl speed . 15 6.2 First test with SCP of OpenSSH . 17 6.3 Test with SSH client . 19 7 Selection of cipher and MAC 21 7.1 Small comparison between SHA with CPACF support and MD5 . 21 7.2 Profiles for OpenSSH client and server . 22 7.2.1 SSH client configuration . 22 7.2.2 SSHD server configuration . 23 8 Crypto Express support for RSA with OpenSSH 24 9 Some more performance aspects 25 9.1 Choice of cipher algorithm .
  • Analysis of Software Vulnerabilities Through Historical Data

    Analysis of Software Vulnerabilities Through Historical Data

    Analysis of software vulnerabilities through historical data Magnus Törnquist [email protected] Department of Electrical and Information Technology Lund University Supervisor: Martin Hell Assistant Supervisor: Jonathan Sönnerup Examiner: Thomas Johansson June 29, 2017 c 2017 Printed in Sweden Tryckeriet i E-huset, Lund Popular science summary Lately there has been increasing media coverage of cyber crime, especially in re- lation to the elections in France and the United States. Every day information is being stolen from governments, businesses and private citizens. Information that can be sold, used for blackmail or for other nefarious purposes. Commonly this information is obtained through exploiting vulnerabilities in software. A vulnera- bility is essentially a bug in the code and they are very hard to avoid, especially in large complex programs. Having vulnerabilities in software is inevitable and software is everywhere: in every computer, router, webcam, mobile device and even in some coffeemakers. As long as these devices are connected an intruder has a wide variety of options on how to attack a network and the fast growth of Internet of Things (IoT) has lead to a huge amount of new devices on networks all over the world. This reality means that larger organizations have to spend a lot of time making sure all their software is updated and keeping track of potential breaches. This also means that it is very important for the software developer to maintain their code and patch any discovered vulnerabilities quickly. So how does an organization, the developer of an IoT product or a regular user choose which software to use if they are concerned about software security and is there a way to help them do it? That is what this thesis explores.