| author | Holger Dengler <dengler@linutronix.de> | 2016-10-28 16:57:24 +0200 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2016-10-28 16:57:47 +0200 |
| commit | cd03b6d85930eaf8f68240cd3e91a6bcf5035c53 (patch) | |
| tree | 809649e3234fb7d57ef394f8853ea4c80499a8f1 /security | |
| parent | 84508a664655fa1fac11711cb6ecfcba0e571a8f (diff) | |
security: Review findings (Holger, John)
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/advanced/frm_capabilities.tex | 2 | ||||
| -rw-r--r-- | security/advanced/frm_namespace_container.tex | 2 | ||||
| -rw-r--r-- | security/crypto/pres_crypto_en.tex | 6 | ||||
| -rw-r--r-- | security/crypto/pres_pki_en.tex | 39 |
4 files changed, 23 insertions, 26 deletions
diff --git a/security/advanced/frm_capabilities.tex b/security/advanced/frm_capabilities.tex
index 5acd8e9..d4a2890 100644
--- a/security/advanced/frm_capabilities.tex
+++ b/security/advanced/frm_capabilities.tex
@@ -205,7 +205,7 @@ Scenario for dropping capabilities in suid-root processes
 \item effective: drop all
 \item permitted: keep only required
 \end{itemize}
-\item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS, 1))
+\item preserve capabilities (prctl(PR\_SET\_KEEPCAPS, 1))
 \item set all UIDs to non-zero
 \item raise capability in effecive set before calling a privileged syscall
 \item drop capability from effective set after syscall
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
index c63b6b2..5b907e6 100644
--- a/security/advanced/frm_namespace_container.tex
+++ b/security/advanced/frm_namespace_container.tex
@@ -37,6 +37,8 @@
 \begin{itemize}
 \item Mount: \\
 Provide different filesystem
+\item PID: \\
+ Provide new Process-ID scope
 \item IPC: \\
 Provide isolated inter process communication entities
 \item Network: \\
diff --git a/security/crypto/pres_crypto_en.tex b/security/crypto/pres_crypto_en.tex
index feba1c5..560f4c9 100644
--- a/security/crypto/pres_crypto_en.tex
+++ b/security/crypto/pres_crypto_en.tex
@@ -189,6 +189,7 @@ corresponding bit in the following plaintext block
 \begin{itemize}
 \item Required only Block Encryption
 \item Encryption and Decryption parallelizable
+\item En-/decryption can be prepared in advance
 \item No padding required
 \end{itemize}
 \begin{figure}[h]
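Review bot: In the frm_capabilities.tex hunk the reworded item still omits that the keep-capabilities flag set by prctl(PR_SET_KEEPCAPS, 1) is cleared again on execve(2), so the scenario only holds for a process that does not exec after switching its UIDs. A short addition after the changed line, for example `\item note: keep-capabilities flag is reset on execve()`, would make that limit explicit. The context line two items further down spells `effecive`; since this commit is a review pass it could be corrected to `effective` at the same time. The enumeration starts above the hunk.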
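Review bot: In the first pres_crypto_en.tex hunk the property list now advertises that en-/decryption can be prepared in advance but names no precondition for doing so. Judging by the parallelizable and no-padding items this appears to be the counter-mode frame; precomputed keystream is only safe when a counter/nonce value is never reused under the same key, and the mode by itself gives no integrity protection. Unless a later slide already covers this, add `\item Counter/nonce must never repeat under the same key` to the list. The frame begins above the hunk and continues past the figure.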
@@ -243,6 +244,11 @@ RN\subscript{s} and PMS
 \begin{itemize}
 \item OpenSSL: libcrypto and libssl \\
 Implementations and Hardware support for most common algorithms
+\item LibreSSL \\
+ fork of openSSL
+\item mbedTLS \\
+ implementation for embedded systems \\
+ new name for PolarSSL
 \item GnuTLS: GNU SSL/TLS implementation \\
 Focus on TLS handshaking and protocol implementation
 \item PKCS\#11 (API for Smartcard Slots and Tokens) \\
diff --git a/security/crypto/pres_pki_en.tex b/security/crypto/pres_pki_en.tex
index ff0133b..f385550 100644
--- a/security/crypto/pres_pki_en.tex
+++ b/security/crypto/pres_pki_en.tex
@@ -27,21 +27,21 @@
 \begin{frame}
 \frametitle{Roles}
 \begin{itemize}
+\item Registration Authority
+ \begin{itemize}
+ \item Process Certificate Signing Requests
+ \item Ensure Clients Identity
+ \end{itemize}
 \item Certificate Authority
-\begin{itemize}
-\item Issue CA-Certificate (CA Public Key)
-\item Sign Public Keys (with CA Private Key)
-\end{itemize}
+ \begin{itemize}
+ \item Issue CA-Certificate (CA Public Key)
+ \item Sign Certificates (with CA Private Key)
+ \end{itemize}
 \item Validation Authority
-\begin{itemize}
-\item Provide signed Certificates
-\item Unique relation between Client and Certificate
-\end{itemize}
-\item Registration Authority
-\begin{itemize}
-\item Process Certificate Signing Requests
-\item Ensure Clients Identity
-\end{itemize}
+ \begin{itemize}
+ \item Confirm CA-signature of client certificate
+ \item Validate lifetime and revocation of client certificate
+ \end{itemize}
 \end{itemize}
 \end{frame}
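Review bot: In the second pres_crypto_en.tex hunk the new LibreSSL entry writes `fork of openSSL` while the existing item two lines above spells the project `OpenSSL`; the added line should read `fork of OpenSSL`. The two new items also drop the `Name: description \\` pattern with a colon that the OpenSSL and GnuTLS items use, so the list reads unevenly. The itemize environment continues below the hunk.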
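Review bot: In the Roles frame of pres_pki_en.tex the new Validation Authority item `Confirm CA-signature of client certificate` describes a single-level check, which understates validation as soon as intermediate CAs exist: every signature in the chain up to a locally trusted CA certificate has to be verified, not only the issuer's. A wording such as `\item Validate certificate chain up to the trusted CA certificate` would cover both cases. The Registration Authority item `Ensure Clients Identity` would read more precisely as `Verify client's identity`.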
@@ -93,17 +93,6 @@
 \subsubsection{Workflows}
 \begin{frame}
-\frametitle{Create CA-Certificate}
-\begin{itemize}
-\item Create Key-Pair
-\item Self-Sign Public Key
-\item opt: generate Certificate Signing Request for Root CA
-\item Send CA-Certificate to Directory Server and/or Validation Authority
-\end{itemize}
-\end{frame}
-
-% ----------------------------
-\begin{frame}
 \frametitle{Process Client Certificate}
 \begin{itemize}
 \item Requester
@@ -141,7 +130,7 @@
 \end{itemize}
 \item Validation Authority
 \begin{itemize}
-\item Retrieve Clients Certificate in Directory Server
+\item Retrieve CA Certificate in Directory Server
 \item Check Certificate Revocation List
 \item Validate Clients Certificate with CA-Certificate
 \item Validate Signature with Clients Certificate |
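Review bot: In the last pres_pki_en.tex hunk the changed Validation Authority step fetches the CA certificate from the directory server without saying how that certificate itself becomes trusted. A CA certificate taken from a directory only serves as a trust anchor if it is checked against a locally installed root or a fingerprint obtained out of band; otherwise whoever controls the directory entry controls the validation result. Consider `\item Retrieve CA Certificate from Directory Server (verify against trusted root)`, which also fixes the preposition. The following context item `Check Certificate Revocation List` has the same gap, since a CRL is only meaningful once its signature is verified. The enclosing frame starts above the hunk.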
