Engineering LibreTexts

12-B.7: TTY Security & PKI

    The /etc/securetty File

    The file /etc/securetty contains the names of terminals (one per line, without leading /dev/) which are considered secure for the transmission of certain authentication tokens.

    It is used by (some versions of) login(1) to restrict the terminals on which root is allowed to log in. See login.defs(5) if you use the shadow suite.

    On PAM-enabled systems, it is used for the same purpose by pam_securetty(8) to restrict the terminals on which empty passwords are accepted.

    It is interesting that most distributions no longer allow root login at all, yet the securetty file is still in existence. It is possible for a system administrator to enable root login, but that is highly discouraged due to the security risks.
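
    One way to audit a file in the format described above (one terminal name per line, without leading /dev/). This is an added example, not part of the original page; the function name, the sample file and the policy of flagging pseudo-terminals are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a securetty-style file (one terminal name per line,
# no leading /dev/). Assumptions, not from the page: lines starting with '#'
# are comments, and pseudo-terminals (pts/N) are flagged because they belong
# to network or terminal-emulator sessions rather than the local console.

audit_securetty() {
    file=$1
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }
    listed=0
    flagged=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        listed=$((listed + 1))
        case $entry in
            /dev/*) echo "FLAG $entry: leading /dev/ must be omitted"
                    flagged=$((flagged + 1)) ;;
            pts/*)  echo "FLAG $entry: pseudo-terminal, not a local console"
                    flagged=$((flagged + 1)) ;;
            *)      echo "OK   $entry" ;;
        esac
    done < "$file"
    [ "$listed" -gt 0 ] || echo "NOTE no terminals listed"
    echo "listed=$listed flagged=$flagged"
    [ "$flagged" -eq 0 ]                    # exit status 0 only when clean
}

# Constructed sample file, not taken from any real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
console
tty1
/dev/tty2
pts/0
EOF
audit_securetty "$sample" || echo "review the flagged entries"
rm -f "$sample"
```

    On a real host the function would be pointed at /etc/securetty itself; the exit status makes it usable in a configuration check.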

    Public Key Infrastructure (PKI)

    A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.

    Components of PKI

    There is a long list of components that make up the entire PKI. A few of the more important terms and their meanings are listed below.

    Certificate Authority (CA):

    Trusted certificates can be used to create secure connections to a server via the Internet. A certificate is essential in order to circumvent a malicious party that sits on the route to a target server and acts as if it were the target. Such a scenario is commonly referred to as a man-in-the-middle attack. The client uses the CA certificate to authenticate the CA signature on the server certificate, as part of the authorizations before launching a secure connection. Usually, client software (for example, browsers) includes a set of trusted CA certificates. This makes sense, as many users need to trust their client software. A malicious or compromised client can skip any security check and still fool its users into believing otherwise.

    Certificate Signing Request:

    In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a registration authority of the public key infrastructure in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).

    Digital Certificate

    A public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization.

    Digital Signature

    A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).

    Digital signatures are a standard element of most cryptographic protocol suites, and are commonly used for software distribution, financial transactions, contract management software, and in other cases where it is important to detect forgery or tampering.

    Private Key

    Private keys are used by the recipient to decrypt a message that is encrypted using a public key. Since the message is encrypted using a given public key, it can only be decrypted by the matching private key. This establishes the ownership of the private and public key, ensuring the message is only read by the approved parties.

     

    Figure 1: The message is only signed and not encrypted. 1) Alice signs a message with her private key. 2) Bob can verify that Alice sent the message and that the message has not been modified. For verification, Alice's public key must be used. ("Private_key_signing.svg" by FlippyFlink, Wikimedia Commons, is licensed under CC BY-SA 4.0)

    Public Key

    A public key is a cryptographic key that can be distributed to the public and does not require secure storage. Messages encrypted by the public key can only be decrypted by the corresponding private key.
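
    The certificate authority, certificate signing request, digital certificate and digital signature described above, worked end to end with the openssl command-line tool. This is an added example, not part of the original page; the CA name, host name and file names are constructed, and it assumes openssl is installed with its default configuration.

```shell
#!/bin/sh
# Added example: a throwaway PKI built with the openssl CLI in a temp directory.
# Every name below (Example Root CA, www.example.test, file names) is constructed.

pki_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # CA: key pair plus a self-signed certificate that clients choose to trust.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/CN=Example Root CA" -days 30 2>/dev/null || exit 1
        # Applicant: key pair plus a CSR carrying the public key and subject,
        # signed with the applicant's own private key for integrity.
        openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
            -out server.csr -subj "/CN=www.example.test" 2>/dev/null || exit 1
        # CA: issue the certificate by signing the CSR contents with the CA key.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out server.crt -days 7 2>/dev/null || exit 1
        # Client: the issuer's signature must verify against the trusted CA.
        openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 1
        # A CA the client does not trust must not validate the same certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key \
            -out other.crt -subj "/CN=Unrelated CA" -days 30 2>/dev/null || exit 1
        if openssl verify -CAfile other.crt server.crt >/dev/null 2>&1; then
            echo "certificate accepted under the wrong CA" >&2; exit 1
        fi
        # Digital signature: sign with the private key, verify with the public
        # key taken from the certificate.
        printf 'pay 100 to account 42\n' > msg.txt
        openssl dgst -sha256 -sign server.key -out msg.sig msg.txt || exit 1
        openssl x509 -in server.crt -pubkey -noout > server.pub || exit 1
        openssl dgst -sha256 -verify server.pub -signature msg.sig msg.txt \
            >/dev/null 2>&1 || exit 1
        # Integrity: the same signature must fail on an altered message.
        printf 'pay 900 to account 42\n' > tampered.txt
        if openssl dgst -sha256 -verify server.pub -signature msg.sig \
            tampered.txt >/dev/null 2>&1; then
            echo "tampered message accepted" >&2; exit 1
        fi
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

pki_demo && echo "all PKI checks passed"
```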

     

    Adapted from:
    "Certificate authority" by Multiple Contributors, Wikipedia, is licensed under CC BY-SA 3.0
    "Public key infrastructure" by Multiple Contributors, Wikipedia, is licensed under CC BY-SA 3.0
    "Certificate signing request" by Multiple Contributors, Wikipedia, is licensed under CC BY-SA 3.0
    "Public key certificate" by Multiple Contributors, Wikipedia, is licensed under CC BY-SA 3.0
    "Digital signature" by Multiple Contributors, Wikipedia, is licensed under CC BY-SA 3.0
