All right, I think we're about to start right now; it's 11:30. Hey everybody, how's everybody doing? Good? All right, welcome to our presentation on engaging students with customized Linux images for cybersecurity training. My name is Adam Ramirez, and this is my sister Marie Ramirez. I know it's a long title, but it's definitely worth it.

For today's agenda, we're going to include a quick background about ourselves, and then an overview of what CyberPatriot is and the training basics for the competition and cyber defense in general. Since our customized VMs are based on our experience with CyberPatriot, this will provide some background on the use of VMs. Then we'll talk about the benefits of customizing virtual machines and our approach to customizing, or "themifying," the VMs, just to help students get more excited and engaged about learning cybersecurity. Then we'll give a quick demo, which will be demonstrated by Marie, and then we'll open up for some questions at the end.

So, my name is Adam Ramirez. I'm going to be an incoming freshman at UC Merced, majoring in applied mathematics and computer science. I've been in cybersecurity and CyberPatriot for about seven years. I actually founded the cybersecurity club at my high school, and I was president for about three years. Besides all the computer stuff, I enjoy playing basketball and volleyball, and I've published about three articles about cybersecurity through Project Cyber. The Instagram handle is right there.
Hi, everyone. I'm Marie Ramirez, and I'm a rising senior at Bishop on one High School. I have been a part of CyberPatriot for six years; this upcoming year will be my seventh. I am now the current president of the cybersecurity club that Adam founded at our school, and I have also published three articles in cybersecurity. I've competed in local CyberPatriot competitions as well as NCL, which is the National Cyber League. Besides cybersecurity, I like volleyball and photography; I'm actually part of the head yearbook staff at my school.

So, does anybody know what CyberPatriot is? All right, so we got a few. Well, this is going to be a little refresher, and for those who don't know, CyberPatriot is a nationwide cyber defense competition that's open to high school students and middle school students. Recently they added Canada, the UK, Australia, and Saudi Arabia. It helps train students on cybersecurity concepts with hands-on training, to inspire them to pursue careers in cybersecurity and also in STEM. It focuses on cyber defense, which means no hacking; there's zero tolerance for hacking in CyberPatriot. CyberPatriot also helped both of us understand what VMs are and how to use them, so our script today, customizing VMs, definitely owes a lot to CyberPatriot.

So now I'm going to break down a CyberPatriot competition to demonstrate some of the key components, using the cyber camps that we have participated in in the past and that helped inspire us in creating the script. Usually a CyberPatriot competition is a six-hour nationwide event where about 5,200 teams, consisting of one to five students per team, work on various virtual machines. Points are given for finding vulnerabilities, securing system settings, and answering some forensic questions, but points can also be subtracted if a misconfiguration occurs, such as removing an authorized user. The goal at the end of the competition is to gain 100 points per virtual image. Each of the VMs includes a README file that describes a scenario, usually about a company with computing policies such as password policies, authorized software, and authorized users and admins. Each team is given three VMs that are installed using VMware Player: a Linux system, a Windows desktop, and a Windows server. The main point here is that these are standalone virtual machines that are used and must be secured. Here's a graphic that we've provided that represents the different challenges given at each competition round. For our talk today we're going to be focusing on just the Linux image, but in addition to these three images there's also a Cisco Packet Tracer challenge, where students are given a network layout and network-based challenges to configure routers and switches, plus a security networking challenge, which is an online-based quiz.

So now we're going to move on to what the cyber training through the Linux image is. Since we are presenting at a Linux conference, I think it's pretty obvious... well, the image we're going to demo is going to be Windows. No, just kidding, it's going to be on Linux. We do have a customized Windows image, but we haven't fully automated the whole process yet. So let's continue talking about the Linux image. We did have a couple of goals in mind when creating it. First and foremost, we wanted to make it as close as possible to the CyberPatriot competition, since this will be used as a training tool. For instance, typically in the CyberPatriot competition they don't really use the latest version of Ubuntu; this year, when we participated, they used Ubuntu 18 when Ubuntu 22 was actually the latest version. Second was the use of VMware Player, although we can use VirtualBox.
We actually encountered many problems, such as with the hard disk devices. But sometimes we have no choice but to use VirtualBox. Another instance of why we have to use VirtualBox is when we volunteer at some schools: they only have computer labs full of Macs, and for VMware Player you actually have to pay if you have a Mac, while on Windows it's free. So that's why we had to use VirtualBox; that's a problem we encountered. Going back to the VMs: the VMs are zipped up in zip files, and we usually install them on lab desktops, similar to the competition and training labs. Lastly, the script sticks to the similar vulnerabilities or challenges provided by the CyberPatriot competition, as we mentioned before.

So, the cyber defense page: we list some basic cyber defense vulnerabilities or challenges. The first one we have is OS updates; you always have to make sure the OS is up to date. The next one is the firewall; usually during the competition the firewall is turned off, so we have to make sure it's always turned on. Then, as we move on, we have the local security policies, which include password policies and lockout policies. Then we have software management; usually competitors have to check if the software is appropriate for each scenario that's given. Then we have user account management; competitors usually have to check if each user is authorized, which means they usually have to add or delete users. Then we have unauthorized software; usually CyberPatriot is big on deleting hacking tools, so nmap or Wireshark would usually be installed.
So we have to delete that, or install it. So, our approach to customizing a Linux VM: being students ourselves, we kind of understand how students think and learn. Personally, if these VMs had been available, I think they would have benefited me in the long run, because if I could relate some of my favorite TV shows to learning, I think that would have helped me a great ton. So trying to gauge what students are into is a good first step in addressing this whole situation. After several years in CyberPatriot and using Linux, we created a list of the things we can customize from our learning. I was first inspired by theming a VM when I installed one from online; it was actually themed The Walking Dead. That really inspired me, so I was like, why not just create our own script so we can customize it? Once we understood what can be customized, we generated a list of settings that can be customized; we brainstormed and thought about how we could do that. We first customized them manually, using the GUI and the command line, but we realized that was way too inefficient. So after some Google searches and talking to our mentors about this, we decided to challenge ourselves and actually try to automate this whole process.

So, the cyber camp training. During each training session, each student is given a PC with VMware Player installed, and we usually give them the zipped-up file that they have to unzip themselves and open up the image. Sometimes we actually walk through it with them just so they can get used to it; we want them to walk through this whole process and let them learn. Once the VMs are up and running, we usually walk through some exercises using the GUI and the command line, and as we mentioned earlier, we give them challenges that are similar to the competition.
So why are we customizing the VM? It's simple: kids have an attention span of about 10 seconds until they get bored or distracted. In supporting several camps we noticed that kids were often distracted as the coaches were presenting their material, and they were not engaged, especially when the material was challenging for them or they weren't able to comprehend it. Usually I would see kids bring up games online while the teacher was actually teaching. So I was like, there's a problem there; how can we address this? Coming up with customizing VMs, I think, is one way we can address this situation. Not only does it help the teachers, it could also help the students themselves, because it allows the students to associate things they're familiar with with the tasks they're actually learning. One example: my favorite TV show right now is Stranger Things, so having an image themed as Stranger Things, I think, would help me. As I mentioned before, The Walking Dead theme really caught my attention. So the script can be a great teaching tool for teachers; for example, they can use the script to tailor the VM to the latest movie or TV show that the students are talking about.

So, the customizations that we made. The most obvious one is the themed background. This is obvious because once the kids start the VM up and log in to the user, the wallpaper is the first thing they see, so if the background is all themed out, I think that would catch their attention right away. Next we have the hostname; that's just a little additional detail that we added. Then the user accounts with passwords, some weak, others complex. This is another big one, because students get excited when they see the characters that they know actually listed as each user. It gets them pumped up and talking.
Next we have the unauthorized software. As I mentioned before, this is usually hacking tools; this is more of a CyberPatriot thing, where they want you to make sure to delete the hacking tools. Then we have the scenario, aka the README file. This is a really big one, because it sets up the whole story, the whole narrative of how the competition is going to be. The README sets up the scenario for the competition; it presents students with company policies, the authorized users, the administrators, and the passwords. For the README we use a Mad Libs-style template, where we fill in the blanks with the information from the theme file. Then we have the unauthorized files and the media files. This is just another thing where the students have to check if each game file is appropriate for the scenario, so they would have to delete the media files or the game files.

So, customizing with Python. Why did we choose Python? We chose Python for a few reasons. First, we wanted to expand our experience in Python, and it's actually one of the most popular programming languages right now, so we were like, why not. We actually considered shell scripting, but we were just more comfortable with Python. As we started with our script, we set ourselves a few constraints. The first one is no external modules: a standalone script. Basically, that means we didn't want any fancy modules; we just wanted default modules, because when we volunteer at different schools, some of the schools actually block outgoing traffic.
So some of the fancy modules would get blocked, and it wouldn't really run well. So we just wanted to keep it default and simple, which brings me to the next point: keeping it simple. We just wanted simple commands, like one command to change the wallpaper, add users, delete users, and just like that. Another one, which I don't think is on there, is to run it from the command line as root, because you're changing the system, so this is something you would want to run as root.

Some features: we added a small list of command-line options. This allows people a few options to customize. The next one is a big one: the use of YAML configurations to define each theme. Does anyone know what YAML stands for? Yeah, well, YAML is actually a recursive acronym that stands for "YAML Ain't Markup Language." It's a common text-based, human-readable format for configuration files. The reason we chose this format is that it's popular among many tools such as Ansible and Docker, plus we just wanted a chance to learn more about it. We'll show an example of the YAML format in the next slides.

First we have the script layout, the make_theme.py layout. This is how it's laid out when you run the script. We have the configuration directory; then, as we move down, we have the log directory; then you have the theme directories. This one's important because it lists all the themes that are available. The themes that we chose as examples are Among Us, Avengers, Justice League, and Stranger Things, and Stranger Things is the one we're actually going to be using for the demo. Then, as you see below here, we have the README template file, the wallpaper image, and the theme configuration in the YAML format. So right here, these are the command-line options.
This shows the options that are available in the script. The main option is the theme, which specifies which theme is going to be applied. Then, as we move down, we have the list option, which just lists the supported themes, and then the last two are the standard verbose mode and the help, which displays the help. So yeah, that's simple.

Then here's the sample YAML file that I mentioned before. This YAML file describes the Stranger Things theme. As we mentioned earlier, YAML is a text-based, human-readable format; this is one reason we chose it, because it's just easier to read. We have the hostname and the theme name all bunched up at the top; then, as we move down, we have all the users: we have the admins, and then we have the regular users with their usernames and passwords. Then we have the software that's installed. As we scroll further down, we have nmap, which is a hacking tool, so students would have to delete that; then we have Wireshark, Samba, tree, and auditd. Then we have the media files that are downloaded; this one was just a test one, so they would have to delete it. Then the services that are running: FTP, sshd, and Samba. Then the README; as you can see, it has company, services, and software. This is where the Mad Libs-style template comes in. For the company we put Hawkins Corporation, which is part of the theme, and then we have the critical services; these are services that have to be running, sshd and Postfix. Then we have the software, which is Firefox.

This diagram that we have right here shows the workflow of how make_theme.py actually works, the whole script. As I mentioned before, we have the theme files in the YAML format; those are basically the ones we showed before: Stranger Things, Among Us, DC, Marvel. Once we run the Python script on the command line, it executes all these commands: it sets the background wallpaper, it sets the hostname, it installs the software, it creates the users, it creates the README, and it also creates the admin accounts.

So now we're going to move on to the customization demo, which will be demonstrated by Marie.

So now I'm going to be starting with a VM with a base install of Ubuntu and run the script. As mentioned in the presentation, this is a command-line script, so now I'm going to run the command. As you can see, running the script requires root or administrator privileges using sudo; sudo allows you to run the commands with these privileges. So now I'm going to run it using sudo. Now let's go over the options that are displayed on the screen. The first one is the help, which obviously shows the help, as you can see. The next is the main one, the theme option; this specifies the theme that you want to be applied. Then we have the undo option, which undoes the specified theme that you applied; then the list option, which shows all the available themes; and lastly the verbose mode. How many of you know what verbose means? Well, yeah, it's used for debugging and to show all the different information. So now that we have seen the available options, I'm going to run through the commands. First let's run the list command.
As you can see on the screen, it shows the supported themes: Justice League, Stranger Things, Among Us, and Avengers, but today we're going to be using Stranger Things. So now I'm going to type the command to apply the theme. As the script is running, the output of the commands is displayed on the terminal, and it's adding all the users. Yeah, so let's go through the users to see if they were added. As you can see, it added all the users from the show, and we also added some non-users, so that when the students see this they're going to have to delete them, which will gain points for them. There will be a README file that shows up right there, and it shows the company name, all the users and their passwords, and all the software that needs to be running or installed if it hasn't been installed yet.

So I'm going to log out and log in as the default user, which is Hopper. Bear with us; I'm going to zoom in so you are able to see what's on the screen. That's much better. So you see the wallpaper that has been applied and the README file. I'm going to open it up and go through all the changes that it made. As you go through the README, the first thing you will see is Hawkins Incorporation, which is the company name that we mentioned, and then you see all the authorized administrators and authorized users, and you can obviously see that their passwords are very weak, so the students would have to change their passwords to make them more complex. Then at the very bottom you'll see the critical services, sshd and Postfix. These are the software that would have to be running in the image, and if not, they would have to be installed. And I think that's it for the demo.

So now we're going to open up for questions. Also, we uploaded the script to my GitHub, right there as you can see, and if you want to contact us, here are our emails.
Yes? Okay, so for VirtualBox: VirtualBox is free for Macs, but VMware Player actually costs money for Macs, while for Windows it's free. So when we go to schools, they have computer labs full of Macs, so usually we just run VirtualBox instead. That's one problem we had. That's good to know now.

Yes? Thank you. Yeah, I think you share the folders and then it's usually right there, so then you just type it in.

Any other questions? Yes? Yeah, one way that I try to keep them engaged is usually just talking to them one-on-one, or just walking around and making sure they're doing what they're supposed to do. That's one way I do it. And yeah, one thing I also noticed is that the food that's provided, like the pizza and the donuts, keeps the kids happy.

Yes? You can actually upload your own theme; there's just going to be a different way you have to do it. Yeah, you can make your own theme, through GitHub.

Yes? Yeah, I'm just volunteering my time. Well, actually, I did it at my own school: I hosted a cyber camp this year, and usually it was for incoming freshmen, middle schoolers, and also any high schoolers from 9th to 12th grade. We hope they notice the club, so that when it's time for them to actually join the club they're ready for CyberPatriot, because CyberPatriot is already coming around. We just want them to get used to it. Another one is that I actually volunteered at my mom's school; she's a teacher, so we went there, we taught 7th and 8th graders, and we went through the VMware images. So basically it's not through a company, just volunteering my own time.

Yeah, I would be up to that. I think I've done that in the past, not just for cybersecurity, but I've done virtual teaching before through a program.
So yeah, I'm kind of used to it. Yeah, no, I'm not available as a mentor; I'm just not a competitor this upcoming year, but right now I'm just helping out as a volunteer. I guess that concludes the presentation. So thank you for coming. This was our first time, so it was a little rough, but thank you.

Test. We'll start in a minute. Okay. Is it too loud? It feels kind of loud. Is that better? Is that okay? Everyone's good, not too loud? Okay. Yeah, it just seems really serious. Yeah, how's that, better? A little better? Yeah, okay, great.

All right, let's go. The last slot of the day, except for the keynote; the last track slot. It's a pleasure to be with you here today. My name is Bruce Momjian. I normally speak about Postgres, but today I'm going to be speaking about security; I'll explain in a minute why. I work for EnterpriseDB; I've been working there for 16 years, and some of the research that I've done here obviously has been on their dime, so it's kind of fun. I'll explain that in a minute, too. If you would like these slides, they are right here; you can download them. There are 58 presentations there and 98 videos of those presentations, plus 640 blog entries, mostly about Postgres, but today we're going to be talking about security. So why are we talking about security? Why, as a Postgres core team member, am I talking to you about security?
About six years ago... well, let me back up. I work on the CTO team at the company, and my primary job is to work in the community to keep it healthy and so forth. One of the things that I realized, having done it for so many years, is that when I was in security discussions, either with customers or when we were talking about it in regard to the database, I kind of understood the security concepts and I could speak intelligently about the various options, but I realized that I did not have a full understanding of security. Fortunately, because of the type of role that I have, I went to my boss and I said I'd love to do some research, because nobody in the community really has a deep knowledge of security, particularly cryptography, and he said fine, go do it. So I bought a bunch of books and I read them and I watched a lot of videos, and I guess nine months later I had 300 slides. You're going to look at 99 of them today, but there are another 200 also on that website.

The first deck talks about the foundations of cryptography: the mathematics behind it, elliptic curves, hashes, private keys, primes, and so forth. The second one primarily talks about SSL, or in more modern parlance TLS: how TLS works, how you can set up certificates, how you can configure TLS, how it does the handshake, and so forth. The third one is about configuring hardware security devices; that covers things like the YubiKey, if you're familiar with that, and a couple of other devices. And this one, which is the one the organizers picked, is unusually the last one, but perhaps the most applicable, and it talks about how to use cryptographic hardware to secure applications.

Now, this might be a new topic to some of you, but effectively cryptographic hardware is a specialized device that performs some cryptographic function, and normally the value of that cryptographic device is its ability to be detached from a client terminal or from a server; when it's detached, it takes its security capabilities with it. So you can imagine somebody steals the server, somebody steals a machine: if the cryptographic device is not attached, they can't do a whole lot with it, if the system is properly configured. That's what I'm going to be talking about today.

Okay, so I'm not going to be talking about the mathematics of it. I'm not going to be really talking about TLS and how to configure it. Yes, I have those slides; they are on that website, and I believe there are videos of all of these as well. If you want to go through those, make sure you're sitting down, because it's difficult. I actually go back to those once in a while when I forget a small detail, maybe of how TLS works or how the secrets are exchanged, and I'll be like, oh yeah, it's Diffie-Hellman, and oh yeah, we have to create the certificates this way and the private key goes here, and so forth.

Any questions before I start? Okay, I'd be glad to answer questions as we go. So let's take a look. We're going to talk about how we connect cryptographic hardware to these application types: OpenSSH, which is an SSH client; OpenPGP, which is used for encryption as well as email and that type of thing, if you're familiar with that; PIV devices, which you may not have heard of before, but I've become somewhat adept at those; fifth, my favorite use, Postgres; in six we're going to talk a little bit about database encryption scope and a little more database-specific stuff; and finally, private key storage options.
Okay, so let's talk about OpenSSH. As you know (hopefully you would know), when you type ssh at a Linux terminal you're getting OpenSSH. Just be aware there are two "Open" things that I've always gotten confused: OpenSSH is the shell command, right? OpenSSL is the TLS library. So if you hear "OpenSS..." and you think, oh, that's... yeah, that last letter is pretty important. I know H and L are pretty close in the alphabet, so they look kind of the same, but they are really performing a different service. So this is OpenSSH.

What I have done here is to create a host that effectively does not allow passwords, so it requires a certificate to connect to SSH. That's the way I do all of my SSH, frankly, and I do recommend it for most use cases. There are two main reasons for that. One, it's fairly hard to steal the private key of an SSH pair, because the key is never passed across the network in the same way that a password is. Secondly, the key is so complex that no matter how many times somebody guesses, they're never going to be able to construct, in any reasonable amount of time (centuries, right?), a packet that actually matches. So again, two reasons: one, it's hard to steal the private key, because of course it doesn't get passed; it gets mixed with other things. And secondly, it's very hard to brute-force it; that's the term we use. So again, if you are still using passwords, whether it's with Postgres or with SSH, you might want to be moving into something like an SSH certificate. Any questions about that?
Because that's kind of a fundamental thing, at least for me, and I learned... again, I used to talk about it and I sort of knew what I was saying, but I didn't really. Now I can really speak in the right terms; I can talk about the private key versus the certificate, for example. Certificates are publicly available; I can see public certificates for websites all day if I want to. It's the private key that's actually the secret that you have to have to prove you own the certificate. That's really what you're doing when you're logging in.

Again, and this is somewhat disappointing, the configuration of this is actually in the previous slide deck. I submitted all four slide decks and they chose this one. I think it's the right one, because I think it's going to be the most applicable. But if you want to know how to configure SSH with hardware security devices, look at the previous deck: instead of being called "Using Cryptographic Hardware to Secure Applications," it's called "Cryptographic Hardware Configuration," and it talks about how to configure all these things.

So, I am using a YubiKey in this case, and you can see that right here. I don't work for YubiKey; I don't have any of their stock. It's just a cheap device that is fairly highly functional. It could be an RSA device; it could be any of these. Does anyone use any of these devices regularly? Yes. Okay. What manufacturers? That would be good to know. Gemalto. Oh yeah, those have been around a long time. Other people? YubiKey. Other ones? Nitrokey. Oh, is that also YubiKey? No, Nitrokey is a separate company, German. Oh, I have heard of them now. Anyone else? But those are the big ones. Okay. Anyway, it's kind of interesting. I actually have one; I should have one right here.
If you're really really super curious You might you might laugh but Maybe I don't oh I think I I lost. Yeah, exactly. You totally got me. Yeah, I was carrying it in here forever And I might have just stopped carrying it because I was like, oh, why am I carrying this thing around? No, I guess I don't have it You be key. Yeah, it comes it comes in different formats So you can get it in Yeah, yeah, yeah, exactly You can get it in a little size. It's effectively the size of a USB ending Right just that little square the USB part that you go is literally that big and then they have more of a like a Like a memory stick size that you can put in they have a usb-c version that you can stick in your phone So it's different formats Again, Gamal toast good nitro is good. They're all they're all really good stuff But here I'm using you be key So basically what I have to do here is I have to use a tool Um, I'm using a tool to show you the ub key. It's called pkcs 15 tool again We covered that in the previous slide deck. Um, but it's basically reading The ssh key out and it's dumping it into a fire now. Remember, this is the public key Not the private key. We can't that's actually the hugest advantage to ssh of these devices That you cannot get the private key out Right people sometimes ask me well, why don't I just put the private key on a usb stick? and and use that and you can But keep in mind that when that usb stick is inserted that part private key is readable by the operating system One of the cool things about these cryptographic devices And I think the most valuable Is that the key literally cannot come off of the device if you want a backup of that key You basically create the key off of the outside of the device Make a backup and then store the public and private key in the device I actually have that an example of that in my previous slide deck. Okay Um, so basically it's asking for a pin It's all require some kind of pin. 
So you have to type it in, or you can do it manually if you want. And that actually is my key, my SSH RSA key right there. That's the public part. Now, there's some dots here; it's much longer, but you get the idea. And then what I can actually do is put the key into my OpenSSH authorized_keys file. If you're familiar, there's a bunch of ways of seeing the public key; one way is that one long string. It starts with ssh-rsa and then a big string, and you just concatenate it onto the end. And that's actually what I'm doing right here, concatenating, right? And then what's really cool is I can then do an ssh, and I specify the OpenSC library, and I can actually connect without a password. Because what I've done is I've extracted the public key. Remember I said you can't pull the private key off of the YubiKey, but you can pull the public key. So I pulled the public key off, I put it in my authorized_keys, and then I can actually ssh into my system with no password. But what is happening here is, because I've specified the OpenSC library, it's going to reach into the YubiKey. It's going to pass something in, get it signed or encrypted by the private key to prove I am who I am, send it to the server, and then I've actually logged in, and it says I've logged in and now I'm a new user. Okay, so that's an example. I just wanted to give you all the flow of what this is going to look like. Again, there's a lot of presentations before this to get here, but you may not need to know the other presentations. The point is that what I'm doing is using the hardware device to do a login without requiring a password at all. Okay. I mean, it's very similar on my phone. Now, I don't have a YubiKey on my phone, but it's a similar issue: if I start an SSH client here, there's a private key on my phone, and that's how I'm logging in. I'm not logging in with any kind of password.
Okay. Another thing you can do is, instead of that, you can basically add the PKCS11 provider so you do not need to use the -I. Remember I used the dash capital I. So again, if you don't want to use that for every SSH connection, there is a file called ssh config in your home directory, and if you add the lines I'm specifying here in the middle, then you can see at the bottom I didn't need the -I, because it knows that there's a PKCS11 provider called OpenSC there. Okay, so that's kind of a way of avoiding that. Now I'm basically saying I'm always going to be able to use that. Okay, and again, if you're curious about more details, right here at the bottom we have a URL that might help you. You might want to download these slides and just click on the URL, and it'll take you right to that. Now, you can just spend hours in this thing clicking on links and reading details. But again, if you're curious how I got there, this slide deck is also online, so it's easier to just download it and click as much as you want. Okay. Another way to do this: as I mentioned before, each time it's asking for a PIN. You see this asking for a PIN here at the bottom. So there is something called ssh-agent. ssh-agent is part of the standard tools that you typically get with SSH, and what it allows you to do is basically cache the PIN for a specified amount of time, so then repeated uses of ssh are not going to require you to keep typing the PIN in. Effectively what we do here is start ssh-agent right here, and then we're basically using the passphrase, and then if I do that, you can see the next one doesn't require it. Okay, so it kind of remembered that I needed it. And again, we have two URLs here at the bottom for details about how I got here. There's another way of doing this.
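The enrolment flow just described (pull the public key off the token, append it to authorized_keys, and name the PKCS#11 provider in ssh config so -I is no longer needed) as an added shell example. This is not the speaker's script or slide content; it uses OpenSSH's real `ssh-keygen -D` and `PKCS11Provider` features, and the OpenSC module path, the host name and the key lines used for checking are assumptions chosen here.

```shell
#!/bin/sh
# Added example (not from the talk): enrol a hardware token's SSH public key
# and make the PKCS#11 provider the default, so "ssh host" needs no -I.
# Assumption: the OpenSC module path is a placeholder; adjust to your system.
set -eu

OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"

# Read the public key(s) from the token in OpenSSH "ssh-rsa AAAA..." form.
# Only the public half ever leaves the device; the private key cannot be read.
token_pubkey() {
    # ssh-keygen -D asks the PKCS#11 module for all public keys on the token.
    ssh-keygen -D "$OPENSC_MODULE"
}

# Append a public key line to authorized_keys only if it is not already there,
# so re-running enrolment never duplicates entries. Comparison uses the key
# type and base64 body (fields 1 and 2), ignoring the trailing comment.
add_authorized_key() {
    keyline="$1"; authfile="$2"
    keybody=$(printf '%s\n' "$keyline" | awk '{print $1 " " $2}')
    umask 077                      # new files are private to the user
    touch "$authfile"
    if awk -v k="$keybody" '($1 " " $2) == k {found=1} END {exit !found}' "$authfile"; then
        return 0                   # already enrolled
    fi
    printf '%s\n' "$keyline" >> "$authfile"
}

# Write (or refresh) an ssh_config stanza naming the PKCS#11 provider,
# equivalent to passing -I on every invocation.
write_ssh_config() {
    cfgfile="$1"; host="$2"
    umask 077
    touch "$cfgfile"
    # Drop any earlier stanza for this host before appending the new one.
    tmp="$cfgfile.tmp"
    awk -v h="$host" '
        /^Host / { skip = ($2 == h) }
        !skip { print }' "$cfgfile" > "$tmp"
    mv "$tmp" "$cfgfile"
    printf 'Host %s\n    PKCS11Provider %s\n' "$host" "$OPENSC_MODULE" >> "$cfgfile"
}

# Number of enrolled key lines in an authorized_keys file (for checks).
count_keys() { awk '/^ssh-/ {n++} END {print n+0}' "$1"; }

# Typical use on the client, with the token inserted:
#   token_pubkey | while read -r line; do
#       add_authorized_key "$line" "$HOME/.ssh/authorized_keys"; done
#   write_ssh_config "$HOME/.ssh/config" "dbserver"
```

Because the comparison ignores the comment field, re-running enrolment after the token's key comment changes still does not create a second line for the same key. Removing a lost token is the reverse edit on the server's authorized_keys, which is the "just remove the old line" step the speaker mentions later in the Q&A.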
I actually created a script for controlling ssh-agent because I wanted to auto-start it. Again, I'm not going to go through the script; there's a lot of slides here that I'm not going to go through. But feel free to use the script, you know, copy-paste from the PDF; you should have no trouble doing that. Basically all it does is start ssh-agent when you log in and then keep it running. Basically, okay. And again, there's other tools out there that do something similar. Okay. Here's how you install ssh-agent d, and then you can basically run it, and there's a bunch of other scripts that do similar things, right there. Okay. Here's how you would start it in your login, and then you can see that effectively it works fine. So here we start the agent, and it's basically requiring it the first time, and then after that it doesn't require it. Okay. Any questions about OpenSSH? I was just trying to give you the framework of how that would be useful. And again, the big use of this is: if you take your hardware token out of that computer, nobody can log in from that computer. That's really the value of these devices. Okay. Second one: OpenPGP. This used to be... I don't know, I used to see a lot of this back in the '90s and early 2000s; I don't see this as much. Maybe it's more standard, maybe I'm less geeky, I don't know. But it's basically a library that allows you to do a whole bunch of security-related things. I think Phil Zimmermann is the author of this, and he's been around forever. Also, if you've heard of open GPG, which is kind of opposite of PGP and GPG, it's the same thing. It does file encryption. It does signing using your key. It also does OpenSSH as well as PAM. You can even use it for git commit signing. Actually, I do use a YubiKey for git commit signing... no, actually, I'm sorry, I use it for git pulling from an authorized host.
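An added example of the agent pattern the speaker describes (start one ssh-agent at login, reuse it from later shells, and load the token's keys through the PKCS#11 module so the PIN is entered once per session). This is not the speaker's own script; the env-file location and the one-hour lifetime are assumptions, and `ssh-add -s` is OpenSSH's real option for adding keys from a PKCS#11 library.

```shell
#!/bin/sh
# Added example (not the speaker's script): keep one ssh-agent per login
# and load the hardware token's keys into it via the PKCS#11 module.
# Assumptions: env file under ~/.ssh and a 1h key lifetime are choices here.
set -eu

OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"

# True when the agent named by SSH_AGENT_PID is still running.
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Reuse the agent recorded in $1 if it is alive; otherwise start a new one
# and record its SSH_AUTH_SOCK / SSH_AGENT_PID there for later shells.
start_agent() {
    envfile="$1"
    if [ -r "$envfile" ]; then
        . "$envfile" >/dev/null      # exports SSH_AUTH_SOCK and SSH_AGENT_PID
    fi
    if ! agent_alive; then
        umask 077                    # the env file names a private socket
        ssh-agent -s > "$envfile"
        . "$envfile" >/dev/null
    fi
}

# Ask the agent to use the token's keys through the PKCS#11 module. ssh-add
# prompts for the PIN once; -t makes the agent forget the keys after $2
# seconds, so a forgotten shell does not keep them usable indefinitely.
# (Not exercised by the self-test: needs a token.)
load_token_keys() {
    module="$1"; lifetime="${2:-3600}"
    ssh-add -t "$lifetime" -s "$module"
}

# Login-time use:
#   start_agent "$HOME/.ssh/agent.env"
#   ssh-add -l >/dev/null 2>&1 || load_token_keys "$OPENSC_MODULE"
```

Pulling the token out does not stop the agent, but the agent holds no private key; it only has a handle into the module, so signing requests fail as soon as the device is gone, which is the property the speaker is after.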
I don't use it for signing. So eventually we may get there, but right now that's a week. You can even use it for Postgres encryption, and again, there's a pretty good PDF there. Okay. So again, OpenPGP, or PGP, or GPG, contains a single active subkey used for signing. So again, it's designed around email, but now it actually has become more like a PIV device. How many people know what a PIV device is here? Okay, we got one. So I'm just going to give you the background and show you a PIV device here; also, there's a huge amount of PIV in my previous talk. A PIV device is basically a credit-card-like device that's used typically by companies and absolutely by the U.S. government. It's very similar to a credit card that has a chip on it. You're familiar with the chips: you have a credit card and it's got the chip on it at the top, right? Well, that chip, and I know we've gotten them in the past couple years, can actually be a hardware encryption device, and that's exactly what a PIV device is. It actually has four different roles: one is signing, one is encryption, one is authentication, and then there's a fourth one which is kind of weird. But OpenPGP actually has those slots now, so you can have different keys for different purposes. Because imagine in key rotation: you might want to rotate your authentication key every year, but you may never want to rotate your signing key, for example, because then you couldn't validate the signatures anymore. So again, you now have the idea of rotating. Again, expiration and revocation are important, and it's very similar to how TLS works. And again, there's a nice DB and URL there about subkeys and how they work. So how do we install this? I'm going to install GnuPG 2, and it's actually not Postgres pg.
It's GnuPG, right? It's gpg. I'm going to install it. I'm also going to install something called scdaemon, which is the smart card daemon, which is required for this. And if I now look, this is kind of like blow-your-mind, but if I now run gpg2 I actually can see inside of my card, my PIV card. Okay. And you can see the version, you can see it's a YubiKey. I can set my name, my sex, my language, my URL of my public key. That's a nice thing. Okay, and even there at the bottom you can see the different keys that I have: the signature key, the encryption key, and the authentication key. Okay, in this case they're empty, but we can actually fill them out. So I'm not going to go through that, but you get the idea. There also is a gpg-agent d that I wrote; again, feel free to use it if you are familiar with it. Make sure you check it out, test it; there's no warranty. But it was just something I found useful to get it to start and to manage that daemon, which is always running, because by definition it was kind of hard for me. Okay. So now if I run the gpg-agent d, I can actually reset the GPG card, and that's actually using that URL there at the bottom. This is literally what you have to do to reset the card. Then I can configure the card via gpg. I effectively make a directory called yubikey, and I delete the key in there, and then I generate a random PIN for the key, and I then echo the PIN into a file called openpgp.pin, and then I can actually run gpg, change the PIN, and it automatically will kind of set it for me. Okay. Now, if I want to go and set my various PINs, I can loop through and set what's called a PUK. There's a PIN and a PUK: the PIN is what you use when you're just running it, and the PUK is basically an administrative key that you use when you reset it. So I'm going to set that as well. And then we also have an admin PIN that we'll set at the same time.
So we have a bunch of random numbers, and then there's an admin PIN that we're going to set as well. Okay. This is a little better visual, I think, of what's going on with the key creation process. Again, when you put the crypto hardware in, it's empty, right? So you have to generate the keys and get them onto the device before you can use them. So effectively what we have here is two parts of the key. Again, there's a public part and a secret part, or private part if you want to call it that. We have a master key, and we have a signing key, an encryption key, and an authentication key. The YubiKey 4 has only three of those, which works just fine. So we set the master key, then we set the subkeys, and then we effectively copy the private key to a USB device, because if I do that I'll have a backup. Because remember, if you do it on the card, you can't get the private part back out. So I recommend generating it on the computer, maybe on a USB device, and then copying it over to the YubiKey, and then removing the USB device and storing that in a safe somewhere so you have a backup. Okay. And that's kind of what I'm doing here. So here I'm going to do a gpg --gen-key, so it's actually going to generate the key that I want for the particular slot that I'm interested in. Okay. And that's actually what I'm doing here; again, another URL. I can set my name, my email address, I can put a comment in there. So it's kind of interactive; you can go through it. Then I can edit the key if I want. Now you can see the two keys right here that are now in the YubiKey; in my case the E stands for encryption, so that's my encryption key right there.
Okay, then I can add another key. Here I'm going to add an RSA key and I'm going to say sign, encrypt. So I'm going to pick E for encrypt capability, and then I'm going to do sign, and I'm going to run through it, and basically it's going to create my keys for me. So these are the codes that gpg uses: A is authenticate, C is certificate creation, E is encrypt, S is sign. And then your public keys, your secret keys, your subkeys and your public keys is the way it displays it to you. Because when you look at the key itself, you can see there on the left we have pub and sub, and then at the bottom we have sec and ssb, and then on the right you can see the S for sign and the E for encrypt and the SC for the other. Okay, so again, it's pretty complicated. That's the way PIV devices work, and gpg allows you to access the YubiKey as a PIV device. If you want to do authentication, you can basically do that. You can see that you can effectively create those keys, the authentication key, and then we run through it, and now you see there is actually an authentication key stored here, right up here at the top. And then we're going to go through the same thing; you can now see the authentication key is filled out, right? And now we're going to back up the keys. So I'm going to copy them over to a USB device so that I have them, right? Then I'm going to pull it out and put it in a bank somewhere, or in a safe. And then you can actually see that we have our keys all kind of ready to use. Okay, you can delete keys; this is how we're deleting them, delete-secret-keys. And we can even import the secret keys in, and again we have a wiki that makes it a lot easier to use. Okay. We can move the secret key to the card.
So again, we generated them separately, and now keytocard is the command. So it basically takes the key that's in the file system and puts it on the card. So I'm going to put it in 2, which is the encryption key slot, and now you can see an encryption key defined in this card. Okay. And I can toggle between different keys: key 0, and it shows me key 0; if I go to key 2, it shows me key 2. Notice how the star kind of moves around; that little star there moves around for you. Okay, keytocard again. This copies a private and public key from your file system into your card. Here I'm going to do the signature key, and now the signature key has been loaded, as you can see. And I'm going to do the final one, and now you can see all three slots are full. Okay, so all three slots now have keys in them. Remember I said there's three different slots in a YubiKey that you can use, and that's exactly what's going on here. Okay. And yeah, it's this little syntax stuff of how it displays. It's kind of cool. Okay, any questions on configuring?
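The card-preparation procedure from the last few slides (random PIN, PUK and admin PIN written to files; master key and sign/encrypt/auth subkeys generated off the card under a separate GNUPGHOME that can live on the USB stick; backup; then keytocard) as one added shell example. It is not the speaker's script. The PIN lengths, names and file layout are choices made here; the minimum lengths are those the OpenPGP card specification requires (6 for the user PIN, 8 for the reset code and admin PIN), and gpg's name for what the speaker calls the PUK is the reset code. `--quick-add-key` and the batch parameter file are real GnuPG 2 features.

```shell
#!/bin/sh
# Added example (not the speaker's script): provision OpenPGP card PINs and
# generate keys OFF the card so a backup exists before "keytocard" moves them.
# Assumptions: 8/10/12-digit lengths, the name/e-mail and the file layout.
set -eu

# Minimums from the OpenPGP card specification: user PIN (PW1) 6 characters,
# reset code and admin PIN (PW3) 8 characters.
MIN_USER_PIN=6
MIN_RESET_CODE=8
MIN_ADMIN_PIN=8

# Random numeric secret of $1 digits from the kernel CSPRNG.
random_digits() {
    LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"
}

# Create the three secrets as 0600 files inside a 0700 directory, mirroring
# the talk's "echo the PIN into openpgp.pin" step. Returns 1 if a requested
# length is below the card minimum, so a caller's typo cannot yield a weak PIN.
make_card_pins() {
    dir="$1"; user_len="${2:-8}"; reset_len="${3:-10}"; admin_len="${4:-12}"
    [ "$user_len"  -ge "$MIN_USER_PIN" ]   || return 1
    [ "$reset_len" -ge "$MIN_RESET_CODE" ] || return 1
    [ "$admin_len" -ge "$MIN_ADMIN_PIN" ]  || return 1
    umask 077
    mkdir -p "$dir"
    random_digits "$user_len"  > "$dir/openpgp.pin"
    random_digits "$reset_len" > "$dir/openpgp.reset"
    random_digits "$admin_len" > "$dir/openpgp.admin"
}

# Parameter file for unattended generation of a certify-only master key;
# the three subkeys are added afterwards (see provision_keys).
write_keygen_params() {
    out="$1"; name="$2"; email="$3"
    cat > "$out" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $name
Name-Email: $email
Expire-Date: 0
%commit
EOF
}

# Not run by the self-test (needs gpg and a card). Same order as the talk:
# master key, subkeys, backup to the USB directory, then keytocard.
provision_keys() {
    workdir="$1"; name="$2"; email="$3"
    export GNUPGHOME="$workdir/gnupghome"     # e.g. a directory on the USB stick
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    write_keygen_params "$workdir/params" "$name" "$email"
    gpg --batch --generate-key "$workdir/params"
    fpr=$(gpg --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --batch --quick-add-key "$fpr" rsa4096 sign
    gpg --batch --quick-add-key "$fpr" rsa4096 encr
    gpg --batch --quick-add-key "$fpr" rsa4096 auth
    gpg --export-secret-keys --armor "$fpr" > "$workdir/backup-secret.asc"   # stays offline
    # The last step stays interactive, as in the talk: gpg --edit-key "$fpr",
    # then "key N" and "keytocard" for each subkey (slots 1 sign, 2 encrypt, 3 auth).
}

# Length of a PIN file's contents, for checks.
pin_length() { wc -c < "$1" | tr -d ' '; }
```

Pointing GNUPGHOME at the USB directory keeps the private material off the laptop's file system, which addresses the speaker's later Q&A point that a deleted file on disk may still be recoverable; the printed backup in backup-secret.asc is what goes into the safe.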
Yes, sir. Yeah, it might; I don't remember. It might delete at the same time. I know I have to back it up first. So I backed it up first, and yeah, keytocard kind of wants it out of the file system now. It's a little tricky, because for me, I would not normally store it on the file system. I would actually do all my work on a USB device instead of doing it in the file system, because the file system gets flushed to disk; even if I delete the file, it's kind of still there potentially. So I would do everything on a USB key. But if you do that, then make sure you don't copy it to the YubiKey and have only one copy, because then it's gone. Right, so I would almost create a separate directory and just copy them all in there, and then you keytocard while you're in that directory, and then just flush out that directory. Right, so just a little... I wish this was simpler. That's what kind of got me: there's a lot going on here that you have to understand to really make use of this stuff. It's not plug-and-play in any sense of the word, at least to me, unless I'm missing something. Okay. Yes, sir. Sure. So the question is, how would you recycle or change the keys at some point, right? So the public key you can pull off the device at any time, because it's public, right? In fact, the earlier slides showed you an example of me pulling the public key off of the YubiKey when we were doing OpenSSL. Remember, I just yanked it right off the device, no problem. It's the private key you can't get at, right? So effectively, the only thing you can do is overwrite the private key on the device. Okay, so it gets a little tricky, because if you're using it for encryption, for example, okay, you're encrypting stuff, and then all of a sudden you decide I'm going to change my encryption key, right?
Well, we only store one encryption key on the YubiKey, and on all the PIV devices; it's not a YubiKey-specific thing. So what if you have something encrypted and you just lost the private key, right? So what you almost have to do if you want to rotate keys like that is decrypt all your data, change your private key, and then re-encrypt all your data back with the new key. And that's somewhat disappointing. Maybe you just buy a second YubiKey and you keep the first one around, right? Or at least you're going to keep that backup in the bank around, maybe forever. Like maybe you're just going to buy ten USB sticks and put dates on them, and they're just going to sit in the safety deposit box or the safe, right? Because you can never know you've gotten all of them when you come back. So it has slots; we've got three slots here. Technically you could use slot one and slot two and slot three for encryption if you forced it to. I don't recommend it, but you can. You wouldn't be able to sign anything, probably, and you wouldn't be able to authenticate using it, but you could potentially use those all for the same purpose. Then you could get three of them in there, but it still becomes like a mess, right? So I think that's a problem. I don't really know what to tell you, except... I think the good news is that this stuff is so secure and so non-brute-forceable that you're probably not going to be rotating your keys every month, or maybe even every year. It may be a five-year, ten-year thing that you're going to be rotating these things. Because remember, if you're holding the YubiKey and the copy has never left the safe and nobody's been able to get that out of there, it's not like a USB stick where somebody makes a copy and you don't know it, right? There's literally no way for even the manufacturer.
I think without using an electron microscope to try and read the storage on it, it's just almost impossible. So that's, I think, a different scope of risk than we're used to. That's why I rotate passwords: because they get, you know, who knows where they go, right? They get passed over the network, they get written down. These are not issues with a hardware token. That's why I got kind of excited about them. Does that answer your question? Yes, sir. I'm sorry? What would be a good method to deploy these keys? Well, the real trick would be to automate the configuration of these things, right? Sort of what I've done. And then you would just hand people a key. They wouldn't know you have a backup, they wouldn't know what slots are, they wouldn't know anything. It would basically be preconfigured. I would never give an end user this. Yeah, it's just like, don't even go there, right? I did it because I'm crazy, right? But a normal person, you'd have... and the beauty of the thing is, once they have it, if they don't lose it, and even if they do lose it, the person has to guess the PIN. I've even talked about this: you only get like five guesses at the PIN, and if you fail five times, the device is literally locked; you can't get in again, period. Right now, there's an administrative PIN which will allow you to unlock it, but you can only try that, I think, ten times, and then that'll lock up. So you almost have to assume that if this thing's compromised, it's gone. Nobody can read it. You have a backup; you make a new key. The other one is just dead, and hopefully you have it; if you don't have it, I guess I don't know. I guess maybe you make a new one.
I don't know. But that's the interesting part: the physical thing is very important here. And if you configure it, yeah, it just runs. Once you configure it, they run normally: you just stick it in and you ssh and you're in. That's how Google does it; a lot of big organizations, Gemalto and Nitrokey, all these organizations are using it for mass deployment. Everything's preconfigured, all their SSH is configured, all their config files are configured on every laptop, and you just stick it in, you're in; pull it out, nobody's going in. Yes, sir. So the question is, are a YubiKey and a PIV device, or a credit card and a PIV, the same? So you have a great point. The traditional use of a PIV device is a credit card. It has the person's picture on it; it's government. So any government ID is going to be a PIV device. So it has a person's picture and a bunch of stats about them, and then a little chip. Okay, that is the way the government has basically implemented PIV for, you know, a decade or two, right? What we've seen now in the past seven, eight years is that with PIV devices, they're disconnecting the card from the chip. The traditional way is you have a PIV reader and you stick the card into the reader; you see them in movies, right? The guy puts the thing in, and that's how it works. It actually checks the authorization slot on the PIV and finds out who it is and validates their name. That's why you have a name slot in there, the whole thing, right? What we've seen with the YubiKey and the Nitrokey and so forth is taking that credit card and shrinking it down. We don't need a credit card anymore, we don't need a reader anymore; we just need a USB slot. Right, so there is a YubiKey PIV device. It's literally the size of the chip itself.
It's on your credit card. Okay, and then there's also some that are bigger, like more of a memory stick with a little stick on the end. There's one that sits in your cell phone in the USB-C slot; you just stick it in the slot and then it functions as a PIV device. So you're starting to see more form factors. It's a little different, and the picture is not on it, but it's obviously more functional, because now we have a direct USB interface to PIV devices that we didn't have before. We used to have to have a card; the card would have to go in the reader; the reader would have to be connected to the computer. And that's the way the government systems work: you have a terminal, you have a PIV reader, you stick it in, and that's how you authorize yourself on that device. Did I answer the question? Yeah, so the attributes that I showed, are they specific? Okay, so the attributes that I showed are, I believe... so you're asking about the attributes like SCC and stuff like that. So some of this stuff is standard. All these fields, these are a standard part of PIV cards right here. This is all standard PIV; all PIV cards have all these fields, I believe. The difference is that this appearance, this is all PGP. This is all very specific to PGP, and in fact I even mentioned that it changes in another release. This is how they're displaying it; they have to map the left-hand side to the right-hand side, and that's how they're doing it. Yeah, sure, other questions? Yes, sir. So why would you use YubiKey key generation? Because you don't have a backup; is that what you're saying? That's right. Right. That's correct. So why would you do it? So the question is, why would you... The reason I'm generating it separately is so I can make a copy and back it up, right?
That's why I'm not doing it on the YubiKey. Why would you want to do it on the YubiKey? You may not care about a backup. You may basically say, if I lose this, then my authentication is no good, and I'm going to have to get a new authentication; somebody's going to have to give me a new key. Nope, nothing wrong with that, right? I gave the longer one because if I'm doing encryption and I encrypt something, I want to be able to decrypt it later. But for authorization, if you lose the device, you just go to the administrator and say I need another YubiKey. I'm like, okay, we'll invalidate the old one and we'll add the new one and we're done. Right, so again, depending on whether you need that backup would determine whether you do it on the YubiKey or not. Much easier to do it on the YubiKey, no question, right? Because if you command it, it'll fill in all those slots, no problem. Right. Good. Yes, sir. Are there any hardware devices that have open source code? Yes. The Nitrokey is open. That's great; I learned something today. All right, so the Nitrokey has its source code open. That's kind of cool. Yeah, great point. Yes, sir. PIV is... verifier, yeah. Personal identity verifier, I think, yeah. Other questions? Good question. Yes, sir. So the question is, what different public-key encryption methods are possible with these devices? Basically the YubiKey supports a couple of them. I don't know what the Nitrokey supports, or Gemalto, but effectively these devices could support any public/private key specification. It could be anything; right now it's that, but there's nothing hardwired to the specification that indicates what it has to be. Okay. Yes, sir... ma'am, I'm sorry. I'm sorry, sir. Does the YubiKey support elliptic curve public keys? I don't remember. I'm sorry, I don't remember. I don't think so. That's a great question, though. I wish I knew the answer. Other questions? Okay.
All right. Let's actually run... let me just show you the use of this key so you can kind of see it. So here I'm using the word test, and I'm piping it into gpg. I'm asking to encrypt with armor, I'm giving the recipient ID, and then I'm decrypting at the same time. So I'm actually encrypting it and decrypting it, and you can see test goes in and test comes out, right? If I want to sign something, I can use a clearsign, and you can see it comes out in the same way. Okay, so that's an example of using the YubiKey to sign and unsign something. You can use OpenPGP with OpenSSH. So remember I showed you OpenSSH using it the standard, traditional way; you can have OpenSSH use OpenPGP. So here we have a normal ssh; it's failing. I can do an ssh-add with the public key of the YubiKey, I'm sorry, of gpg. There's my setting, and then I can actually concatenate that on, and then all of a sudden ssh will use the OpenPGP key instead of the PIV key, depending on how we want to do it. Okay. This is a very complicated slide; I'm not going to go into it. It's basically the software stack for these devices, and it is not pretty, right? You've got opensc-tool, pkcs11-tool, pkcs15-tool, and then over on the right you have the internals of the YubiKey, both the PIV part and the OpenPGP part. There's actually two parts inside the YubiKey: one's the PIV, which is what the gentleman asked for, and then there's another part which is OpenPGP, and then there's another part which is just for authentication. So, not fun. PIV versus OpenPGP: this is kind of just an informative slide. Which one should you use? PIV stores all user information on removable media; OpenPGP really was designed for storing the keys in the file system, so you're kind of copying over. What's interesting is that a PIV has the public and private all on the separate device.
So it's made to be removed and added. For PGP, it really kind of expects the public part to be in the file system, so it's not really thinking of you inserting and removing and coming in as a new user in the same way. So you may want to favor one over the other depending on what type of system you're using. Okay, and again, application support. Okay. Let's talk a little bit about the Postgres side, and again, this is going to be super complicated. But if you were in my talk on Friday... actually, if you were in Jimble Jinsky's talk on Friday morning, right? He gave my talk. It's this slide. So he actually ended up using my slides for his talk, and here the concept is that to do Postgres, you have the encryption key removable, like a PIV device. Okay, and you're effectively encrypting and decrypting on the client before you send back and forth on the network. Okay. You could also do that with symmetric keys, but it's not as secure. Here's an example of this. Basically, I'm creating a user key, and this is a whole bunch of psql, which I don't expect you to understand, but the idea is that we generate random numbers, we put them in a variable, we actually store that into RSA util so we can find out what's going on, we put that in another variable, and then we can actually, from the YubiKey, either decrypt it or encrypt it by sending the keys across, or we can actually do the encryption on the client. So again, I'm not sure how you want to do it. This is a lot of stuff here. But the goal, for example, of this particular slide is showing that when you remove the YubiKey, nothing happens; you get in there, right? It's basically saying I can't issue this query anymore because I don't have a key anymore, because I removed it. That's what you want to prove, right? If you're going to test it, pull the thing out. Does it still work? It better not. That is the goal, right?
Here's a more sophisticated example; again, way beyond what we want to cover here, but Postgres has encryption. There's some libraries we can use to encrypt stuff. You know, there is even a pg_get_key that I used to allow you to send keys back and forth. I'm not going to go into this, but again, you can actually use the hardware security module on the server, on the database server. You plug it in, it operates; as soon as you pull it out, nobody can read the data anymore, right? That's what we want. Kind of cool. Questions? Yes, sir. So how do you handle cases where the device is moving around and you're not sure where to put it, or... yes, you're moving between VM hosts. The only real good way of doing that is to make duplicate hardware keys and put them on each device. Right, and again, if you're generating the key externally, you can do that, because you just put a new key in and you go through the same process again, and now you have two keys that are identical, and they'll function. But then obviously if you remove them, you want to remove both of them so that nobody can use the other one while you're... yeah. Yes, ma'am. So yeah, in this case we have... this is basically a special utility I wrote called pg_get_key, which will pull the key off of an HSM or a YubiKey or something like that. So yeah, it's very specific to Postgres.
So I didn't really want to cover it here. But again, you can set up keys for functions, and yeah, this gets just super, super complicated. You can use it for transparent encryption if you want that feature. And again, I'm just running through. Here's a case where we actually have a trigger on a function, and we pull the key off of the YubiKey or the hardware security module, encrypt it, and then continue. So we can actually auto... by looking at the bottom, every time somebody does an insert or an update, we automatically encrypt it with the key that we got, right? Again, this is very database-y, so we're not going to cover it, but if you want to go into this, feel free to do that. Okay, here's a transparent insert, right? I just inserted the word test, which is up here on the top line, and you can see when I do a select from the view, which decrypts it, I get the right data; but if I go to the raw data, you can see it's encrypted. Right. So this is me inserting test, this is me running through the trigger, this is me just looking at the raw data. And again, as soon as that key's out, the view won't work either, which is the whole goal of what we're doing here, right? Same thing with update, same thing with delete, right? And again, yeah, update. So some performance issues here of how fast it is, indexing issues, data key expiration. So the idea of having to rotate the key every so often: very difficult to do. Again, very database-y; I don't want to go too much into this. But you can basically encrypt your data or you can encrypt your keys, and these are some of the ways you can do encryption inside a database. This is not a database talk for this audience, but I just wanted to, you know, I'll just go through the slides. So again, it's like, where do you want to store... one of the primary reasons
I got excited about this is one if you're doing encryption on database Where are you going to put the key right are you going to put it unencrypted in the file system, which some people do Are you going to encrypt it in the file system and then require a password to decrypt it or What we're doing here is encrypting it and requiring a pi dv device or a pin To decrypt it and I think that's the real final Thing I wanted to get across i'm not saying you have to do it But i'm saying this is how people do do it if they want that level of security Okay, and again, how do you want to store it? It's also called a cac card if you've ever heard of cac That's that's the more familiar term and it's called a cac card, but it's really common access card So it's common access card card. So you get the idea. It shouldn't be should be just a cac But again, you have a cac option. You have a ubiki option. You have a usb option harser security module option Or just external option again, we have a nice very hefty URLs here at the bottom about these details Okay, all right. So thanks very much. I'll take some questions. I know i'm a little bit over, but I don't want to Lose that opportunity. Yes, sir. So how would you invalidate a key that was lost? How do you invalidate a key? What's the process right? So you have really a so how do you invalidate a key? You have two options You can either create a new key from your backup and don't invalidate it at all Right with the assumption even if it's stolen nobody can read it because they can only get a couple tries at the pin Right. Well, all right. So if you want to so basically if it's for authentication, then all you're really going to do is to Is to just issue a new key and invalidate the old one because she's like a new password Right. So it's about if it's for ssh logins, just remove the old line. You put a new line in and you're done Right. 
If you're if you're encrypting data, then you're probably going to need to go to your backup Decrypt all the data using your backup Right, and then create a new key and re-encrypt it using the new key and then that's your new key Yeah, that interesting for authentication. There's no like life There's no like life There's no lifetime to the to the authentication. You're authenticated today and tomorrow you get you do it with someone else, right? With data storage, then you have to really you have a lifetime of that key now And you have to expire that key by really removing its use and then making a new one Other questions Yeah Sure Right, so i'm going to take that offline if you want to come up and be glad to answer that Yes, sir. So with indexing, um, I would be happy to cover that as well. Um, if you come on up So i'm a little over so i don't want to i don't want to go into any postgres specific questions right now So thanks, but yeah, come on up and i'll be glad to answer anything else. We're good. Well, thank you very much Appreciate you sticking for the last one. Thank you
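The transparent insert, view, and trigger pattern the speaker walks through, as an added example that is not the speaker's code or his pg_get_key utility. It uses the standard pgcrypto extension (pgp_sym_encrypt/pgp_sym_decrypt). The key retrieval from a YubiKey or HSM is out of scope here, so a session setting named app.data_key stands in for the key the hardware device would supply (an assumption); clearing that setting plays the role of pulling the device out. The trigger is an INSTEAD OF trigger on the view rather than a trigger on the base table, which is a different but equivalent placement from the slide being described. CREATE TRIGGER ... EXECUTE FUNCTION needs Postgres 11 or later.

```sql
-- Added example (not from the talk): transparent column encryption with pgcrypto.
-- app.data_key is a session setting standing in for the key pulled off the
-- hardware device by the speaker's utility (assumption).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Raw table: only ciphertext is ever stored here.
CREATE TABLE secure_notes (
    id   serial PRIMARY KEY,
    body bytea  NOT NULL
);

-- Returns the loaded data key, or NULL when no key is present.
CREATE OR REPLACE FUNCTION app_data_key() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.data_key', true), '')
$$;

-- The view applications read from; it decrypts with whatever key is loaded.
-- pgp_sym_decrypt is STRICT, so with no key every body comes back NULL.
CREATE VIEW notes AS
    SELECT id, pgp_sym_decrypt(body, app_data_key()) AS body
    FROM secure_notes;

-- INSTEAD OF trigger: plaintext written to the view is encrypted before it
-- reaches the table, for insert, update and delete alike.
CREATE OR REPLACE FUNCTION notes_encrypt() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        DELETE FROM secure_notes WHERE id = OLD.id;
        RETURN OLD;
    END IF;
    IF app_data_key() IS NULL THEN
        RAISE EXCEPTION 'no data key loaded; connect the hardware key first';
    END IF;
    IF TG_OP = 'INSERT' THEN
        INSERT INTO secure_notes (body)
        VALUES (pgp_sym_encrypt(NEW.body, app_data_key()))
        RETURNING id INTO NEW.id;
    ELSE
        UPDATE secure_notes
        SET body = pgp_sym_encrypt(NEW.body, app_data_key())
        WHERE id = OLD.id;
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER notes_encrypt_trg
INSTEAD OF INSERT OR UPDATE OR DELETE ON notes
FOR EACH ROW EXECUTE FUNCTION notes_encrypt();

-- Key loaded (constructed sample value, not a real key):
SET app.data_key = 'constructed-sample-key';
INSERT INTO notes (body) VALUES ('test');
SELECT body FROM notes;          -- plaintext: test
SELECT body FROM secure_notes;   -- PGP ciphertext bytes, not readable

-- Device pulled: the key is gone, so the view no longer yields plaintext
-- and writes are refused by the trigger.
RESET app.data_key;
SELECT body FROM notes;          -- body is NULL for every row
INSERT INTO notes (body) VALUES ('more');   -- ERROR: no data key loaded
```

Two practitioner caveats that match the speaker's own remarks: a key passed as a SET value can show up in server logs or pg_stat_activity, which is exactly why his utility fetches it from the device inside the server rather than sending it over SQL text; and because the ciphertext is the only thing in secure_notes, an index on body is useless for lookups, which is the indexing problem he defers to the hallway.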
