PGPuam is a very interesting application for AppleShare networks. I really suggest reading the author's description below. Content taken from his site. For newer versions check here.

PGPuam - Public Key Authentication for AppleShare

Last Revision 1.0 12/16/98

Written by: Vinnie Moscaritolo


THIS IS SAMPLE CODE!
--------------------

    This is the first public release. It is pretty stable for everyday
    use, but I am aware of a few bugs. I have listed them below.

    This sample is a good example of what can be done with the
    AppleShare IP UAM SDK and also provides some useful authentication
    on the Macintosh.



WHAT IS IT?
-----------

    PGPuam is an enhancement to the standard AppleShare IP User Access
    Methods (UAM) that enables a user to perform two-way strongly
    authenticated logins to an AppleShare IP server from a Mac OS client.
    The PGPuam system consists of two major components, a client and a
    server plug-in.



WHY DO I WANT IT?
-----------------

    Tired of remembering and keeping track of AppleShare passwords?
    Did you know that the same digital signature technology that is used to
    guarantee the identity of e-mail can also be used to strongly authenticate
    users of network services? This provides three significant advantages over
    password-based user authentication systems:

    - Since the same key and passphrase used to sign e-mail messages is
      also used for server access, you only need to remember one passphrase.

    - Strong user authentication is provided by cryptographic digital
      signatures.

    - Since the user maintains the only secret material in the system,
      compromising a server's user database results in limited damage.



HOW DOES IT WORK?
-----------------

    Authentication with Cryptographic Signatures

    E-mail communication on the Internet faces a security challenge similar to
    network user authentication. Since e-mail packets are broadcast through
    public networks, these messages can also be eavesdropped on and
    counterfeited by unauthorized individuals. However, e-mail vendors have
    been able to address this problem by leveraging public key cryptography to
    digitally sign and authenticate e-mail messages.

    In a public key cryptosystem, each user or principal generates a pair of
    mathematically related cryptographic keys. These keys are created in such
    a way that it is computationally infeasible to derive one key from the
    other. One of the keys is made publicly available to anyone who wishes to
    communicate with that user. The other key is kept private and never
    revealed to anyone else. This private key is secured by either placing it
    in a hardware token or further encrypting it to a passphrase, or both. The
    private key is then used by the principal to digitally sign data. This
    digital signature can later be checked with the matching public key to
    ensure that the data has not been tampered with and that it originated
    from the holder of the private key.

    Since the holder of the private key is the only entity who can create a
    digital signature that verifies with the corresponding public key, there
    is a strong correlation between a user's identity and the ability to sign
    with that private key. Thus the public key can function as a principal's
    identity in cyberspace.

    Because they provide such strong testimony to the authenticity of the
    sender, public-key cryptographic systems are becoming very popular among
    today's Internet e-mail users.

    The same digital signature technology that guarantees the identity of the
    e-mail sender can be used to strongly authenticate users of network
    services, too. By having the user sign a random challenge message from the
    server at login, the server can verify the identity of the user with his
    public key. The server randomly creates the challenge message to prevent
    replay attacks. This process is illustrated in the following scenario:

    

    1. The user initiates network service access.

    2. The server looks up the user's public key in its authentication
    database. The server then generates a random challenge string and sends
    the challenge to the client.

    3. The client digitally signs the challenge string and returns the
    cryptographic signature to the server. The client also sends a counter
    challenge string which is used to verify the server's authenticity.

    4. The server then checks the client's signature and, if successful,
    grants access. It also signs and returns the client's counter-challenge.
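
    The four-step exchange above, as an added example that is not part of
    PGPuam or the original page: Ed25519 from Go's standard library stands in
    for PGP signatures made through the PGPsdk, and the Server type, its
    Challenge and Finish methods, the Demo function and the user "alice" are
    hypothetical names. The server remembers each challenge it issues and
    accepts it once, so a captured signature is useless on a later login.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Server struct {
	users   map[string]ed25519.PublicKey // public keys only; Ed25519 stands in for PGP keys
	key     ed25519.PrivateKey           // the server's own signing key
	pending map[string][]byte            // outstanding challenge per user, single use
}

func nonce() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Challenge is step 2: issue and remember a fresh random challenge (key lookup happens in Finish).
func (s *Server) Challenge(user string) []byte {
	s.pending[user] = nonce()
	return s.pending[user]
}

// Finish is step 4: verify the signature over the stored challenge, then sign the counter-challenge.
func (s *Server) Finish(user string, sig, counter []byte) []byte {
	c, pub := s.pending[user], s.users[user]
	delete(s.pending, user) // a challenge is consumed whether or not verification succeeds
	if c == nil || pub == nil || !ed25519.Verify(pub, c, sig) {
		return nil
	}
	return ed25519.Sign(s.key, counter)
}

// Demo runs one login with constructed sample keys, then replays the old signature on a new login.
func Demo() (login, mutual, replayed bool) {
	uPub, uKey, _ := ed25519.GenerateKey(rand.Reader)
	sPub, sKey, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{map[string]ed25519.PublicKey{"alice": uPub}, sKey, map[string][]byte{}}
	sig, counter := ed25519.Sign(uKey, srv.Challenge("alice")), nonce() // step 3 (client side)
	proof := srv.Finish("alice", sig, counter)
	srv.Challenge("alice") // a second login attempt receives a different challenge
	return proof != nil, ed25519.Verify(sPub, counter, proof), srv.Finish("alice", sig, nonce()) != nil
}

func main() { fmt.Println(Demo()) }
```

    Demo returns true, true, false: the login succeeds, the client verifies
    the server's signature on its counter-challenge, and the replayed
    signature is rejected. Where the e-mail signing key is reused for login,
    signing the challenge together with a fixed context label keeps a login
    signature from being valid over any other message.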

    

    This process provides several significant advantages over password-based
    user authentication systems:

    - Since the same key and passphrase used to sign e-mail messages is also
    used for server access, the user need only remember one passphrase. This
    is done without the risks associated with passphrase caches.

    - Strong user authentication is provided by cryptographic digital
    signatures.

    - Since the user maintains the only secret material in the system,
    compromising a server's user database results in limited damage.

    While similar systems have been proposed by a number of researchers, they
    lacked the availability of a widely accepted key infrastructure. Since PGP
    already has a large key infrastructure, I have chosen to exploit this by
    building a challenge-response system using the PGP software developers kit
    (PGPsdk), which is available from the PGP website.

    

    

WHAT DOES IT RUN ON?
--------------------

    I have tested the client on Mac OS 8.5 PPC only. I have no reason to believe
    that it would not run on 8.1 PPC. It requires AppleShare Client 3.8.1 (or
    newer; it comes with 8.5). The server works with AppleShare 6.1. Most
    important, you must have a copy of PGP 6.0 or better on the client, manager
    and server machines.



EXPORT ISSUES
-------------

    PGPuam does not contain any crypto code. It is purely for
    authentication use only. (In fact, all signatures and random
    number generation are done via the PGPsdk.) Therefore this code
    does not fall under the jurisdiction of ITAR. Feel free to enjoy
    it.

  

ABOUT THE CODE
--------------

    PGPuam is a Metrowerks CodeWarrior PRO 4 project. The code
    is considered sample code for now. It uses a bunch of
    technologies such as: CFM, Appearance Manager, Collections
    Manager, PGPsdk etc. So there is a lot to learn by examining
    the code itself.



HOW DO I BUILD IT?
------------------

    1) Before starting, you must get a copy of the PGPsdk. You
    can download it from http://www.pgp.com/sdk/. Place the
    Library and the Headers in the PGPsdkMac folder.

    2) Build the "PGPuam Client" Project.

    - Move the result, a file called "PGPuam", into either the
    Extensions folder or, optionally, create a folder titled
    "AppleShare Folder", place it in either the Extensions folder
    or System Folder, and place the PGPuam file in that folder.

    3) Build the "PGPuam Server" Project.

   

HOW DO I SET IT UP?
-------------------

    Server:

    0) Install PGP 6.0 (or better) on the server (or at least drop the
       appropriate PGP libraries into the Extension folder).

    1) Drop the "PGPuam Server" file in the "AppleShare IP UAM" folder found in
       the server's extension folder.

    2) Unfortunately you must also modify the SIZE resource of the
       "AppleShare IP Registry" file in the server's extension folder to
       allocate a bit more memory than the stock configuration. I suggest
       adding at least 1K more space. Yes, this is a bug in the ASIP design
       and yes, they are working on a fix for the future, but for now you
       can correct this using your favorite resource editor. I have taken
       the liberty of enclosing a copy of a modified one with this
       distribution.

    3) Reboot the server.

    

     

    Manager:

    0) Install PGP 6.0 (or better) and make sure it runs; you'll need to at
       least set up the default keychains.

    1) Launch the PGPuam Manager program.

    2) Select a server in the "Connect.." dialog (this must be done on a
       machine remote to the server for now, which must also have AppleTalk
       connectivity) and enter the Admin name/password.

    3) Select "Server Settings" from the Server menu and press "Generate" to
       create a server key (it might ask you to move the mouse around), then
       save the key.

    4) Drag out a copy of the new public key to the desktop and save this; you
       will need this for users later.

    5) Close the window.

    6) Go to the User List window and open a test user up, drag in a copy of
       that user's public key (from PGPkeys or whatever) and save. Do this
       for each user you want to test with.

    

    Clients:

    0) Install PGP 6.0 (or better) and make sure it runs; you'll need to at
       least set up the default keychains. Each client will need their own
       keys; it can (should) be an existing key.

    1) If you are not already running "AppleShare" client 3.8.1 (comes with
       Mac OS 8.5) then update now. You should be able to find a copy at
       the AppleShare IP website.

    2) Create a folder in the Extensions folder titled "AppleShare Folder",
       drop the "PGPuam" file into that folder and reboot.

    3) Get a copy of the server PUBLIC key from the sysadmin and drop it into
       PGPkeys.

    4) Open the server in the Chooser and select the "PGP Challenge/Response"
       logon method.

    (The PGPuam dialog should pop up; feel free to hunt around.)

    5) Log in with the appropriate user name. You will be asked by PGP to enter
       the appropriate passphrase for the key that the sysadmin installed under
       your username.

    6) You're in.







KNOWN BUGS and THINGS TO DO
---------------------------

PGPuam Client
-------------

    - Balloon Help does not work. Balloon Help is particularly important when
    the interface uses unlabeled buttons.

--------------------------------------------

    - The picture in the About panel still does not display. (Actually, it
    displays briefly, then disappears. Is there a button being drawn over the
    picture?)

--------------------------------------------

    - The Apple Help button isn't hooked up yet.



  

=========================================================================

PGPuam Server
-------------

    - CRASH on shutdown, probably due to OT being shut down before ASIP plugins.
    This is an ASIP bug, and we are in the process of tracking it down.

  



=========================================================================

PGPuam Admin Problems
---------------------

    - The PGPuam Admin must currently be run on a machine other than the server.
    Connecting locally causes a crash and hence I have disabled this feature.
    Stay tuned for a fix in the near future.

--------------------------------------------

    - The "Select Server" window is not centered. This is currently deferred
    due to lazy programmer. Actually I am trying to replace the StandardNBP call
    with something better. When a NSL or such thing becomes available, I will
    update it.

--------------------------------------------

    - The Password field of the Connect to AppleShare window probably should
    not indicate the password length with bullets. ;-) This isn't a bug;
    what it indicates is that the admin password is used in a remote
    authentication scheme and is sent over the network, albeit using two-way
    randnum. It's not as secure as the PGPuam method.

--------------------------------------------

    - The Name and Kind labels in the User List window appear with a gray
    background when the rest of the window has a white background. (I run Mac
    OS 8.1 with the Black & White appearance variation.) This may be a bug in
    Appearance 1.0.1 or PowerPlant. (Send me your latest sources and I will
    investigate further.) Btw, the "AppleShare IP Web & File Server"
    application has the same problem in the Server Info panel.

    I believe this is a bug in the Appearance Manager.

--------------------------------------------

    - Selection of list items in the User List window darkens the item's icons,
    but it does not color the text of the item, when used in Black and White mode.

--------------------------------------------

    - Opening a second User window displays the window to the right of the
    first as if the windows were being tiled. Opening a third displays the
    window on top of the second. This probably is a PowerPlant bug.

--------------------------------------------

    - If the local AppleShare Admin deletes a user when the PGPuam Admin has
    the user open in a window, it will not be properly reflected. However,
    the user will disappear from the User List window. I have to think about
    what the proper way to alert the admin user about the changes is.

=========================================================================



STAY TUNED.

    I plan to actively update this code in the near future. So
    check the website every now and then for the latest update.
    Feel free to email any questions and/or suggestions.



Vinnie Moscaritolo
World Wide DTS, Apple Computer.
------------------
http://www.vmeng.com/vinnie/
DSS/DH: 3F903472C3AF622D5D918D9BD8B100090B3EF042


Comments (vinnie@vmeng.com)




All material (c) 2014 SecureMac.com and respected owners