#, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2018-12-08 14:45-0200\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Put one translator per line, in the form NAME , YEAR1, YEAR2 msgctxt "_" msgid "translator-credits" msgstr "" #. (itstool) path: info/title #: article.translate.xml:9 msgid "Independent Verification of IPsec Functionality in FreeBSD" msgstr "" #. (itstool) path: affiliation/address #: article.translate.xml:13 #, no-wrap msgid "honig@sprynet.com" msgstr "" #. (itstool) path: info/author #: article.translate.xml:12 msgid "" "DavidHonig <_:address-1/> " msgstr "" #. (itstool) path: info/pubdate #: article.translate.xml:16 msgid "1999-05-03" msgstr "" #. (itstool) path: legalnotice/para #: article.translate.xml:19 msgid "FreeBSD is a registered trademark of the FreeBSD Foundation." msgstr "" #. (itstool) path: legalnotice/para #: article.translate.xml:21 msgid "" "Motif, OSF/1, and UNIX are registered trademarks and IT DialTone and The " "Open Group are trademarks of The Open Group in the United States and other " "countries." msgstr "" #. (itstool) path: legalnotice/para #: article.translate.xml:25 msgid "" "Many of the designations used by manufacturers and sellers to distinguish " "their products are claimed as trademarks. Where those designations appear in " "this document, and the FreeBSD Project was aware of the trademark claim, the " "designations have been followed by the ™ or the ® symbol." msgstr "" #. (itstool) path: info/releaseinfo #: article.translate.xml:33 msgid "" "$FreeBSD: head/en_US.ISO8859-1/articles/ipsec-must/article.xml 52227 2018-09-" "06 01:30:47Z ebrandi $" msgstr "" #. (itstool) path: abstract/para #: article.translate.xml:36 msgid "" "You installed IPsec and it seems to be working. How do you know? I describe " "a method for experimentally verifying that IPsec is working." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:43 msgid "The Problem" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:45 msgid "" "First, lets assume you have installed " "IPsec. How do you know it is working? Sure, your connection will not work if it is " "misconfigured, and it will work when you finally get it right. " "netstat1 will list it. But can you independently confirm " "it?" msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:54 msgid "The Solution" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:56 msgid "First, some crypto-relevant info theory:" msgstr "" #. (itstool) path: listitem/para #: article.translate.xml:60 msgid "" "Encrypted data is uniformly distributed, i.e., has maximal entropy per " "symbol;" msgstr "" #. (itstool) path: listitem/para #: article.translate.xml:65 msgid "" "Raw, uncompressed data is typically redundant, i.e., has sub-maximal entropy." "" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:70 msgid "" "Suppose you could measure the entropy of the data to- and from- your network " "interface. Then you could see the difference between unencrypted data and " "encrypted data. This would be true even if some of the data in " "encrypted mode was not encrypted---as the outermost IP header " "must be if the packet is to be routable." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:78 msgid "MUST" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:80 msgid "" "Ueli Maurer's Universal Statistical Test for Random Bit Generators( MUST) quickly measures the entropy of a sample. It uses a " "compression-like algorithm. The code is given below for a variant which measures successive (~quarter megabyte) chunks of " "a file." msgstr "" #. (itstool) path: sect2/title #: article.translate.xml:89 msgid "Tcpdump" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:91 msgid "" "We also need a way to capture the raw network data. A program called " "tcpdump1 lets you do this, if you have enabled the " "Berkeley Packet Filter interface in your kernel's config file." msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:97 msgid "The command:" msgstr "" #. (itstool) path: sect2/screen #: article.translate.xml:99 #, no-wrap msgid "" "tcpdump -c 4000 -s 10000 -w dumpfile.bin" msgstr "" #. (itstool) path: sect2/para #: article.translate.xml:101 msgid "" "will capture 4000 raw packets to dumpfile.bin. Up " "to 10,000 bytes per packet will be captured in this example." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:108 msgid "The Experiment" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:110 msgid "Here is the experiment:" msgstr "" #. (itstool) path: step/para #: article.translate.xml:114 msgid "Open a window to an IPsec host and another window to an insecure host." msgstr "" #. (itstool) path: step/para #: article.translate.xml:119 msgid "Now start capturing packets." msgstr "" #. (itstool) path: step/para #: article.translate.xml:124 msgid "" "In the secure window, run the UNIX command yes1, which will stream the " "y character. After a while, stop this. Switch to the " "insecure window, and repeat. After a while, stop." msgstr "" #. (itstool) path: step/para #: article.translate.xml:131 msgid "" "Now run MUST on the captured packets. You " "should see something like the following. The important thing to note is that " "the secure connection has 93% (6.7) of the expected value (7.18), and the " "normal connection has 29% (2.1) of the expected value." msgstr "" #. (itstool) path: step/screen #: article.translate.xml:138 #, no-wrap msgid "" "% tcpdump -c 4000 -s 10000 -w " "ipsecdemo.bin\n" "% uliscan ipsecdemo.bin\n" "\n" "Uliscan 21 Dec 98\n" "L=8 256 258560\n" "Measuring file ipsecdemo.bin\n" "Init done\n" "Expected value for L=8 is 7.1836656\n" "6.9396 --------------------------------------------------------\n" "6.6177 -----------------------------------------------------\n" "6.4100 ---------------------------------------------------\n" "2.1101 -----------------\n" "2.0838 -----------------\n" "2.0983 -----------------" msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:157 msgid "Caveat" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:159 msgid "" "This experiment shows that IPsec does seem to be " "distributing the payload data uniformly, as encryption " "should. However, the experiment described here cannot " "detect many possible flaws in a system (none of which do I have any evidence " "for). These include poor key generation or exchange, data or keys being " "visible to others, use of weak algorithms, kernel subversion, etc. Study the " "source; know the code." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:171 msgid "IPsec---Definition" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:173 msgid "" "Internet Protocol security extensions to IPv4; required for IPv6. A protocol " "for negotiating encryption and authentication at the IP (host-to-host) level." " SSL secures only one application socket; SSH " "secures only a login; PGP secures only a " "specified file or message. IPsec encrypts everything between two hosts." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:182 msgid "Installing IPsec" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:184 msgid "" "Most of the modern versions of FreeBSD have IPsec support in their base " "source. So you will need to include the option in " "your kernel config and, after kernel rebuild and reinstall, configure IPsec " "connections using setkey8 command." msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:190 msgid "" "A comprehensive guide on running IPsec on FreeBSD is provided in FreeBSD Handbook." msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:196 msgid "src/sys/i386/conf/KERNELNAME" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:198 msgid "" "This needs to be present in the kernel config file in order to capture " "network data with tcpdump1. Be sure to run " "config8 after adding this, and rebuild and reinstall." msgstr "" #. (itstool) path: sect1/programlisting #: article.translate.xml:203 #, no-wrap msgid "device bpf" msgstr "" #. (itstool) path: sect1/title #: article.translate.xml:207 msgid "Maurer's Universal Statistical Test (for block size=8 bits)" msgstr "" #. (itstool) path: sect1/para #: article.translate.xml:210 msgid "" "You can find the same code at this link." msgstr "" #. (itstool) path: sect1/programlisting #: article.translate.xml:213 #, no-wrap msgid "" "/*\n" " ULISCAN.c ---blocksize of 8\n" "\n" " 1 Oct 98\n" " 1 Dec 98\n" " 21 Dec 98 uliscan.c derived from ueli8.c\n" "\n" " This version has // comments removed for Sun cc\n" "\n" " This implements Ueli M Maurer's \"Universal Statistical Test for Random\n" " Bit Generators\" using L=8\n" "\n" " Accepts a filename on the command line; writes its results, with other\n" " info, to stdout.\n" "\n" " Handles input file exhaustion gracefully.\n" "\n" " Ref: J. Cryptology v 5 no 2, 1992 pp 89-105\n" " also on the web somewhere, which is where I found it.\n" "\n" " -David Honig\n" " honig@sprynet.com\n" "\n" " Usage:\n" " ULISCAN filename\n" " outputs to stdout\n" "*/\n" "\n" "#define L 8\n" "#define V (1<<L)\n" "#define Q (10*V)\n" "#define K (100 *Q)\n" "#define MAXSAMP (Q + K)\n" "\n" "#include <stdio.h>\n" "#include <math.h>\n" "\n" "int main(argc, argv)\n" "int argc;\n" "char **argv;\n" "{\n" " FILE *fptr;\n" " int i,j;\n" " int b, c;\n" " int table[V];\n" " double sum = 0.0;\n" " int iproduct = 1;\n" " int run;\n" "\n" " extern double log(/* double x */);\n" "\n" " printf(\"Uliscan 21 Dec 98 \\nL=%d %d %d \\n\", L, V, MAXSAMP);\n" "\n" " if (argc < 2) {\n" " printf(\"Usage: Uliscan filename\\n\");\n" " exit(-1);\n" " } else {\n" " printf(\"Measuring file %s\\n\", argv[1]);\n" " }\n" "\n" " fptr = fopen(argv[1],\"rb\");\n" "\n" " if (fptr == NULL) {\n" " printf(\"Can't find %s\\n\", argv[1]);\n" " exit(-1);\n" " }\n" "\n" " for (i = 0; i < V; i++) {\n" " table[i] = 0;\n" " }\n" "\n" " for (i = 0; i < Q; i++) {\n" " b = fgetc(fptr);\n" " table[b] = i;\n" " }\n" "\n" " printf(\"Init done\\n\");\n" "\n" " printf(\"Expected value for L=8 is 7.1836656\\n\");\n" "\n" " run = 1;\n" "\n" " while (run) {\n" " sum = 0.0;\n" " iproduct = 1;\n" "\n" " if (run)\n" " for (i = Q; run && i < Q + K; i++) {\n" " j = i;\n" " b = fgetc(fptr);\n" "\n" " if (b < 0)\n" " run = 0;\n" "\n" " if (run) {\n" " if (table[b] > j)\n" " j += K;\n" "\n" " sum += log((double)(j-table[b]));\n" "\n" " table[b] = i;\n" " }\n" " }\n" "\n" " if (!run)\n" " printf(\"Premature end of file; read %d blocks.\\n\", i - Q);\n" "\n" " sum = (sum/((double)(i - Q))) / log(2.0);\n" " printf(\"%4.4f \", sum);\n" "\n" " for (i = 0; i < (int)(sum*8.0 + 0.50); i++)\n" " printf(\"-\");\n" "\n" " printf(\"\\n\");\n" "\n" " /* refill initial table */\n" " if (0) {\n" " for (i = 0; i < Q; i++) {\n" " b = fgetc(fptr);\n" " if (b < 0) {\n" " run = 0;\n" " } else {\n" " table[b] = i;\n" " }\n" " }\n" " }\n" " }\n" "}" msgstr ""