Let’s Encrypt – bringing crypto to the masses

https://letsencrypt.org

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

There was a talk at 31c3, which you can find here

Cisco ACL resequencing

Managing Access Lists on Cisco IOS devices can be a real headache. Copying ACLs and Editing them in a Text Editor was a widely spread method until extended ACLs implemented Named Access Lists (nacls) with featured sequence numbers.

Extended IP access list my_acl_in
2 permit icmp ..... (1234 matches)
3 permit ip any host x.x.x.x
10 permit ip ....
11 permit ip ....
12 permit ip ....
13 permit ip ....
14 permit tcp any host ...... eq 443
15 permit tcp any host ...... eq www

Btw. the IPv6 Access list sequence numbers are placed at the end

permit tcp host 2001:DB8:1::32 host 2001:DB8:2::32 eq ssh sequence 1

Sequence Numbers allow for quick changes to an ACL without the copy&paste foo. A growing and ever changing ACL however can post a challange to your sequencing once the gaps are filled. In order to realign your Access Control Entries you can use the resequence command to put your ACEs in order again.

r1(config)#ip access-list resequence ?
<1-99> Standard IP access-list number
<100-199> Extended IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
<2000-2699> Extended IP access list number (expanded range)
WORD Access-list name

r1(config)#ip access-list resequence my_acl_in ?
<1-2147483647> Starting Sequence Number

r1(config)#ip access-list resequence my_acl_in 5 ?
<1-2147483647> Step to increment the sequence number

r1(config)#ip access-list resequence my_acl_in 5 5

will resequence your ACEs to look something like this:

Extended IP access list my_acl_in
5 permit icmp ..... (1234 matches)
10 permit ip any host x.x.x.x
15 permit ip ....
20 permit ip ....
25 permit ip ....
30 permit ip ....
35 permit tcp any host ...... eq 443
40 permit tcp any host ...... eq www

This feature will definitely help to keep your sanity.

I find it quite a bit strange that this fuction is not mentioned on neither the 640-802 CCNA nor the 640-554 CCNA Security Cert Guides.

For more infos, check out the Cisco ACL sequence numbering guide

Visualizing the Diffie-Hellman key exchange

If you just want to watch so the video, here you go. But this article also contains some more information below.

In 2010 I blogged about Khan Academy featuring free video lectures. Seems like the site is growing quite well with topics covering a large spectrum of science.

One of the most interesting video series I found there was Journey into Cryptography

It offers a great oversight of encryption methods, historical relevance and most importantly, emerging patterns that offer an attack vector due to lack of entropy which leads to a low key-strength. This video is a great way to get into the principles of cryptography.

The series can also be watch directly on youtube via this playlist: