Posts Tagged ‘crypto’

The Collectd encrypted packet format

Friday, March 21st, 2014

Yesterday, Logstash 1.4.0 was released containing many improvements, one of which was contributed by us. We’ve implemented signature verification and packet decryption in the collectd input plugin. This blog post will give an overview of how encryption and signing are used in the collectd binary protocol.

We’re currently working on deploying a Logstash infrastructure that will eventually extend our monitoring and trending capabilities. At the same time, we want to move from our pull-based trending (Munin) to push-based (Collectd). Logstash recently added a Collectd input plugin, but it didn’t support decryption and signature verification of collectd packets. As we send some of this data over the public internet, we need to encrypt this traffic, so we decided to implement this.

During implementation, we discovered that the documentation was scarce and the comments in the collectd source code appeared incomplete. This post gives a description of the collectd signed and encrypted packet formats. It assumes that you’re familiar with the collectd binary protocol.


Fixing hanging Crypto Stick (and other USB peripherals) problems

Wednesday, December 28th, 2011

As you may or may not know, we use the Crypto Stick as our SSH authentication mechanism. Lately, some of us are experiencing ‘hanging’ every now and again. Yesterday, I found a blog post on Ludovic Rousseau’s blog, detailing that this problem stems from a race condition in libusb. This problem is fixed in an experimental branch of libusb. As a full upgrade of libusb (from an experimental branch no less) is out of the question, I backported the patch to Ubuntu 11.04 (natty) and 11.11 (oneiric). These packages indeed solve the problem of the ‘hanging’ Crypto Stick (and probably every other ‘hanging’ USB device). Binary and source packages are available here in our repository. Or, you can add our repo to your sources.list:

  • Natty: deb natty-kumina main
  • Oneiric: deb oneiric-kumina main

Installing the Cryptostick in Ubuntu 11.04

Tuesday, July 5th, 2011

As you probably know by now, we have our SSH and PGP keys on a CryptoStick. But getting it to work used to be somewhat harder than it is now. So without further ado, the (almost) foolproof way to get SSH and PGP working with the CryptoStick in Ubuntu:

  1. sudo apt-get install gpgsm libccid gnupg-agent
  2. Go to System > Preferences > Startup Applications and disable “SSH Key Agent”, “Secret Storage Service” and “Certificate and Key Storage” (You could possibly only disable the SSH Key Agent, but this is untested)
  3. Run gpg --card-edit and, at the gpg/card> prompt, fetch to import your card public keys. Alternatively, set up your CryptoStick at this stage
  4. echo "enable-ssh-support" >> .gnupg/gpg-agent.conf
  5. Log out and back in
  6. DONE!

You should now see a pinentry program when SSH’ing or signing a message.

HowTo: Reset a cryptostick

Monday, February 21st, 2011

We use this cryptostick a lot and always thought that there was no way to reset it once you entered the admin PIN incorrectly three times. Well, there is a way to reset it! We found it here and are describing it below for future reference.