SAM - SSL Amplitude Modulation

".ipref().""; //include("/var/www/web3/share/util/lib/gallery.inc.php"); include("/var/www/common/share/util/lib/gallery.inc.php"); //$hdir = "http://pedemont.net.au/~web4_daniel.g/g/.SAM/"; $hdir = "http://pedemont.net.au/~dan/g/.SAM/"; //$GLOBALS["GDIR"] = "/var/www/web4/user/web4_daniel.g/web/g/.SAM/"; $GLOBALS["GDIR"] = "/var/www/pedemont.net.au/user/dan/web/g/.SAM/"; if (isset($dir)) { $GLOBALS["GDIR"] = "$GLOBALS[GDIR]/$dir"; //setup full http path to gallery $hdir = "$hdir/$dir"; } $gallery_pics = side_gallery($hdir, "400", 1, true); $f = ""; $out = <<< EOF SAM - SSL Amplitude Modulation

S.A.M. esS A.M.: encryption toolkit

$gallery_pics
[ screenshot | downloads ]
mini HOW-TO:
Introduction
SAM is a PHP CLI (command line) set of executables that use a utility library primarily based on OpenSSL. SAM can encrypt and decrypt its own data streams (eg. files) aswell as manage standard PEM certificates. apart from the two main executables/interfaces, there are also two separate yet branded examples that demonstrate the use of the SAM library ie.

point to point encrypted relay http/cgi proxy (www script)
point to point relay smtp encryption injector (Sonic stream module)

in a nutshell, if you want a PKI/x509/PEM encryption toolkit based in PHP, then giggle my nizzle.

SAM can be useful for a few things, eg. encrypting/decrypting data, on the filesystem or in transit via man in the middle. if you're a PHP developer, it makes managing {key size <=> data chunk size} alot easier ie. encrypt/decrypt data of any size with SSL.

Requirements
a PHP CLI enviroment installed, setup and a reason. There is a *nix shell and winblowz batch confgiuration script to help loading the main SAM executables (which may need some tweaking on custom SAM/PHP installs).

SSL disclaimer, SAM uses PHP wrapper hooks for OpenSSL, please remember SSL/cryptography is illegal in some countries and that you are liable for anything you do that might violate your local laws.

Install SAM
Unpack then check the environment configuration script in the bin directory, the SAM ini configuration file in the conf directory, then checkout and run; sam,sam-cert. www scripts sam-security,sam-spy and Sonic stream(s) sam-smtp will need further or a different type of installation.

Development
SAM was written circa 2004, dusted off and taken off the shelf in 2008. the www scripts (aka Security and Spy) are'nt finished, but are still available for examples sake. If anyone wants to finish/write different www scripts or Sonic stream modules then please let me know. There is a download to unpack inside the main SAM directory, for anyone using winblowz and cygwin without PHP installed.

sam aka Rouge Council

Introduction
R.C. aka sam console is the main encrypt/decrypt/ion interface to the SAM library.

Example Usage
-q -e
Encrypt single data stream from standard input to standard output quietly


\$ cat file | bin/sam.sh -eq > encrypted_file.SAM

-e -f file_name
Encrypt single data stream from standard input to file


\$ cat file | bin/sam.sh -ef encrypted_file.SAM

-e file_name | directory_name .. file_name | directory_name
Encrypt single or multiple data stream(s) from file system to standard output


\$ bin/sam.sh -e file1 directory2/ etc3/

-e -f file_name file_name | directory_name .. file_name | directory_name
Encrypt single or multiple data stream(s) from file system to file


\$ bin/sam.sh -ef encrypted_file.SAM file1 directory2/ etc3/

-d
Decrypt single data stream from standard input to standard output


\$ cat encrypted_file.SAM | bin/sam.sh -d

-d -f file_name
Decrypt single data stream from file to file system


\$ bin/sam.sh -df encrypted_file.SAM

Development

xKID hash tag injector (fingerprint marker)
sam.inc needs more xKID utility / library lookup functions
--force flag, ignore file overwrite prompts eg. for piping

man sam:

SAM(1)

NAME
	sam.sh, sam.php - ssl encrypt/decrypt/ion SAM interface

SYNOPSIS
	sam [OPTIONS] [FILE|DIRECTORY..FILE|DIRECTORY]

DESCRIPTION
	sam is a PKI/x509 command line SAM encryption and decryption tool. SAM uses PHP/OpenSSL 
	with PEM formatted certificates. sam certificates can preconfigured or supplied at 
	runtime. sam uses a simple HTTP type ontop of the SSL encryption for packaging SAM data 
	files eg. to set Boundary on FEOF and to preserve original filenames.

OPTIONS
    -s, --sign
                create signature of stream
    -e
                Encrypt data stream
    -d
                Decrypt data stream
    -f, --file
                target file to read/write encrypted stream or
                read data stream
    -q, --quiet
                surpess headers
    -v, --verbose
                verbosely list files processed
    -V
                SAM _library_ Version
    -h, --help
                this help message

SAM OPTIONS
    -p, --pem
                PKI/x509/PEM file for KEY or CRT
    -D, --delim
                custom delimiter for encrypted stream
    --public
                use CRT certificate
		nb, currently only reads either 1st/2nd certificate in PEM file used
    --private
                use KEY certificate
		nb, currently only reads the 1st certificate in PEM file used
    --private-pp
                password for encrypted KEY

-i, --ini
                SAM configuration/settings file
                (default: env SAM_CONF/sam.ini)

PKI/x509/PEM
	SAM uses PEM formatted certificates ie. key(s) inside a file that are Base64 encoded with 
	a standard boundary to delimit them.

DIAGNOSTICS
	sam should have predefined configuration settings for certificate use and archive 
	packaging, which can be overridden individually (--pem, --public, --private, --private-pp 
	and --delim) or entirely (--ini) with runtime flag options.

BUGS
	Email bug reports to dan _at_ pedemont.net. Be sure to include the word 'SAM' somewhere 
	in the 'Subject:' field.

SAM Project				2004-2008/03/17

TOP

sam-cert aka Key Maker

Introduction
the Key Maker aka sam-cert is the main certificate interface to the SAM library.

Example Usage
-k -f PEM_file
Make key t1.pem (KEY)


\$ bin/sam-cert.sh -f t1.pem

-c -f PEM_file
Make key, csr and cert t2.pem (KEY + CRT), t2.csr


\$ bin/sam-cert.sh -cf t2.pem

--csr-key=PEM_file -f PEM_file
Make csr from key t3.csr


\$ bin/sam-cert.sh --csr-key=t1.pem -f t3

--pem-key=PEM_file -f PEM_file
Make csr and cert from key t4.csr, t4.pem (CRT)


\$ bin/sam-cert.sh --pem-key=t1.pem -f t4.pem

--pem-csr=PEM_file -f PEM_file
Make cert from csr and random key t5.pem (CRT)


\$ bin/sam-cert.sh --pem-csr=t3.csr -f t5.pem

--pem-csr-key=PEM_file,PEM_file -f PEM_file
Make cert from csr and key t6.pem, t7.pem (CRT)


\$ bin/sam-cert.sh --pem-csr-key=t3.csr,t1.pem -f t6

\$ bin/sam-cert.sh --pem-csr-key=t2.csr,t2.pem -f t7

Development

better handling of restrictions on DN information input
more methods for xKID hashing, eg. sha1, whatever
set better chmod perms for key, csr, nfi

man sam-cert:

SAM-CERT(1)

NAME
	sam-cert.sh, sam-cert.php - PKI/x509/PEM certificate key maker

SYNOPSIS
	sam-cert [OPTIONS]

DESCRIPTION
	sam-cert is a PKI/x509 command line PEM certificate generation and information tool. SAM 
	uses PHP/OpenSSL with PEM formatted certificates. sam-cert certificate generation rules 
	can preconfigured or supplied at runtime.

OPTIONS
    --cert-info
		certificate information
    --fingerprint
		n'th certificate xKID/hash (1)st
    --digest-alg
		digest method for fingerprint (md5)
    -c
		new KEY, CSR and CRT from new KEY and CSR
    --pem-csr-key
		new CRT from given KEY and CSR
    --pem-csr
		new CRT from random KEY and given CSR
    --pem-key
		new CSR and CRT from given KEY
    --csr-key
		new CSR from given KEY
    -k
		new KEY (default)
    -f, --file
		PKI/x509/PEM file
    --pass-phrase
		KEY password (blank/disabled)
    -q, --quiet
		surpess headers
    -v, --verbose
		verbose output
    -V
		SAM Version
    -h, --help
                this help message

SAM-CERT OPTIONS
    --key-bits
		number of bits used to generate new KEY (1024)
    --encrypt-key
		KEY 3DES password encryption confirmation (no)
		nb, no password = no encryption
    --key-default
		SAM default keybits and encryption confirmation

--dn-default
		openssl default Distinguished Name

--cert-expiry
		expiry time of new CRT in days (365)

--openssl-cnf
		openssl configuration file
		(default: env SAM_CONF/openssl.cnf)

-i, --ini       
		SAM configuration/settings file
		(default: env SAM_CONF/sam.ini)

PKI/x509/PEM
	OpenSSL supports several certificate formats. certificates are based on the DSA signature 
	algorithm and the RSA algorithm for public-key cryptography according to PKCS algorithms. 
	the certificate format depends on the application, as there is no agreement on file format
	standards. certificates are usually available in PEM, DER, PKCS12 format.

PKCS12 -> PEM, cert.pkcs12 to cert.pem
	    openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.crt.pem
	    openssl pkcs12 -nocerts -in cert.p12 -out cert.key.pem

PEM -> PKCS12, cert.pem to cert.pkcs12
	    openssl pkcs12 -export -out cert.p12 -inkey ./cert.key.pem -in ./cert.crt.pem

Private KEYs may be encrypted with DES (Data Encryption Standard). The KEY can optionally
	be encrypted using a symmetric cipher algorithm, eg. 3DES. An encrypted KEY would have 
	headers inside the boundary describing the type of encryption used, and the initialization
	vector;

-----BEGIN RSA PRIVATE KEY-----
	    Proc-Type: 4,ENCRYPTED
	    DEK-Info: DES-EDE3-CBC,62BC433BAAE88251

j5gpiAbiph4u7OWFO6ZchatjQxchYAOYiv1usxlSDwoVYgCDjxj6zdEFczai1Z==
	    -----END RSA PRIVATE KEY-----

SAM uses PEM formatted certificates ie. key(s) inside a file that are Base64 encoded with 
	a standard boundary to delimit them.

DIAGNOSTICS
	sam-cert should have predefined configuration settings for private key and public key 
	certificate creation, which can be overridden individually (--key-bits, --encrypt-key, 
	--cert-expiry, --openssl-cnf) or entirely (--key-default, --dn-default, --ini) with 
	runtime flag options.

BUGS
	Email bug reports to dan _at_ pedemont.net.  Be sure to include the word 'SAM' somewhere 
	in the 'Subject:' field.

SAM Project				2004-2008/03/17

TOP

sam-security aka Security

Introduction
Security aka sam-security is a WWW cgi proxy that passes on and fetches requests from your browser to a SAM Spy. the requests passed on and fetched between Security and Spy are encrypted, the requests made between your browser and Security are unencrypted as are the requests from the Spy out to the internet.

Requirements
Space on a web server that can execute PHP code and a web browser. Once the cgi proxy front-end is web viewable and configured to talk to a working Spy, you can begin surfing the internet via Security.

Install sam-security
Extract and install the PHP HQ/sam-security files to any web viewable directory eg. your local intranet. Open up sam-security.ini in your favorite editor and change the location of the SAM Spy to use with its certificate information for decryption. currently you are able to suggest a certificate (via its xKID hash aka fingerprint) for the Spy to use for encryption (the Spy must have the certificate matching fingerprint loadable from its configured PEM file).
You are now ready to surf with your requests encrypted from the location of Security to the location of the Spy.

Development

continue fingerprint (xKID hash) tag stuff
actually finish this alot more one day

TOP

sam-spy aka Spy

Introduction
the Spy aka sam-spy is a SAM/WWW cgi proxy that passes on and fetches requests from SAM Security to the internet. the requests passed on and fetched between Security and Spy are encrypted, the requests made between the Spy and the internet are not encrypted with SAM.

Requirements
Space on a web server that can execute PHP code. Once the SAM/cgi proxy front-end is web viewable (or at least to SAM Security), you can begin decrypting requests sent from SAM Security (if the Spy is able to match the certificate Security used or vice versa).

Install sam-spy
Extract and install the PHP DMZ/sam-spy files to any web viewable directory e.g outside your local intranet. Open up sam-spy.ini in your favorite editor and change the certificate information for the Spy.
the Spy is now ready to take requests from SAM Security.

Development

continue fingerprint (xKID hash) tag stuff
actually finish this alot more one day

TOP

sam-smtp aka SAM SMTP Agent

Introduction
the SAM SMTP Agent is a Sonic stream module that when loaded, acts as a proxy relay (with injection) between two SMTP connection end points ie. client and server. the SSAgent repackages the original E-Mail sent from client to server as an encrypted SAM file attachment. SSA is only able to sniff unencrypted data (eg. TLS encrypted sessions are unable to be inspected and reinjected as SAM attachments).

Requirements
You will first require the Sonic server daemon setup and working properly.

Install SSA
Extract and install the PHP sonic.stream.ssa.php file into the stream directory (commonly lib/streams) of your working Sonic directory. Merge and edit the example ssa.ini into the main Sonic ini file and restart the Sonic server.

Development

make dynamic end point mode ie. implement virtual host type lookup from client request
come back here when i have a SSH Agent so we can understand encrypted sessions (pipedream)
test this better, eg. different clients and servers
make a script to send files/something (DATA != E-Mail) directly to this Agent for packaging and delivery - why not

TOP

EOF; echo $out; ?>