Add Security Presentation

src/presentations/4-Security.qmd

@@ -0,0 +1,265 @@
+---
+title: "Security and Privacy"
+author: "Presented by Trevor and Wolf"
+---
+
+# 1: Why Security?
+
+## What is Security?
+
+Security is a precaution
+
+- implemented through measures and practices
+- protects:
+  - data
+  - systems
+  - networks
+- from:
+  - unauthorized access
+  - damage
+  - theft
+
+## What is Privacy?
+
+Privacy is a right
+
+- to control where your data goes
+- know what is done with your data
+- know if your data is stored securely
+
+## Cybersecurity
+
+Cybersecurity is specifically about the security of digital systems
+
+Typically utilizes the CIA triad:
+
+- Confidentiality
+- Integrity
+- Availability
+
+## Why does Cybersecurity Matter?
+
+Digital systems are extremely prone to theft due to their interconnectivity
+
+- Vulerabilities in public accessible software
+- Contains multitudes of private information
+- Protects valuable resources, like shared infrastructure
+
+## How does this relate to Linux?
+
+96.3% of The top 1 million web-servers run Linux
+
+- Principle of Least Privilege
+- Plenty of multi-user linux systems
+
+# 2: Ways to apply security
+
+## Permission Control
+
+Protect files and services with the correct permissions
+
+- UNIX permissions
+- Separation of concerns
+- Sandboxing
+
+## Symmetric Encryption
+
+Encryption and Decreyption key are the same
+
+- Good for protecting data, but less for communication
+- Like applying a lock on your house
+- Examples include Caesar Cypher or AES
+
+## Symmetric Encryption - OpenSSL
+
+This simple script encrypts a single file with AES-256-CBC with a password
+
+```bash
+# Encrypt with a password
+openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.txt
+
+# Decrypt with a password
+openssl enc -d -aes-256-cbc -in encrypted.txt -out decrypted.txt
+```
+
+## Asymmetric Encryption
+
+Works by having different encryption and decryption keys
+
+- Good for establishing secure connections over public channels
+- Utilized by many key exchange algorithms (KEX)
+- Examples include TLS and SSH
+- May utilize public key infrastructure
+
+## Asymmetric Encryption
+
+::: {.columns}
+::: {.column}
+
+TLS handshake and key exchange
+
+:::
+::: {.column}
+```{mermaid}
+sequenceDiagram
+    User->>Server: SYN
+    Server->>User: SYNACK
+    User->>Server: ACK
+    User->>Server: Hello (Random seed)!
+    Server->>User: Hello (Random seed)!
+    Server->>User: Public Key
+    Server->>User: I am done Helloing
+    User->>Server: Public Key
+    User->>Server: Cipher Parameters (TLS 1.2)
+    User->>Server: Done!
+    Server->>User: Cipher Parameters (TLS 1.2)
+    Server->>User: Done!
+```
+:::
+:::
+
+## Asymmetric Encryption - Demo
+
+Demo!
+
+- An example of how we can "pretend" to be a CA (I skimmed this and prompted to get something specific, I think this is good but we should double-verify it)
+
+```bash
+# ------------------------------------------------------------
+# STEP 1: Create the CA's private key
+# ------------------------------------------------------------
+# This key represents the root of trust for our fake CA.
+# Anyone who trusts certificates signed by this CA will effectively
+# trust any certificate we issue using this key.
+# We're using 2048-bit RSA for simplicity.
+openssl genrsa -out ca.key 2048
+
+# ------------------------------------------------------------
+# STEP 2: Self-sign a CA certificate
+# ------------------------------------------------------------
+# A CA typically has a self-signed certificate to establish its identity.
+# This command uses the CA's private key to create a corresponding
+# X.509 certificate that is signed by itself.
+# -x509 means "self-signed cert" instead of a CSR
+# -nodes skips encrypting the key (for demo only; not secure in real life)
+# -subj sets the Distinguished Name fields directly (no interactive prompt)
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
+  -subj "/C=US/ST=Demo/L=Local/O=FakeCA/CN=Fake CA" \
+  -out ca.crt
+
+# ------------------------------------------------------------
+# STEP 3: Create the server's private key
+# ------------------------------------------------------------
+# This is the key belonging to the "applicant" — e.g., a server that wants
+# a TLS certificate. It will remain private to that server.
+openssl genrsa -out server.key 2048
+
+# ------------------------------------------------------------
+# STEP 4: Generate a Certificate Signing Request (CSR)
+# ------------------------------------------------------------
+# The server uses its private key to create a CSR, which includes:
+#   - The public key corresponding to server.key
+#   - Metadata (Subject, CN, etc.)
+#   - A signature proving the server owns the private key
+# This CSR will be sent to the CA for signing.
+openssl req -new -key server.key \
+  -subj "/C=US/ST=Demo/L=Local/O=FakeServer/CN=localhost" \
+  -out server.csr
+
+# ------------------------------------------------------------
+# STEP 5: Sign the server's CSR with the CA to issue a certificate
+# ------------------------------------------------------------
+# Here the CA plays its role:
+#   - It reads the CSR (server.csr)
+#   - It verifies and signs it with its CA key (ca.key)
+#   - It produces a signed server certificate (server.crt)
+# This server.crt can now be presented to clients during TLS handshakes.
+# -CAcreateserial creates ca.srl (serial number file) if it doesn't exist
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
+  -out server.crt -days 365 -sha256
+
+# ------------------------------------------------------------
+# STEP 6: Verify the issued certificate against the CA's certificate
+# ------------------------------------------------------------
+# This checks that server.crt is valid and chains correctly to ca.crt.
+# If successful, you'll see: "server.crt: OK"
+openssl verify -CAfile ca.crt server.crt
+```
+
+## Asymmetric Encryption - Demo
+
+And a simple `go` server (intentionally using low level primitives) that uses a cert.
+
+```go
+package main
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+func main() {
+	// Load the TLS certificate and private key from disk.
+	// These are the credentials the server will present during the TLS handshake.
+	// server.crt = public certificate; server.key = private key.
+	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
+	if err != nil {
+		panic(err)
+	}
+
+	// Create a TLS configuration object using the loaded certificate.
+	// This defines how the TLS handshake should work and what credentials to use.
+	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+
+	// Start a TCP listener wrapped in TLS on port 8443.
+	// tls.Listen() does the normal TCP listen + wraps new connections with TLS.
+	ln, err := tls.Listen("tcp", ":8443", cfg)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println("Listening on https://localhost:8443/")
+
+	for {
+		// Wait for a new TLS connection (client TCP connect + TLS handshake).
+		conn, err := ln.Accept()
+		if err != nil {
+			// If something goes wrong accepting a connection, skip it and continue.
+			continue
+		}
+
+		// Handle each connection concurrently in a goroutine.
+		go func(c tls.Conn) {
+			defer c.Close()
+
+			// Read the incoming data (the HTTP request) into a buffer.
+			// We don't parse it here — we just read enough to clear it from the socket.
+			buf := make([]byte, 4096)
+			c.Read(buf)
+
+			// Prepare a simple HTTP/1.1 200 OK response.
+			body := []byte("hello over tls\n")
+			fmt.Fprintf(
+				&c,
+				"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %d\r\nConnection: close\r\n\r\n",
+				len(body),
+			)
+
+			// Send the body and close the connection.
+			c.Write(body)
+		}(*conn.(*tls.Conn))
+	}
+}
+```
+
+# 3: General good practices
+
+## 2FA
+### TOTP 
+- How does TOTP work
+- A system diagram of TOTP
+- Including some nitty-gritty here
+
+### Yubikey
+- How does Yubikey work
+- A system diagram
+- If this is complicated (no idea how it works) then we can skip