[hopefully on topic] is SSH secure in default configuration?

2013-09-08 Thread Oleg Goldshmidt

Hi,

I am not hopeful to secure much of anything against the likes of NSA or
GCHQ. However, my curiosity woke up when the latest
NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much
of Internet encryption were accompanied by graphics like

http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html

Now, NYT is hardly a technical authority, but I assume they have
technically competent sources and advisers. The above page lists Cisco,
Microsoft (I wonder if they were the ones who outed Skype - chuckle),
and EFF as sources.

I shrug at HTTPS/SSL/TLS/VPN/Skype/IM - nothing surprises there. The
only part that is somewhat surprising (and particularly relevant to
Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion
justified?

A glance at man 5 ssh_config (or man 5 sshd_config) reveals the
Ciphers section and the default preference list for v2 ciphers, with
AES-128 in the leading position. Can any security/cryptography guru here
(Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?
AES-256 still seems to be regarded as NSA-safe (but not RC4?
http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/).
Is it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment
on performance impact of using AES-256 vs. AES-128 for the usual
scenarios?

I am not sure I quite understand the implications of AES-128 and AES-256
both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA
assume that anything they can break others can break, too, so Type 1
product being defined as "endorsed by the NSA for securing classified
and sensitive U.S. Government information, when appropriately keyed"
hopefully means NSA cannot break it. However, there is also
Type-1/Suite-A... Suite A being seemingly regarded as even more secure
than Suite B (is it?) goes against the common cryptographic wisdom that
says disclosed algos deserve more trust. Is it an indication that (at
least) AES-128 may be somewhat vulnerable? Or is it only because AES was
not historically NSA-sourced that it is in Suite B and not in Suite A?

http://en.wikipedia.org/wiki/Type_1_product
http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography

Back to NYT graphics: Another, more mundane possibility is that NSA's
partial success against SSH (and/or OpenSSH implementation) means that
SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That
would not be a big surprise (at least the DES part).
 
I am not changing the default SSHv2 Ciphers configuration unless someone
I trust says AES-128 is suspect. And maybe not even then... But
curiosity is killing this cat...

-- 
Oleg Goldshmidt | p...@goldshmidt.org

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il


Re: [hopefully on topic] is SSH secure in default configuration?

2013-09-08 Thread E.S. Rosenberg
2013/9/8 Oleg Goldshmidt p...@goldshmidt.org:

Without going into the cryptography side of things I can say that SSH
in its default configuration (client/server) has various weaknesses.
1. Root is generally default on
2. Default auth mechanism is passwords
3. Most importantly SSH clients by default are set to allow fail-over
to SSHv1 so even if the server is set to only accept SSHv2 it is
possible to MITM with a machine that forces the client to SSHv1 while
talking to the server in SSHv2.
4. Servers aren't always set to accept SSHv2 only either

Other than that, if you don't take steps to prevent brute-force attacks
you will obviously be brute-forced eventually...

Regards,
Eliyahu - אליהו

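The defaults Eliyahu lists above, plus the cipher-order question from Oleg's original post, as a shell audit of an sshd_config file. This is an added example, not code from the thread or from OpenSSH; the keyword defaults it assumes when a setting is absent are spelled out in the comments, and both sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the
# default-configuration weaknesses discussed above (root login, password
# auth, SSHv1 fallback, brute-force headroom, cipher preference).
# Assumed OpenSSH semantics: the FIRST occurrence of a keyword wins,
# '#' starts a comment, keywords are case-insensitive, and only the
# global section before any Match block is examined. Assumed defaults
# when a keyword is absent (OpenSSH 6.x era): PermitRootLogin yes,
# PasswordAuthentication yes, Protocol 2, MaxAuthTries 6, and a Ciphers
# list that leads with aes128-ctr (as the original post observes).

# sshd_get FILE KEY DEFAULT: print the effective value of KEY.
sshd_get() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*(#|$)/      { next }            # comment or blank
        tolower($1) == "match"    { exit }            # global section ends
        tolower($1) == tolower(k) { print $2; exit }  # first match wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE: print one line per weakness found.
audit_sshd_config() {
    f=$1
    if [ "$(sshd_get "$f" PermitRootLogin yes)" != no ]; then
        echo "PermitRootLogin: direct root login allowed; set 'PermitRootLogin no'"
    fi
    if [ "$(sshd_get "$f" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication: password logins accepted; prefer keys only"
    fi
    case ",$(sshd_get "$f" Protocol 2)," in
        *,1,*) echo "Protocol: SSHv1 enabled; set 'Protocol 2'" ;;
    esac
    if [ "$(sshd_get "$f" MaxAuthTries 6)" -gt 3 ]; then
        echo "MaxAuthTries: more than 3 attempts per connection; lower it"
    fi
    ciphers=$(sshd_get "$f" Ciphers aes128-ctr)
    case "$ciphers" in
        aes256-*) ;;
        *) echo "Ciphers: preference list does not lead with AES-256 ($ciphers)" ;;
    esac
    case "$ciphers" in
        *3des*|*arcfour*) echo "Ciphers: legacy 3DES/RC4 still offered" ;;
    esac
}

# count_findings FILE: number of weaknesses, for scripting and tests.
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed sample configs (not taken from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# stock-looking sshd_config: everything left at defaults except Protocol
#PermitRootLogin yes
Protocol 2,1
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$WEAK_CFG"   # prints 5 findings; the hardened file prints none
```

The Match block in the hardened sample is deliberately ignored: per-user overrides are a separate policy question from the global defaults the thread is about.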


Re: [hopefully on topic] is SSH secure in default configuration?

2013-09-08 Thread Aviram Jenik
I'm only taking a wild guess here. To be clear, I have no inside knowledge
and my guess is probably as good as anyone else's. But if I had to bet this
is where I would put my money.

Either:

1. They have a 0-day against SSH (e.g. if you have ssh running they can
login to your box)
2. They are aware of a weakness in the openssh implementation, unrelated to
the encryption itself

Pressed against the wall, I would go for option 1. But I wouldn't rule out
option 2. I *would* bet against them being able to break the encryption
itself.

Why? Because obviously, it's much easier to break the implementation than
the encryption. I find it hard to believe the NSA can easily break AES or
3DES, and I find it easy to believe they found a flaw or weakness in the
implementation. It's that simple.
The question "is encryption ABC safe" is nowadays a purely academic
question and only academics care about them (no offense Oleg).

A quick note on Eliyahu's list:

1. I don't think allowing root login is a huge issue
2. Likewise with password authentication
3. We rarely see SSHv1 being allowed in modern systems - I don't believe
that's been the default for a while now
4. Likewise, I think having SSHv2 only is the default for years (but I
could be wrong, of course)



Re: [hopefully on topic] is SSH secure in default configuration?

2013-09-08 Thread E.S. Rosenberg
2013/9/8 Aviram Jenik avi...@jenik.com:
 A quick note on Eliyahu's list:

 1. I don't think allowing root login is a huge issue
 2. Likewise with password authentication
 3. We rarely see SSHv1 being allowed in modern systems - I don't believe
 that's been the default for a while now
I was talking about *clients*: almost all clients are still default 2,
try 1, even on modern Linux systems.
A quick look on my laptop shows that the default on Ubuntu 13.04
thankfully is 2 only, but I know that when I looked at it more than a
year ago it was not the default.
PuTTY and WinSCP last time I used them still defaulted to 2+1 unless
you consciously set them to 2 only.

I don't have old systems to check on anymore, but on CentOS 5, which
is still a very widely used production system, iirc the default for the
client was 2+1 and the server was 2 only.

Regards,
Eliyahu - אליהו

Re: [hopefully on topic] is SSH secure in default configuration?

2013-09-08 Thread ronys
The algorithm itself is the least of your worries. In modern cryptography,
key management is the preferred target. With regards to ssh, this means the
key negotiation phase of the protocol handshake. Using your own keys of
reasonable size, and managing them properly, is your best bet for
reasonable security, along with configuring sshd not to fall back to SSHv1,
as Eliyahu wrote.

For a wider perspective of the latest NSA revelations, I recommend this
article by Bruce Schneier:
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

Rony



-- 
Ubi dubium, ibi libertas (where there is doubt, there is freedom)


Re: [hopefully on topic] is SSH secure in default configuration?

2013-09-08 Thread Oleg Goldshmidt
Aviram Jenik avi...@jenik.com writes:

 The question is encryption ABC safe is nowadays a purely academic
 question and only academics care about them (no offense Oleg).

None taken[*]. I re-read my post and I see now that I didn't emphasize
that I meant the OpenSSH implementation of AES when I wrote "AES". All my
wondering is about SSH on Linux, not about maths, but I realize now that
I did not make it clear, apart from the subject line. ;-) [I did say the
question was strictly curiosity-driven.]

Having said that, safety is defined/interpreted in terms of cost and
time required from an adversary. I have no idea how many Hubble times
one would need to break either AES-128 or AES-256 given the aggregate
resources of Top500 (or NSA) or custom HW, or how many orders of
magnitude can be shaved off by clever use of additional
information[*]. But I would not completely discount the rate at which
the safety margin of a fixed (in terms of number of rounds, etc.)
implementation is shrinking.

To emphasize again, I expect NSA, if they suddenly develop an interest
in one of my machines, to break in exploiting an unpatched bug somewhere
rather than breaking AES, of course.

[*] I hope no member of Linux-IL who has authored academic papers on
attacks on AES that experts dubbed "almost practical" will be
offended, either. ;-)

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf


-- 
Oleg Goldshmidt | p...@goldshmidt.org
