[hopefully on topic] is SSH secure in default configuration?

[hopefully on topic] is SSH secure in default configuration?

Aviram Jenik aviram at jenik.com
Sun Sep 8 16:44:15 IDT 2013 

I'm only taking a wild guess here. To be clear, I have no inside knowledge
and my guess is probably as good as anyone else's. But if I had to bet this
is where I would put my money.

Either:

1. They have a 0-day against SSH (e.g. if you have ssh running they can
login to your box)
2. They are aware of a weakness in the openssh implementation, unrelated to
the encryption itself

Pressed against the wall, I would go for option 1. But I wouldn't rule out
option 2. I *would* bet against them being able to break the encryption
itself.

Why? Because obviously, it's much easier to break the implementation than
the encryption. I find it hard to believe the NSA can easily break AES or
3DES, and I find it easy to believe they found a flaw or weakness in the
implementation. It's that simple.
The question "is encryption ABC safe" is nowadays a purely academic
question and only academics care about them (no offense Oleg).

A quick note on Elyahu's list:

1. I don't think allowing root login is a huge issue
2. Likewise with password authentication
3. We rarely see SSHv1 being allowed in modern systems - I don't believe
that's been the default for a while now
4. Likewise, I think having SSHv2 only is the default for years (but I
could be wrong, of course)



On Sun, Sep 8, 2013 at 9:19 PM, Oleg Goldshmidt <pub at goldshmidt.org> wrote:

>
> Hi,
>
> I am not hopeful to secure much of anything against the likes of NSA or
> GCHQ. However, my curiousity woke up when the latest
> NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much
> of Internet encryption were accompanied by graphics like
>
>
> http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html
>
> Now, NYT is hardly a technical authority, but I assume they have
> technically competent sources and advisers. The above page lists Cisco,
> Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),
> and EFF as sources.
>
> I shrug at HTTPS/SSl/TLS/VPN/Skype,IM - nothing surprises there. The
> only part that is somewhat surprising (and particularly relevant to
> Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion
> justified?
>
> A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the
> Ciphers section and the default preference list for v2 ciphers, with
> AES-128 in the leading position. Can any security/cryptography guru here
> (Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?
> AES-256 still seems to be regarded as NSA-safe (but not RC4?
>
> http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/).
> Is
> it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment
> on performance impact of using AES-256 vs. AES-128 for the usual
> scenarios?
>
> I am not sure I quite understand the implications of AES-128 and AES-256
> both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA
> assume that anything they can break others can break, too, so Type 1
> product being defined as "endorsed by the NSA for securing classified
> and sensitive U.S. Government information, when appropriately keyed"
> hopefully means NSA cannot break it. However, there is also
> Type-1/Suite-A... Suite A being seemingly regarded as even more secure
> than Suite B (is it?) goes against the common cryptographic wisdom that
> says "disclosed algos deserve more trust". Is it an indication that (at
> least) AES-128 may be somewhat vulnerable? Or is is only because AES was
> not historically NSA-sourced that it is in Suite B and not in Suite A?
>
> http://en.wikipedia.org/wiki/Type_1_product
> http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
> http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography
>
> Back to NYT graphics: Another, more mundane possibility is that NSA's
> "partial success" against SSH (and/or OpenSSH implementation) means that
> SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That
> would not be a big surprise (at least the DES part).
>
> I am not changing the default SSHv2 Ciphers configuration unless someone
> I trust says AES-128 is suspect. And maybe not even then... But
> curiousity is killing this cat...
>
> --
> Oleg Goldshmidt | pub at goldshmidt.org
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20130908/a15df003/attachment.html>

More information about the Linux-il mailing list