<div dir="ltr">I'm only taking a wild guess here. To be clear, I have no inside knowledge and my guess is probably as good as anyone else's. But if I had to bet this is where I would put my money.<div><br></div><div>
Either:</div><div><br></div><div>1. They have a 0-day against SSH (e.g. if you have ssh running they can login to your box)</div><div>2. They are aware of a weakness in the openssh implementation, unrelated to the encryption itself</div>
<div><br></div><div>Pressed against the wall, I would go for option 1. But I wouldn't rule out option 2. I *would* bet against them being able to break the encryption itself.</div><div><br></div><div>Why? Because obviously, it's much easier to break the implementation than the encryption. I find it hard to believe the NSA can easily break AES or 3DES, and I find it easy to believe they found a flaw or weakness in the implementation. It's that simple. </div>
<div>The question "is encryption ABC safe" is nowadays a purely academic question and only academics care about them (no offense Oleg).</div><div><br></div><div>A quick note on Elyahu's list:</div><div><br>
</div>
<div>1. I don't think allowing root login is a huge issue</div><div>2. Likewise with password authentication</div><div>3. We rarely see SSHv1 being allowed in modern systems - I don't believe that's been the default for a while now</div>
<div>4. Likewise, I think having SSHv2 only is the default for years (but I could be wrong, of course)</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Sep 8, 2013 at 9:19 PM, Oleg Goldshmidt <span dir="ltr"><<a href="mailto:pub@goldshmidt.org" target="_blank">pub@goldshmidt.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hi,<br>
<br>
I am not hopeful to secure much of anything against the likes of NSA or<br>
GCHQ. However, my curiousity woke up when the latest<br>
NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much<br>
of Internet encryption were accompanied by graphics like<br>
<br>
<a href="http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html" target="_blank">http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html</a><br>
<br>
Now, NYT is hardly a technical authority, but I assume they have<br>
technically competent sources and advisers. The above page lists Cisco,<br>
Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),<br>
and EFF as sources.<br>
<br>
I shrug at HTTPS/SSl/TLS/VPN/Skype,IM - nothing surprises there. The<br>
only part that is somewhat surprising (and particularly relevant to<br>
Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion<br>
justified?<br>
<br>
A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the<br>
Ciphers section and the default preference list for v2 ciphers, with<br>
AES-128 in the leading position. Can any security/cryptography guru here<br>
(Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?<br>
AES-256 still seems to be regarded as NSA-safe (but not RC4?<br>
<a href="http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/" target="_blank">http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/</a>). Is<br>
it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment<br>
on performance impact of using AES-256 vs. AES-128 for the usual<br>
scenarios?<br>
<br>
I am not sure I quite understand the implications of AES-128 and AES-256<br>
both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA<br>
assume that anything they can break others can break, too, so Type 1<br>
product being defined as "endorsed by the NSA for securing classified<br>
and sensitive U.S. Government information, when appropriately keyed"<br>
hopefully means NSA cannot break it. However, there is also<br>
Type-1/Suite-A... Suite A being seemingly regarded as even more secure<br>
than Suite B (is it?) goes against the common cryptographic wisdom that<br>
says "disclosed algos deserve more trust". Is it an indication that (at<br>
least) AES-128 may be somewhat vulnerable? Or is is only because AES was<br>
not historically NSA-sourced that it is in Suite B and not in Suite A?<br>
<br>
<a href="http://en.wikipedia.org/wiki/Type_1_product" target="_blank">http://en.wikipedia.org/wiki/Type_1_product</a><br>
<a href="http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography" target="_blank">http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography</a><br>
<a href="http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography" target="_blank">http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography</a><br>
<br>
Back to NYT graphics: Another, more mundane possibility is that NSA's<br>
"partial success" against SSH (and/or OpenSSH implementation) means that<br>
SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That<br>
would not be a big surprise (at least the DES part).<br>
<br>
I am not changing the default SSHv2 Ciphers configuration unless someone<br>
I trust says AES-128 is suspect. And maybe not even then... But<br>
curiousity is killing this cat...<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Oleg Goldshmidt | <a href="mailto:pub@goldshmidt.org">pub@goldshmidt.org</a><br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</font></span></blockquote></div><br></div>