<div dir="ltr">The algorithm itself is the least of your worries. In modern cryptography, key management is the preferred target. With regards to ssh, this means the key negotiation phase of the protocol handshake. Using your own keys of reasonable size, and managing them properly, is your best bet for reasonable security, along with configuring sshd not to fallback to SSHv1, as Eliyahu wrote.<div>
<br></div><div>For a wider perspective of the latest NSA revelations, I recommend this article by Bruce Schneier:</div><div><a href="http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance">http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance</a><br>
</div><div><br></div><div>Rony</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Sep 8, 2013 at 3:19 PM, Oleg Goldshmidt <span dir="ltr"><<a href="mailto:pub@goldshmidt.org" target="_blank">pub@goldshmidt.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hi,<br>
<br>
I am not hopeful to secure much of anything against the likes of NSA or<br>
GCHQ. However, my curiousity woke up when the latest<br>
NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much<br>
of Internet encryption were accompanied by graphics like<br>
<br>
<a href="http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html" target="_blank">http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html</a><br>
<br>
Now, NYT is hardly a technical authority, but I assume they have<br>
technically competent sources and advisers. The above page lists Cisco,<br>
Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),<br>
and EFF as sources.<br>
<br>
I shrug at HTTPS/SSl/TLS/VPN/Skype,IM - nothing surprises there. The<br>
only part that is somewhat surprising (and particularly relevant to<br>
Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion<br>
justified?<br>
<br>
A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the<br>
Ciphers section and the default preference list for v2 ciphers, with<br>
AES-128 in the leading position. Can any security/cryptography guru here<br>
(Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?<br>
AES-256 still seems to be regarded as NSA-safe (but not RC4?<br>
<a href="http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/" target="_blank">http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/</a>). Is<br>
it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment<br>
on performance impact of using AES-256 vs. AES-128 for the usual<br>
scenarios?<br>
<br>
I am not sure I quite understand the implications of AES-128 and AES-256<br>
both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA<br>
assume that anything they can break others can break, too, so Type 1<br>
product being defined as "endorsed by the NSA for securing classified<br>
and sensitive U.S. Government information, when appropriately keyed"<br>
hopefully means NSA cannot break it. However, there is also<br>
Type-1/Suite-A... Suite A being seemingly regarded as even more secure<br>
than Suite B (is it?) goes against the common cryptographic wisdom that<br>
says "disclosed algos deserve more trust". Is it an indication that (at<br>
least) AES-128 may be somewhat vulnerable? Or is is only because AES was<br>
not historically NSA-sourced that it is in Suite B and not in Suite A?<br>
<br>
<a href="http://en.wikipedia.org/wiki/Type_1_product" target="_blank">http://en.wikipedia.org/wiki/Type_1_product</a><br>
<a href="http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography" target="_blank">http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography</a><br>
<a href="http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography" target="_blank">http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography</a><br>
<br>
Back to NYT graphics: Another, more mundane possibility is that NSA's<br>
"partial success" against SSH (and/or OpenSSH implementation) means that<br>
SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That<br>
would not be a big surprise (at least the DES part).<br>
<br>
I am not changing the default SSHv2 Ciphers configuration unless someone<br>
I trust says AES-128 is suspect. And maybe not even then... But<br>
curiousity is killing this cat...<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Oleg Goldshmidt | <a href="mailto:pub@goldshmidt.org">pub@goldshmidt.org</a><br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Ubi dubium, ibi libertas (where there is doubt, there is freedom)<br>
</div>