[hopefully on topic] is SSH secure in default configuration?

Oleg Goldshmidt pub at goldshmidt.org
Sun Sep 8 15:19:43 IDT 2013


Hi,

I am not hopeful to secure much of anything against the likes of NSA or
GCHQ. However, my curiosity woke up when the latest
NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much
of Internet encryption were accompanied by graphics like

http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html

Now, NYT is hardly a technical authority, but I assume they have
technically competent sources and advisers. The above page lists Cisco,
Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),
and EFF as sources.

I shrug at HTTPS/SSL/TLS/VPN/Skype/IM - nothing surprises there. The
only part that is somewhat surprising (and particularly relevant to
Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion
justified?

A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the
Ciphers section and the default preference list for v2 ciphers, with
AES-128 in the leading position. Can any security/cryptography guru here
(Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?
AES-256 still seems to be regarded as NSA-safe (but not RC4?
http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/). Is
it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment
on performance impact of using AES-256 vs. AES-128 for the usual
scenarios?

I am not sure I quite understand the implications of AES-128 and AES-256
both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA
assume that anything they can break others can break, too, so Type 1
product being defined as "endorsed by the NSA for securing classified
and sensitive U.S. Government information, when appropriately keyed"
hopefully means NSA cannot break it. However, there is also
Type-1/Suite-A... Suite A being seemingly regarded as even more secure
than Suite B (is it?) goes against the common cryptographic wisdom that
says "disclosed algos deserve more trust". Is it an indication that (at
least) AES-128 may be somewhat vulnerable? Or is it only because AES was
not historically NSA-sourced that it is in Suite B and not in Suite A?

http://en.wikipedia.org/wiki/Type_1_product
http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography

Back to NYT graphics: Another, more mundane possibility is that NSA's
"partial success" against SSH (and/or OpenSSH implementation) means that
SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That
would not be a big surprise (at least the DES part).
 
I am not changing the default SSHv2 Ciphers configuration unless someone
I trust says AES-128 is suspect. And maybe not even then... But
curiosity is killing this cat...

-- 
Oleg Goldshmidt | pub at goldshmidt.org

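The reconfiguration the post asks about (preferring AES-256 and dropping the legacy v2 ciphers) is easy to audit mechanically. The following is an added example, not code from the post or from the Linux-IL list: it parses the Ciphers directive of an sshd_config/ssh_config, flags the legacy entries, and rewrites the directive with an AES-256-first list. The sample config is constructed; the cipher names are real OpenSSH identifiers, and the helper names are my own.

```python
"""Audit and harden the Ciphers directive of an OpenSSH config file."""
import re

# Defender's preference, strongest first: AES-256 ahead of AES-128, AEAD (GCM) ahead of CTR.
PREFERRED_ORDER = [
    "aes256-gcm@openssh.com",
    "aes256-ctr",
    "aes128-gcm@openssh.com",
    "aes128-ctr",
]

# Legacy entries worth removing: RC4 (arcfour), 3DES, Blowfish, CAST and every CBC mode.
WEAK_PATTERNS = re.compile(r"(arcfour|3des|blowfish|cast128|-cbc$)")

# Constructed sample, not a real host's file; mirrors a typical mixed legacy list.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc
MACs hmac-sha2-256,hmac-sha2-512
"""

# OpenSSH accepts "Keyword value" or "Keyword=value", case-insensitive keyword.
_CIPHERS_LINE = re.compile(r"(?i)^ciphers[\s=]+(\S+)")


def parse_ciphers(config_text):
    """Return the cipher list from the first active Ciphers line, or None if the
    directive is absent (meaning the compiled-in OpenSSH default applies)."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _CIPHERS_LINE.match(stripped)
        if match:
            return match.group(1).split(",")
    return None


def weak_ciphers(ciphers):
    """Subset of the offered ciphers that match a legacy pattern, in config order."""
    return [c for c in ciphers if WEAK_PATTERNS.search(c)]


def harden_config(config_text):
    """Rewrite the config so its single Ciphers line is PREFERRED_ORDER; append one if missing.
    OpenSSH honours only the first occurrence of a directive, so duplicates are dropped."""
    new_line = "Ciphers " + ",".join(PREFERRED_ORDER)
    out, replaced = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("#") and _CIPHERS_LINE.match(stripped):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"
```

Run `harden_config` over a file and diff the result before installing it, then confirm the live setting with `sshd -T | grep -i ciphers` on the host.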