Skip to main content

SSH getting a security tune-up from NIST and IETF

Image
By
 Image: iStock/bluebay2014
Secure Shell, among the most common protocols for safely accessing a remote computer across the internet, is getting a fresh security examination from the US government and an internet standards body.
SSH emerged in the 1990s, became more popular than legacy protocols such as Telnet in the 2000s, and now is starting to show its age. The current version called SSH-2 has been on the losing side of notable hacks and is vulnerable tobrute-force attacks, which may start happening more often with a Microsoft implementation due soon.
The newest concern is mismanagement of SSH keys, according to a report(PDF) issued October 2015 by the National Institute of Standards and Technology (NIST). "We are in a position where some organizations have 50 times more SSH keys than they have people," said Tatu Ylönen, who coauthored the report and invented SSH in 1995.
"We are in a position where some organizations have 50 times more SSH keys than they have people."Tatu Ylönen
Trouble begins when employees create new keys without their IT staff being aware and continues when people leave companies but their SSH keys remain, Ylönen said. Hackers exploit unmanaged or forgotten keys, so the more prominent the protocol becomes, the greater its risk, he explained. Ylönen's own company, SSH Communications Security, sells software to address this for very large organizations, but for most businesses, "There haven't been any controls, no policies, and the keys haven't been removed," he cautioned.
The alarm from Ylönen is not a new one, but NIST hoisting the flag is an eye-opener. The report gives 13 suggestions for safely managing SSH keys, mostly focusing on issues such as key lifespans and privileges. Auditing, testing, and deploying are also covered in detail.
Many IT departments may not realize that key management tools are already available to them in the very popular OpenSSH implementation. Damien Miller, who maintains the implementation, cited examples such as support for public keys managed by administrators rather than users, keys held on tokens, hooks that allow command access to fetch keys, and certificates for lifespans.
"Broadly speaking, our medium-term priorities area to continue getting rid of bad/legacy crypto as fast as we can without causing excessive user pain and continue ... refactoring and modernization of OpenSSH's internals. As we're refactoring, we're writing unit and fuzz tests as we go to improve correctness and security," Miller added.
Ed Skoudis, a security instructor at training company SANS Institute, said these improvements make sense. "The biggest weakness [of SSH] is the management and storage of the keys," he said. "That's why I think what NIST has done is really good."
Another way to keep SSH secure is to prevent people from using obsolete cryptography algorithms, said officials at the Internet Engineering Task Force(IETF), which manages the actual protocol. There aren't any plans to upgrade SSH-2, although security experts on Nov. 18, 2015 proposed a new working group to formally deprecate outdated methods. This will apply to several protocols, not just SSH, they said. The new group's proposed name is CURDLE: "CURves, Deprecating and a Little more Encryption."
"As with many modern protocols, the SSH protocol has been designed to support algorithm agility, that is, the ability to update the cryptographic algorithms used, without other changes being needed to the protocol," CURDLE leader Stephen Farrell said. "There are currently discussions ongoing... as to how best to incorporate new crypto into the SSH protocol. So far that hasn't shown a need for a new SSH working group but should one be needed, we'd form one. Instead we may form a working group that handles adding, e.g., the new elliptic curves specifications from the [Crypto Forum Research Group] across a number of protocols at once."
SANS' Skoudis added that network communications between Microsoft Windows and other operating systems are the last bastion of non-SSH connections. There are products for achieving SSH connections in that situation, but Microsoft said last summer that it plans to build SSH into its PowerShell system administration application. That is scheduled to ship by the middle of 2016 based on an OpenSSH port, but will also have Redmond's proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer — a move that drew criticism on a Microsoft blog post.

Comments

Post a Comment

Popular posts from this blog

SoftBank Lands $236M From Alibaba And Foxconn To Bring Its Pepper Robot To The World

By
Remember Pepper,  the intelligent robot that SoftBank unveiled last year ? Pepper goes on sale in Japan this coming weekend, but in advance of that launch  SoftBank has revealed  that Alibaba and manufacturer Foxconn have invested $118 million each in its robotics division. That deal will give Alibaba and Foxconn 20 percent shares in SoftBank Robotics Holdings (known as SBRH), with SoftBank retaining a dominant 60 percent stake. “SoftBank, Alibaba and Foxconn will build a structure to bring Pepper and other robotics businesses to global markets, and cooperate with the aim of spreading and developing the robotics industry on a worldwide scale,” SoftBank said in its announcement. SoftBank isn’t short on money, of course — it is building up quite a portfolio of e-commerce investments across Asia — but its two partners bring know-how, strategy and global networks to the table. So, it looks like Pepper has eventual world domination plans. Or, at least, ...
Post a Comment
Read more

LeafLink Raises $750K To Become Salesforce For The Cannabis Industry

By
LeafLink , an NY-based wholesale management platform for the cannabis industry, has closed a $750k seed round led by group of NY angel investors. The software platform is designed to support participants in a B2B supply chain, providing basic tools designed to save money for retailers and allow producers to get better pricing for their product. These tools will include a centralized location to view correspondence between buyers and suppliers, inventory and order tracking tools, and a portal to discover new products and services so users can source leads and close deals from within the platform. Founders Ryan Smith and Zach Silverman explained that they “believe cannabis regulation and distribution is moving toward mimicking the alcohol industry with regional distributors and nonsensical supply chain participants”. By focusing on creating a supply chain similar to the alcohol industry, the company hopes to eventually be the universally accepted way for buyer...
Post a Comment
Read more

Apple to release new small phone before iPhone 7

By
Apple to release new small phone before iPhone 7 Apple is to create a smaller, cheap version of the iPhone, persistent to the 4 inch size of the iPhone 5. Apple is testing 5 different iPhone 7 models. It will sell next to Apple’s existing phones however mark the first time that Apple has ready a latest phone smaller than the one it locate on sale before. There will be the choice of 2 or three colours likely the  gold, space grey  and silver options that mainly Apple products now coming up. Other than inside there will be very much better components. The flagship improve will be the addition of the A9 chip that powers the iPhone 6S. There may also be a number of changes to the outside. The most able to be seen is apt to be the addition of the somewhat curved edges that are found on the iPhone 6 and 6S. careinfo.in Apple  dropped the iPhone 5C previous this year. A number of hoped that it would be replaced by a 6C, though reports at the time made clear that we...
Post a Comment
Read more

Airbnb will open its Cuba listings to users outside the United States

By
Airbnb  will now let travelers from outside the U.S. to book properties in Cuba after receiving authorization from the U.S. government,  reports the Associated Press . Previously, only Americans were allowed to reserve the site’s  Cuban listings . They will open to international users on April 2. Airbnb launched its  Cuban operations in April 2014 , four months after the Obama administration revealed that it will begin to  restore diplomatic relations with the Communist country . The historic policy change means that  travel and trade sanctions will be lifted , which is expected to boost tourism to Cuba dramatically because Americans no longer need licenses to visit. In fact, President Obama is  currently on an official visit to Cuba , the first president since Calvin Coolidge to do so. According to the AP, Cuba is currently Airbnb’s fastest-growing market, with about 4,000 homes added since it opened listings. Other travel businesses...
Post a Comment
Read more

Three Reasons Why You Need Better Personal Cyber security

By
From the infamous Sony hack to the recent WannaCry virtual catastrophe that affected over 300,000 computers, the need for reliable personal cyber security has never been more apparent. Rubica's skilled team of experts want to remind every one of the importance of cyber security and the three reasons why it is becoming a more pressing issue every day. With top-notch personal cyber security, most attacks are preventable. 1. Larger Number Of Attacks Americans have heard of the most notable attacks on major corporations or government entities over the past several years. However, most people who are not in the information security field do not learn just how much the attack frequency is growing. The number of cyber attacks carried out worldwide in 2015 was quadruple a number of attacks recorded in 2013. Although the cost associated with the number of annual recorded attacks is in the $500 billion range right now, experts say that it will grow well into the trillions by ...
Post a Comment
Read more