SSH getting a security tune-up from NIST and IETF

Secure Shell, among the most common protocols for safely accessing a remote computer across the internet, is getting a fresh security examination from the US government and an internet standards body.

SSH emerged in the 1990s, became more popular than legacy protocols such as Telnet in the 2000s, and now is starting to show its age. The current version called SSH-2 has been on the losing side of notable hacks and is vulnerable tobrute-force attacks, which may start happening more often with a Microsoft implementation due soon.

The newest concern is mismanagement of SSH keys, according to a report(PDF) issued October 2015 by the National Institute of Standards and Technology (NIST). "We are in a position where some organizations have 50 times more SSH keys than they have people," said Tatu Ylönen, who coauthored the report and invented SSH in 1995.

"We are in a position where some organizations have 50 times more SSH keys than they have people."Tatu Ylönen

Trouble begins when employees create new keys without their IT staff being aware and continues when people leave companies but their SSH keys remain, Ylönen said. Hackers exploit unmanaged or forgotten keys, so the more prominent the protocol becomes, the greater its risk, he explained. Ylönen's own company, SSH Communications Security, sells software to address this for very large organizations, but for most businesses, "There haven't been any controls, no policies, and the keys haven't been removed," he cautioned.

The alarm from Ylönen is not a new one, but NIST hoisting the flag is an eye-opener. The report gives 13 suggestions for safely managing SSH keys, mostly focusing on issues such as key lifespans and privileges. Auditing, testing, and deploying are also covered in detail.

Many IT departments may not realize that key management tools are already available to them in the very popular OpenSSH implementation. Damien Miller, who maintains the implementation, cited examples such as support for public keys managed by administrators rather than users, keys held on tokens, hooks that allow command access to fetch keys, and certificates for lifespans.

"Broadly speaking, our medium-term priorities area to continue getting rid of bad/legacy crypto as fast as we can without causing excessive user pain and continue ... refactoring and modernization of OpenSSH's internals. As we're refactoring, we're writing unit and fuzz tests as we go to improve correctness and security," Miller added.

Ed Skoudis, a security instructor at training company SANS Institute, said these improvements make sense. "The biggest weakness [of SSH] is the management and storage of the keys," he said. "That's why I think what NIST has done is really good."

Another way to keep SSH secure is to prevent people from using obsolete cryptography algorithms, said officials at the Internet Engineering Task Force(IETF), which manages the actual protocol. There aren't any plans to upgrade SSH-2, although security experts on Nov. 18, 2015 proposed a new working group to formally deprecate outdated methods. This will apply to several protocols, not just SSH, they said. The new group's proposed name is CURDLE: "CURves, Deprecating and a Little more Encryption."

"As with many modern protocols, the SSH protocol has been designed to support algorithm agility, that is, the ability to update the cryptographic algorithms used, without other changes being needed to the protocol," CURDLE leader Stephen Farrell said. "There are currently discussions ongoing... as to how best to incorporate new crypto into the SSH protocol. So far that hasn't shown a need for a new SSH working group but should one be needed, we'd form one. Instead we may form a working group that handles adding, e.g., the new elliptic curves specifications from the [Crypto Forum Research Group] across a number of protocols at once."

SANS' Skoudis added that network communications between Microsoft Windows and other operating systems are the last bastion of non-SSH connections. There are products for achieving SSH connections in that situation, but Microsoft said last summer that it plans to build SSH into its PowerShell system administration application. That is scheduled to ship by the middle of 2016 based on an OpenSSH port, but will also have Redmond's proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer — a move that drew criticism on a Microsoft blog post.

Comments

Here Are The First Connected Home Devices For Apple’s HomeKit

Apple’s HomeKit is finally starting to roll out to actual consumers, via the first crop of HomeKit-enabled accessories from third-party manufacturers. This means you’ll soon be able to get your hands on a range of products for the connected home that work with Siri on your iOS device, and that you’ll be able to do so as soon as today, since some of the new HomeKit accessories start shipping now. The accessories in question range from sensors, to lights, to thermostats, to smart outlets, and come from a group of accessory-makers with a trusted reputation in the connected home industry. HomeKit may have taken a while to arrive, but it’s doing so in grand fashion, with a practical lineup to get your home connected to your iOS ecosystem in an essential way. Elgato Eve The Elgato Eve is a set of connected wireless sensors that monitor key factors like indoor air quality, temperature, humidity as well as conditions outside, like temperature, humidity and air pre...

How to Run Older Applications in Windows 10

You cannot expect all the vendors to upgrade their programs to make them compatible with Windows and neither would you want to purchase all the applications every time a new version of Windows is out. Nonetheless, the fact still remains the same that not all applications are compatible with the latest operating systems and there are times when many applications do not initialize when you upgrade your PC to a newer version of Windows. To make things easy for you, Windows 10 allows you to run the programs in compatibility mode. Running a program in compatibility mode makes the application think that it is installed on an older, compatible version of Windows, thus the software runs without any flaws. There are two ways you can run a program in compatibility mode: Program Compatibility Troubleshooter – This is a step-by-step wizard that allows you to pick a program that you prefer to use and configures it to run in compatibility mode. Compatibility Tab – This tab can...

5 Best Free Antivirus for Android Phones and Tablets

Android mobiles are trending today. World is running behind android and its versions. I am sure you also having one high end android mobile with you. So, here in this article I’ve listed the best 5 antivirus for Android phones and tablets. 1- AVG Antivirus App For Android When you download AVG Anti-virus and install it on your mobile or tablet then it shows screen alert. By touching the screen you can perform the scan. It is a free anti virus software, which helps you to protect your mobiles from virus, malware and spyware It provides some other features like ANTI THEFT, SMS SCANNER, TASK KILLER etc. It protects your mobile when you use internet Download AVG anti-virus from ANDROID MARKET. 2- Look Out Mobile Antivirus Look out anti virus for mobile is one of the best android anti virus software. It keeps your tablets and phones safe and secure You can run the app any time and scan for virus It protects your mobile when you use interne...

eGym raises $45M Series C for cloud-connected gym equipment and fitness software

eGym , the Munich-based startup that offers cloud-connected gym equipment and supporting cloud software and app for the fitness training floor, has closed $45 million in Series C funding. The round was led by new investor HPE Growth Capital, while existing investors, including Highland Europe, also participated. The problem that eGym is looking to solve is that, whilst gyms have moved from a bodybuilder market to a mass market in the last 20 years, the technology in gyms lags behind. That’s despite the fact that better use of technology can help to reduce customer churn, the biggest pain-point of both gym operator and gym users. Comprising of an app for both gym user and trainer, combined with the company’s connected strength machines, the eGym Cloud makes it possible for gym members to receive better fitness instruction and an evolving and personalised fitness plan based on data collected as they workout. And by providing a better workout feedback loop, gym goers can get an i...

Amazon Is Giving Away Unlimited Cloud Storage For $5.00

Amid a slew of deep discounts appearing on the web today as a part of the shopping holiday Black Friday, Amazon has introduced one deal that’s sort of a no brainer. The company is giving away unlimited online storage on its cloud servers for just five dollars. The normal price for this is $60 per year, so this – 92% off – represents a significant savings. The deal is aimed at promoting Amazon’s Cloud Drive service – an online storage site that competes with similar services like Dropbox, Google Drive, Microsoft’s OneDrive, and more. Cloud Drive allows you to store documents, music, photos, videos and other files in the cloud, which you can access from any web-connected device, including smartphones and tablets by way of Amazon’s Cloud Drive mobile applications. However, be aware that if you’re planning to use the now $5 service primarily for photo backups, you may already have that option enabled. Amazon Prime currently offers free, unlimited pho...

Exciting Technology

Search This Blog