SSH getting a security tune-up from NIST and IETF

Secure Shell, among the most common protocols for safely accessing a remote computer across the internet, is getting a fresh security examination from the US government and an internet standards body.

SSH emerged in the 1990s, became more popular than legacy protocols such as Telnet in the 2000s, and now is starting to show its age. The current version called SSH-2 has been on the losing side of notable hacks and is vulnerable tobrute-force attacks, which may start happening more often with a Microsoft implementation due soon.

The newest concern is mismanagement of SSH keys, according to a report(PDF) issued October 2015 by the National Institute of Standards and Technology (NIST). "We are in a position where some organizations have 50 times more SSH keys than they have people," said Tatu Ylönen, who coauthored the report and invented SSH in 1995.

"We are in a position where some organizations have 50 times more SSH keys than they have people."Tatu Ylönen

Trouble begins when employees create new keys without their IT staff being aware and continues when people leave companies but their SSH keys remain, Ylönen said. Hackers exploit unmanaged or forgotten keys, so the more prominent the protocol becomes, the greater its risk, he explained. Ylönen's own company, SSH Communications Security, sells software to address this for very large organizations, but for most businesses, "There haven't been any controls, no policies, and the keys haven't been removed," he cautioned.

The alarm from Ylönen is not a new one, but NIST hoisting the flag is an eye-opener. The report gives 13 suggestions for safely managing SSH keys, mostly focusing on issues such as key lifespans and privileges. Auditing, testing, and deploying are also covered in detail.

Many IT departments may not realize that key management tools are already available to them in the very popular OpenSSH implementation. Damien Miller, who maintains the implementation, cited examples such as support for public keys managed by administrators rather than users, keys held on tokens, hooks that allow command access to fetch keys, and certificates for lifespans.

"Broadly speaking, our medium-term priorities area to continue getting rid of bad/legacy crypto as fast as we can without causing excessive user pain and continue ... refactoring and modernization of OpenSSH's internals. As we're refactoring, we're writing unit and fuzz tests as we go to improve correctness and security," Miller added.

Ed Skoudis, a security instructor at training company SANS Institute, said these improvements make sense. "The biggest weakness [of SSH] is the management and storage of the keys," he said. "That's why I think what NIST has done is really good."

Another way to keep SSH secure is to prevent people from using obsolete cryptography algorithms, said officials at the Internet Engineering Task Force(IETF), which manages the actual protocol. There aren't any plans to upgrade SSH-2, although security experts on Nov. 18, 2015 proposed a new working group to formally deprecate outdated methods. This will apply to several protocols, not just SSH, they said. The new group's proposed name is CURDLE: "CURves, Deprecating and a Little more Encryption."

"As with many modern protocols, the SSH protocol has been designed to support algorithm agility, that is, the ability to update the cryptographic algorithms used, without other changes being needed to the protocol," CURDLE leader Stephen Farrell said. "There are currently discussions ongoing... as to how best to incorporate new crypto into the SSH protocol. So far that hasn't shown a need for a new SSH working group but should one be needed, we'd form one. Instead we may form a working group that handles adding, e.g., the new elliptic curves specifications from the [Crypto Forum Research Group] across a number of protocols at once."

SANS' Skoudis added that network communications between Microsoft Windows and other operating systems are the last bastion of non-SSH connections. There are products for achieving SSH connections in that situation, but Microsoft said last summer that it plans to build SSH into its PowerShell system administration application. That is scheduled to ship by the middle of 2016 based on an OpenSSH port, but will also have Redmond's proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer — a move that drew criticism on a Microsoft blog post.

Comments

Google Announces Android Wear Update With WiFi Support, Always-On Apps, And More

It has been a while since Android Wear got any substantial updates, but today Google is announcing a big one. A new version of Wear will be rolling out over the coming weeks that includes a number of previously rumored features (like WiFi support) and some all new stuff (like always-on apps). Most Wear devices use the always-on ambient mode for the watch face by default, the Moto 360 being a notable exception. The new Android Wear version allows apps to operate in ambient mode too, so they remain active when the watch goes to sleep. That makes it easier to take a quick glance at the app instead of waking the device up and opening the app all over again. The watch will still only go into full-color mode when necessary. WiFi support is also coming in the update, which means your watch can be useful even if your phone isn't connected. Watches with WiFi support will be able to connect to WiFi and still get messages and notifications from your phone, provided it has an interne...

Budding #entrepreneur from Chandigarh University!!

Budding #entrepreneur from Chandigarh University!! #CU #students unfolded their creative ideas and presented them with a productive shape! Meet Our #Automobile #Engineering student - Trilok Singh, who has started his own start-up with the name GEARR TECHNOLOGIES under the guidance of CU-TBI. This start up focuses on affordable high end #Bicycles and its high #technology equipment’s. This start- up will bring to the Indian audience the scope of Products, #innovation, creativity and customization available in the market. Watch the video!!

The Eight Most Impactful Excel Shortcuts That You Should Master

If you’ve ever gone online to research improving your Excel skills, you’ve undoubtedly come across a post or two listing all of Excel’s keyboard shortcuts. In the latest version of Excel, Microsoft has made it easier than ever to learn shortcuts, by assigning shortcuts to nearly every function and making the discovery of the input sequence very transparent. While memorizing Excel shortcuts will generally improve your productivity, not all shortcuts are created equal. Shortcuts that you never use are not inherently not very useful and not worth memorizing. Your focus should be on the shortcuts that have the most impact – either by the amount of time it saves you, the frequency that you’ll use them, or the behavior it encourages. If you’ve already started using Excel or just haven’t utilized shortcuts heavily before, review the top eight shortcuts below. For any that you don’t know already, I would suggest memorizing them and incorp...

Facebook will verify the location of U.S. election ad buyers by mailing them postcards

Facebook’s global director of policy programs says it will start sending postcards by snail mail to verify buyers of ads related to United States elections. Katie Harbath, who described the plan at a conference held by the National Association of Secretaries of State this weekend, didn’t reveal when the program will start, but told Reuters that it would be before the Congressional midterm elections in November. The cards will be sent to people who want to purchase ads that mention candidates running for federal offices, but not issue-based political ads, Harbath said, and contain a code that buyers need to enter to verify that they are in the U.S. The program is similar to ones used by Google My Business and Nextdoor when they need to verify business owners or users who want to join closed neighborhood groups, respectively. Harbath told Reuters that the postcards “won’t solve everything,” but were the most effective method the company came up with to prevent people from using fa...

South Korea aims for startup gold

Back in 2011, when South Korea won its longshot bid to host the 2018 Winter Olympics, the country wasn’t widely recognized as a destination for ski and snow lovers. It wasn’t considered much of a tech startup hub either. Fast forward seven years and a lot has changed. For the next 10 days, the eyes of the world will be on the snowy slopes of PyeongChang. Meanwhile, a couple of hours away in Seoul, a burgeoning startup scene is seeing investments multiply, generating exits and even creating a unicorn or two. While South Korea doesn’t get a perfect score as a startup innovation hub, it has established itself as a serious contender. More than half a billion dollars annually has gone to seed through late-stage funding rounds for the past few years. During that time, at least two companies, e-commerce company Coupang and mobile-focused content and commerce company Yello Mobile, have established multi-billion-dollar valuations. To provide a broader picture of how South Korea stacks ...

Exciting Technology

Search This Blog