
SSH getting a security tune-up from NIST and IETF

Secure Shell, among the most common protocols for safely accessing a remote computer across the internet, is getting a fresh security examination from the US government and an internet standards body.
SSH emerged in the 1990s, became more popular than legacy protocols such as Telnet in the 2000s, and now is starting to show its age. The current version, SSH-2, has been on the losing side of notable hacks and is vulnerable to brute-force attacks, which may start happening more often with a Microsoft implementation due soon.
The newest concern is mismanagement of SSH keys, according to a report (PDF) issued October 2015 by the National Institute of Standards and Technology (NIST). "We are in a position where some organizations have 50 times more SSH keys than they have people," said Tatu Ylönen, who coauthored the report and invented SSH in 1995.
Trouble begins when employees create new keys without their IT staff being aware and continues when people leave companies but their SSH keys remain, Ylönen said. Hackers exploit unmanaged or forgotten keys, so the more prominent the protocol becomes, the greater its risk, he explained. Ylönen's own company, SSH Communications Security, sells software to address this for very large organizations, but for most businesses, "There haven't been any controls, no policies, and the keys haven't been removed," he cautioned.
The alarm from Ylönen is not a new one, but NIST hoisting the flag is an eye-opener. The report gives 13 suggestions for safely managing SSH keys, mostly focusing on issues such as key lifespans and privileges. Auditing, testing, and deploying are also covered in detail.
Many IT departments may not realize that key management tools are already available to them in the very popular OpenSSH implementation. Damien Miller, who maintains the implementation, cited examples such as support for public keys managed by administrators rather than users, keys held on tokens, hooks that allow command access to fetch keys, and certificates for lifespans.
"Broadly speaking, our medium-term priorities are to continue getting rid of bad/legacy crypto as fast as we can without causing excessive user pain and continue ... refactoring and modernization of OpenSSH's internals. As we're refactoring, we're writing unit and fuzz tests as we go to improve correctness and security," Miller added.
Ed Skoudis, a security instructor at training company SANS Institute, said these improvements make sense. "The biggest weakness [of SSH] is the management and storage of the keys," he said. "That's why I think what NIST has done is really good."
Another way to keep SSH secure is to prevent people from using obsolete cryptography algorithms, said officials at the Internet Engineering Task Force (IETF), which manages the actual protocol. There aren't any plans to upgrade SSH-2, although security experts on Nov. 18, 2015 proposed a new working group to formally deprecate outdated methods. This will apply to several protocols, not just SSH, they said. The new group's proposed name is CURDLE: "CURves, Deprecating and a Little more Encryption."
"As with many modern protocols, the SSH protocol has been designed to support algorithm agility, that is, the ability to update the cryptographic algorithms used, without other changes being needed to the protocol," CURDLE leader Stephen Farrell said. "There are currently discussions ongoing... as to how best to incorporate new crypto into the SSH protocol. So far that hasn't shown a need for a new SSH working group but should one be needed, we'd form one. Instead we may form a working group that handles adding, e.g., the new elliptic curves specifications from the [Crypto Forum Research Group] across a number of protocols at once."
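As an added example (not from the article, the NIST report, or OpenSSH), the audit below decodes the key blobs in an authorized_keys file to flag the conditions the two passages above describe: keys that nobody restricted with from=/command= options, keys without a comment identifying an owner, obsolete ssh-dss keys, and undersized RSA keys. The policy thresholds, the sample file and the key blobs are all constructed for the demonstration.

```python
import base64
import struct
OBSOLETE_TYPES = {"ssh-dss"}  # policy assumed here: ssh-dss is obsolete ...
MIN_RSA_BITS = 2048  # ... and RSA moduli under 2048 bits fail the audit
def _string(b):  # SSH wire-format string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _mpint(x):  # SSH mpint: big-endian, extra leading 0x00 when the high bit is set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n
def rsa_bits(blob):  # decoded ssh-rsa blob layout: type string, mpint e, mpint n
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)
    return int.from_bytes(_read_string(blob, off)[0], "big").bit_length()
def audit_line(line):
    """Findings for one authorized_keys line; an empty list means the line is clean."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return []
    for i in range(len(fields) - 1):  # options such as from=/command= may precede the type
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            ktype, _ = _read_string(blob, 0)
        except (ValueError, struct.error):
            continue
        if ktype == fields[i].encode():
            break
    else:
        return ["unparseable line"]
    bits = rsa_bits(blob) if fields[i] == "ssh-rsa" else None
    checks = [
        (fields[i] in OBSOLETE_TYPES, f"obsolete key type {fields[i]}"),
        (bits is not None and bits < MIN_RSA_BITS, f"rsa modulus {bits} bits < {MIN_RSA_BITS}"),
        (i == 0, "no from=/command= restriction"),
        (len(fields) < i + 3, "no comment, owner unknown"),
    ]
    return [msg for hit, msg in checks if hit]
def audit(text):  # 1-based line number -> findings, for every key line that has any
    return {no: f for no, line in enumerate(text.splitlines(), 1) if (f := audit_line(line))}
def make_rsa_blob(bits):  # constructed ssh-rsa blob of the requested size, not a real key
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)).decode()
SAMPLE = "\n".join([  # constructed authorized_keys file for the demonstration
    "# constructed sample, not real keys",
    f'from="10.0.0.0/8",command="/usr/bin/backup" ssh-rsa {make_rsa_blob(3072)} backup@bastion',
    f"ssh-rsa {make_rsa_blob(1024)} legacy-build-box",
    "ssh-dss " + base64.b64encode(_string(b"ssh-dss") + b"".join(_mpint(v) for v in (7, 5, 3, 2))).decode(),
])
```

Running `audit(SAMPLE)` reports nothing for the restricted, commented 3072-bit key and lists findings for the other two lines; pointing it at every user's authorized_keys file on a host gives the inventory the NIST report says most organizations lack.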
SANS' Skoudis added that network communications between Microsoft Windows and other operating systems are the last bastion of non-SSH connections. There are products for achieving SSH connections in that situation, but Microsoft said last summer that it plans to build SSH into its PowerShell system administration application. That is scheduled to ship by the middle of 2016 based on an OpenSSH port, but will also have Redmond's proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer — a move that drew criticism on a Microsoft blog post.