SSH getting a security tune-up from NIST and IETF

Secure Shell, among the most common protocols for safely accessing a remote computer across the internet, is getting a fresh security examination from the US government and an internet standards body.

SSH emerged in the 1990s, became more popular than legacy protocols such as Telnet in the 2000s, and now is starting to show its age. The current version called SSH-2 has been on the losing side of notable hacks and is vulnerable tobrute-force attacks, which may start happening more often with a Microsoft implementation due soon.

The newest concern is mismanagement of SSH keys, according to a report(PDF) issued October 2015 by the National Institute of Standards and Technology (NIST). "We are in a position where some organizations have 50 times more SSH keys than they have people," said Tatu Ylönen, who coauthored the report and invented SSH in 1995.

"We are in a position where some organizations have 50 times more SSH keys than they have people."Tatu Ylönen

Trouble begins when employees create new keys without their IT staff being aware and continues when people leave companies but their SSH keys remain, Ylönen said. Hackers exploit unmanaged or forgotten keys, so the more prominent the protocol becomes, the greater its risk, he explained. Ylönen's own company, SSH Communications Security, sells software to address this for very large organizations, but for most businesses, "There haven't been any controls, no policies, and the keys haven't been removed," he cautioned.

The alarm from Ylönen is not a new one, but NIST hoisting the flag is an eye-opener. The report gives 13 suggestions for safely managing SSH keys, mostly focusing on issues such as key lifespans and privileges. Auditing, testing, and deploying are also covered in detail.

Many IT departments may not realize that key management tools are already available to them in the very popular OpenSSH implementation. Damien Miller, who maintains the implementation, cited examples such as support for public keys managed by administrators rather than users, keys held on tokens, hooks that allow command access to fetch keys, and certificates for lifespans.

"Broadly speaking, our medium-term priorities area to continue getting rid of bad/legacy crypto as fast as we can without causing excessive user pain and continue ... refactoring and modernization of OpenSSH's internals. As we're refactoring, we're writing unit and fuzz tests as we go to improve correctness and security," Miller added.

Ed Skoudis, a security instructor at training company SANS Institute, said these improvements make sense. "The biggest weakness [of SSH] is the management and storage of the keys," he said. "That's why I think what NIST has done is really good."

Another way to keep SSH secure is to prevent people from using obsolete cryptography algorithms, said officials at the Internet Engineering Task Force(IETF), which manages the actual protocol. There aren't any plans to upgrade SSH-2, although security experts on Nov. 18, 2015 proposed a new working group to formally deprecate outdated methods. This will apply to several protocols, not just SSH, they said. The new group's proposed name is CURDLE: "CURves, Deprecating and a Little more Encryption."

"As with many modern protocols, the SSH protocol has been designed to support algorithm agility, that is, the ability to update the cryptographic algorithms used, without other changes being needed to the protocol," CURDLE leader Stephen Farrell said. "There are currently discussions ongoing... as to how best to incorporate new crypto into the SSH protocol. So far that hasn't shown a need for a new SSH working group but should one be needed, we'd form one. Instead we may form a working group that handles adding, e.g., the new elliptic curves specifications from the [Crypto Forum Research Group] across a number of protocols at once."

SANS' Skoudis added that network communications between Microsoft Windows and other operating systems are the last bastion of non-SSH connections. There are products for achieving SSH connections in that situation, but Microsoft said last summer that it plans to build SSH into its PowerShell system administration application. That is scheduled to ship by the middle of 2016 based on an OpenSSH port, but will also have Redmond's proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer — a move that drew criticism on a Microsoft blog post.

Comments

eGym raises $45M Series C for cloud-connected gym equipment and fitness software

eGym , the Munich-based startup that offers cloud-connected gym equipment and supporting cloud software and app for the fitness training floor, has closed $45 million in Series C funding. The round was led by new investor HPE Growth Capital, while existing investors, including Highland Europe, also participated. The problem that eGym is looking to solve is that, whilst gyms have moved from a bodybuilder market to a mass market in the last 20 years, the technology in gyms lags behind. That’s despite the fact that better use of technology can help to reduce customer churn, the biggest pain-point of both gym operator and gym users. Comprising of an app for both gym user and trainer, combined with the company’s connected strength machines, the eGym Cloud makes it possible for gym members to receive better fitness instruction and an evolving and personalised fitness plan based on data collected as they workout. And by providing a better workout feedback loop, gym goers can get an i...

Building a smarter home

The Jetsons presented a highly entertaining vision of what homes of the future would look like . The animated television show anticipated a world where humans would be able to do everything with just the push of a button. In many ways, the show turned out to be prophetic; today we have printable food, video chats, smartwatches and robots that help with housework — and flying cars may even be on the way. The challenge for companies is to integrate digital technologies in meaningful ways that enhance people’s homes and improve their lives. Many of the innovations to emerge over the past few years have been geared toward this kind of “push-button living.” Thanks to the rise of smartphones and the proliferation of cheap sensors, it is possible to make just about any household appliance “smart” and “connected.” By 2019, companies are expected to ship 1.9 billion connected home devices, bringing in about $490 billion in revenue. ...

Careless USB removal causes multiple deaths

EIGHTEEN workers have died after a USB stick was removed from a computer without adequate precautions. The offices of Hereford-based Envision Photography were completely destroyed in the ensuing blast. Survivor Norman Steele said: “My colleague Helen had put some files on the stick to work on at home, and she yanked it out of the computer before anyone could scream ‘no’. “I kicked her aside as a jet of white-hot flame belched out of the USB port and set fire to the desk opposite. “Grabbing her, I dived through the window just before all the PCs in the network exploded with purple electricity that fried everyone in the building. “I sprinted to my car, knowing that the printers were already becoming merciless hunter-killer drones, shouting for Helen to follow. “But when I looked round I saw her frozen, something glowing in her hand, the awareness dawning of her fate. She was still holding the USB. “She detonated in a flash of ultraviolet light that turned eve...

Airbnb will open its Cuba listings to users outside the United States

Airbnb will now let travelers from outside the U.S. to book properties in Cuba after receiving authorization from the U.S. government, reports the Associated Press . Previously, only Americans were allowed to reserve the site’s Cuban listings . They will open to international users on April 2. Airbnb launched its Cuban operations in April 2014 , four months after the Obama administration revealed that it will begin to restore diplomatic relations with the Communist country . The historic policy change means that travel and trade sanctions will be lifted , which is expected to boost tourism to Cuba dramatically because Americans no longer need licenses to visit. In fact, President Obama is currently on an official visit to Cuba , the first president since Calvin Coolidge to do so. According to the AP, Cuba is currently Airbnb’s fastest-growing market, with about 4,000 homes added since it opened listings. Other travel businesses...

Oculus’ New $99 Samsung Gear VR Makes Serious Virtual Reality Affordable

At half the price of its last mobile VR headset, the new $99 Oculus-made Samsung Gear VR is cheap enough to unlock virtual reality for the mainstream. Revealed today at the Oculus Connect conference, it works with the whole 2015 line of Samsung Smartphones including the Note 5, S6, S6 Edge, and S6 Edge+. It will ship in November in time for Black Friday. Compared to the $199 previous Gear VRs that only worked with fewer phones, this headset will be a lot more accessible. The new Gear VR is 22% lighter, making it more comfortable to wear. The trackpad on the temple of the headset also now has a tactile directional pad on it so your finger will know where it’s touching. The previous Gear VRs had a smooth trackpad and sometimes it was to tough to know if you were touching it or just the unsensitive shell of the headset when you couldn’t see for yourself. There’s also a new Gear VR Gamepad which all the Oculus Connect conference attendees will get for free. It features an...

Exciting Technology

Search This Blog