Skip to main content

SSH getting a security tune-up from NIST and IETF

 Image: iStock/bluebay2014
Secure Shell, among the most common protocols for safely accessing a remote computer across the internet, is getting a fresh security examination from the US government and an internet standards body.
SSH emerged in the 1990s, became more popular than legacy protocols such as Telnet in the 2000s, and now is starting to show its age. The current version called SSH-2 has been on the losing side of notable hacks and is vulnerable tobrute-force attacks, which may start happening more often with a Microsoft implementation due soon.
The newest concern is mismanagement of SSH keys, according to a report(PDF) issued October 2015 by the National Institute of Standards and Technology (NIST). "We are in a position where some organizations have 50 times more SSH keys than they have people," said Tatu Ylönen, who coauthored the report and invented SSH in 1995.
"We are in a position where some organizations have 50 times more SSH keys than they have people."Tatu Ylönen
Trouble begins when employees create new keys without their IT staff being aware and continues when people leave companies but their SSH keys remain, Ylönen said. Hackers exploit unmanaged or forgotten keys, so the more prominent the protocol becomes, the greater its risk, he explained. Ylönen's own company, SSH Communications Security, sells software to address this for very large organizations, but for most businesses, "There haven't been any controls, no policies, and the keys haven't been removed," he cautioned.
The alarm from Ylönen is not a new one, but NIST hoisting the flag is an eye-opener. The report gives 13 suggestions for safely managing SSH keys, mostly focusing on issues such as key lifespans and privileges. Auditing, testing, and deploying are also covered in detail.
Many IT departments may not realize that key management tools are already available to them in the very popular OpenSSH implementation. Damien Miller, who maintains the implementation, cited examples such as support for public keys managed by administrators rather than users, keys held on tokens, hooks that allow command access to fetch keys, and certificates for lifespans.
"Broadly speaking, our medium-term priorities area to continue getting rid of bad/legacy crypto as fast as we can without causing excessive user pain and continue ... refactoring and modernization of OpenSSH's internals. As we're refactoring, we're writing unit and fuzz tests as we go to improve correctness and security," Miller added.
Ed Skoudis, a security instructor at training company SANS Institute, said these improvements make sense. "The biggest weakness [of SSH] is the management and storage of the keys," he said. "That's why I think what NIST has done is really good."
Another way to keep SSH secure is to prevent people from using obsolete cryptography algorithms, said officials at the Internet Engineering Task Force(IETF), which manages the actual protocol. There aren't any plans to upgrade SSH-2, although security experts on Nov. 18, 2015 proposed a new working group to formally deprecate outdated methods. This will apply to several protocols, not just SSH, they said. The new group's proposed name is CURDLE: "CURves, Deprecating and a Little more Encryption."
"As with many modern protocols, the SSH protocol has been designed to support algorithm agility, that is, the ability to update the cryptographic algorithms used, without other changes being needed to the protocol," CURDLE leader Stephen Farrell said. "There are currently discussions ongoing... as to how best to incorporate new crypto into the SSH protocol. So far that hasn't shown a need for a new SSH working group but should one be needed, we'd form one. Instead we may form a working group that handles adding, e.g., the new elliptic curves specifications from the [Crypto Forum Research Group] across a number of protocols at once."
SANS' Skoudis added that network communications between Microsoft Windows and other operating systems are the last bastion of non-SSH connections. There are products for achieving SSH connections in that situation, but Microsoft said last summer that it plans to build SSH into its PowerShell system administration application. That is scheduled to ship by the middle of 2016 based on an OpenSSH port, but will also have Redmond's proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer — a move that drew criticism on a Microsoft blog post.

Comments

Popular posts from this blog

Five budget-friendly open source storage servers

Storage is essential for the enterprise: Data must be stored. Data must be retrieved. Data must be shared. Data must be secured. At the same time, storage must not consume the entirety of your IT budget. Fortunately, you can find effective solutions in the world of open source. Outside of cost effectiveness, one of the biggest benefits of these solutions is the ability to modify them to perfectly fit your needs. You can make minor changes or even roll your own storage solution based on one of these tools. If you want enterprise support and a "solution in a can" that will meet just about any enterprise storage need, you should turn to Red Hat or SUSE. Both Linux-based companies offer some of the most powerful enterprise-ready tools on the market. But if you'd rather get your hands dirty and craft something of your own—something that won't demolish your budget—these five open source tools are a great place to start. 1: ownCloud ownCloud ( Figure ...

Google Announces “Purchases On Google” For Buying Straight From PLAs And Other Mobile Shopping Updates

The much-anticipated buy button in Google search ads is finally here. Called Purchases On Google, it turns out the new feature isn’t a button at all. “Buy on Google” messaging will appear in eligible product listing ads on both iOS and Android smartphones. Purchases on Google is launching in a very limited pilot with select retailers. When consumers click on Purchases On Google-enabled ads, they’ll be taken to a page hosted by Google where they can make a purchase using payment criteria stored with Google. The orders are then passed through to the retailer for fulfillment and any customer service follow up. Check out our full coverage  where you’ll find many more details about Purchases On Google on our sister site Marketing Land. Google also announced several of other updates to mobile PLAs: New Mobile Shopping Ad Formats For Voice Search When consumers use voice search to find products, Google is starting to show...

Iron Man Galaxy S6 Edge Arrives With An Arc Reactor Charger

Samsung’s  Iron Man-branded Galaxy S6 Edge  arrives tomorrow, with a custom paint job, 64GB of on-board storage and a limited edition wireless charger accessory with an appropriate arc reactor graphic included on top. It ships with a clear cover, too, so you can protect your precious “armor” when ticketing around in the real world. The box it comes in is also red and gold, and there’s a big ol’ Iron Man helmet stencil graphic on the back of the device, too, as well as a software theme to match. I probably would’ve left off the face personally, letting the colors speak for themselves, but this was a partnership with Marvel with the intent of promoting the new Avengers film oversees, so they probably could’ve been a lot less tasteful with the branding overall. The sad news for those of you who were hoping to advertise their Stark fandom on their phones is that availability is listed as only Korea as of tomorrow, with sales beginning in China and Hong Kong...

Visa confirms Coinbase wasn’t at fault for overcharging users

Yesterday, we wrote that Coinbase customers were being charged multiple times for past transactions. While some speculated that the erroneous withdraws were down to a Coinbase engineering issue, Coinbase issued a statement saying it wasn’t liable for the duplicate charges. The blame, instead, rested with Visa for the way it handled a migration of merchant categories for cryptocurrencies, Coinbase said. While you can read my post yesterday for an in-depth description of what happened, the basic gist is that Visa refunded and recharged (under a different merchant category) a month of old transactions. Many users saw the recharge come through before the refund processed, making it look like they were double charged. Honestly, the issue was likely exacerbated by existing payment rails — it’s normal for refunds to take multiple days to show up on credit and debit statements. But here’s where it gets weird — this morning Visa issued a statement to some publications shifting the blam...

Trump cites Facebook exec’s comments downplaying Russian ad influence on election

You’d be forgiven for missing Donald Trump’s multiple retweets of Facebook executive Rob Goldman over the weekend. Perhaps you were spending time with family, watching Black Panther or just attempting to forget politics for a moment by ignoring the manic flurry of social media updates from the leader of the free world. But in amongst a deluge of tweets that blamed Democrats for failing to preserve DACA, called out the FBI over the recent school shooting in Florida on the FBI and affectionately referred to a member of congress as “Liddle’ Adam Schiff, the leakin’ monster of no control,” the President cited Facebook’s VP of Ads as evidence against claims that his campaign colluded with Russia. “The Fake News Media never fails,” Trump tweeted over the weekend. “Hard to ignore this fact from the Vice President of Facebook Ads, Rob Goldman!” Trump was citing Goldman’s own Twitter dump over the past week, responding to Special Counsel Robert Mueller’s recent indictment of 13 Russian...