Skip to main content

SSH getting a security tune-up from NIST and IETF

Image
By
 Image: iStock/bluebay2014
Secure Shell, among the most common protocols for safely accessing a remote computer across the internet, is getting a fresh security examination from the US government and an internet standards body.
SSH emerged in the 1990s, became more popular than legacy protocols such as Telnet in the 2000s, and now is starting to show its age. The current version called SSH-2 has been on the losing side of notable hacks and is vulnerable tobrute-force attacks, which may start happening more often with a Microsoft implementation due soon.
The newest concern is mismanagement of SSH keys, according to a report(PDF) issued October 2015 by the National Institute of Standards and Technology (NIST). "We are in a position where some organizations have 50 times more SSH keys than they have people," said Tatu Ylönen, who coauthored the report and invented SSH in 1995.
"We are in a position where some organizations have 50 times more SSH keys than they have people."Tatu Ylönen
Trouble begins when employees create new keys without their IT staff being aware and continues when people leave companies but their SSH keys remain, Ylönen said. Hackers exploit unmanaged or forgotten keys, so the more prominent the protocol becomes, the greater its risk, he explained. Ylönen's own company, SSH Communications Security, sells software to address this for very large organizations, but for most businesses, "There haven't been any controls, no policies, and the keys haven't been removed," he cautioned.
The alarm from Ylönen is not a new one, but NIST hoisting the flag is an eye-opener. The report gives 13 suggestions for safely managing SSH keys, mostly focusing on issues such as key lifespans and privileges. Auditing, testing, and deploying are also covered in detail.
Many IT departments may not realize that key management tools are already available to them in the very popular OpenSSH implementation. Damien Miller, who maintains the implementation, cited examples such as support for public keys managed by administrators rather than users, keys held on tokens, hooks that allow command access to fetch keys, and certificates for lifespans.
"Broadly speaking, our medium-term priorities area to continue getting rid of bad/legacy crypto as fast as we can without causing excessive user pain and continue ... refactoring and modernization of OpenSSH's internals. As we're refactoring, we're writing unit and fuzz tests as we go to improve correctness and security," Miller added.
Ed Skoudis, a security instructor at training company SANS Institute, said these improvements make sense. "The biggest weakness [of SSH] is the management and storage of the keys," he said. "That's why I think what NIST has done is really good."
Another way to keep SSH secure is to prevent people from using obsolete cryptography algorithms, said officials at the Internet Engineering Task Force(IETF), which manages the actual protocol. There aren't any plans to upgrade SSH-2, although security experts on Nov. 18, 2015 proposed a new working group to formally deprecate outdated methods. This will apply to several protocols, not just SSH, they said. The new group's proposed name is CURDLE: "CURves, Deprecating and a Little more Encryption."
"As with many modern protocols, the SSH protocol has been designed to support algorithm agility, that is, the ability to update the cryptographic algorithms used, without other changes being needed to the protocol," CURDLE leader Stephen Farrell said. "There are currently discussions ongoing... as to how best to incorporate new crypto into the SSH protocol. So far that hasn't shown a need for a new SSH working group but should one be needed, we'd form one. Instead we may form a working group that handles adding, e.g., the new elliptic curves specifications from the [Crypto Forum Research Group] across a number of protocols at once."
SANS' Skoudis added that network communications between Microsoft Windows and other operating systems are the last bastion of non-SSH connections. There are products for achieving SSH connections in that situation, but Microsoft said last summer that it plans to build SSH into its PowerShell system administration application. That is scheduled to ship by the middle of 2016 based on an OpenSSH port, but will also have Redmond's proprietary cryptology interfaces rather than standard open-source implementations of the Secure Sockets Layer — a move that drew criticism on a Microsoft blog post.

Comments

Post a Comment

Popular posts from this blog

Top 20 WordPress Interview Questions and Answers

By
Top 40 WordPress Interview Questions and Answers  for freshers and experienced are below are below : 1. What is WordPress? WordPress is an online, open source website creation tool written in PHP. But in non-geek speak, it's probably the easiest and most powerful blogging and website content management system (or CMS) in existence today. 2. Different between WordPress.com vs WordPress.org? WordPress.com (fully hosted) Focus on your beautiful content, and let us handle the rest. WordPress.org (self-hosted) Get your hands dirty, and host your website yourself. refer official URL: https://en.support.wordpress.com/com-vs-org/ for more details. 3. Use of WordPress? WordPress is a free and open-source blogging tool and a content management system (CMS) based on PHP and MySQL. Features include a plugin architecture and a template system. WordPress was used by more than 23.3% of the top 10 million websites as of January 2015 4. feature of WordPress? Here are some of the featu...
Post a Comment
Read more

IT Where

By
#Responsive_Webdesign  start from #7500, #hosting_Service  Start from #3300 Per Year #get   #your   #special  offers at  Itwhere Pondy #Digital_Marketing  , #SEO , #Product_Branding  at Itwhere Pondy Email:info@itwheretech.co. in M:+91 9092734853 www.itwheretech.co.in
Post a Comment
Read more

How Education Will Be Smarter, Less Intrusive, And Able To Respond To How You Feel

By
Impatience characterizes the technology sector’s approach to education. Disruption is taking place in all other sectors of society — so, why not education? I know too well, whether at Pearson or in the classroom, the challenges and frustration of developing and using digital tools that improve outcomes for students. But I’m optimistic. We are on the verge of a tide of smarter innovation that, if allowed to spread, will turbocharge the learning experience for students. Here are four areas worth watching: 1. Using technology to learn from learners Every great digital product constantly evolves by learning from its users, adding capabilities, and improving its performance. If it’s true for your Facebook feed, then why not education? The potential is there, as the OECD’s recent report on  Students, Computers and Learning  (OECD) incidentally showed how clickstream and tracking navigation in digital readers can be used to see how students process online text and...
Post a Comment
Read more

Phoenix OS is (another) Android-as-a-desktop

By
Google Android may have been developed as a smartphone operating system (and later ported to tablets, TVs, watches, and other platforms), but over the past few years we’ve seen a number of attempts to turn it into a desktop operating system. One of the most successful has been  Remix OS , which gives Android a taskbar, start menu, and an excellent window management system. The Remix OS team has also generated a lot of buzz over the past year, and this week the operating system gained a lot of new alpha testers thanks to a  downloadable version of Remix OS  that you can run on many recent desktop or notebook computers. But Remix OS isn’t the only game in town.  Phoenix OS  is another Android-as-desktop operating system, and while it’s still pretty rough around the edges, there are a few features that could make it a better option for some testers. Some background I first discovered Phoenix OS from  a post in the Remix OS Google Group , altho...
3 comments
Read more

Google Announces Android Wear Update With WiFi Support, Always-On Apps, And More

By
It has been a while since Android Wear got any substantial updates, but today Google is announcing a big one. A new version of Wear will be rolling out over the coming weeks that includes a number of previously rumored features (like WiFi support) and some all new stuff (like always-on apps). Most Wear devices use the always-on ambient mode for the watch face by default, the Moto 360 being a notable exception. The new Android Wear version allows apps to operate in ambient mode too, so they remain active when the watch goes to sleep. That makes it easier to take a quick glance at the app instead of waking the device up and opening the app all over again. The watch will still only go into full-color mode when necessary. WiFi support is also coming in the update, which means your watch can be useful even if your phone isn't connected. Watches with WiFi support will be able to connect to WiFi and still get messages and notifications from your phone, provided it has an interne...
Post a Comment
Read more