I'm only taking a wild guess here. To be clear, I have no inside knowledge and my guess is probably as good as anyone else's. But if I had to bet this is where I would put my money.
Either:

1. They have a 0-day against SSH (e.g. if you have ssh running they can log in to your box)
2. They are aware of a weakness in the OpenSSH implementation, unrelated to the encryption itself

Pressed against the wall, I would go for option 1. But I wouldn't rule out option 2. I *would* bet against them being able to break the encryption itself. Why? Because obviously, it's much easier to break the implementation than the encryption. I find it hard to believe the NSA can easily break AES or 3DES, and I find it easy to believe they found a flaw or weakness in the implementation. It's that simple. The question "is encryption ABC safe" is nowadays a purely academic question and only academics care about it (no offense, Oleg).

A quick note on Elyahu's list:

1. I don't think allowing root login is a huge issue
2. Likewise with password authentication
3. We rarely see SSHv1 being allowed in modern systems - I don't believe that's been the default for a while now
4. Likewise, I think having SSHv2 only has been the default for years (but I could be wrong, of course)

On Sun, Sep 8, 2013 at 9:19 PM, Oleg Goldshmidt <p...@goldshmidt.org> wrote:
>
> Hi,
>
> I am not hopeful to secure much of anything against the likes of NSA or
> GCHQ. However, my curiosity woke up when the latest
> NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much
> of Internet encryption were accompanied by graphics like
>
> http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html
>
> Now, NYT is hardly a technical authority, but I assume they have
> technically competent sources and advisers. The above page lists Cisco,
> Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),
> and EFF as sources.
>
> I shrug at HTTPS/SSL/TLS/VPN/Skype/IM - nothing surprises there. The
> only part that is somewhat surprising (and particularly relevant to
> Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion
> justified?
>
> A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the
> Ciphers section and the default preference list for v2 ciphers, with
> AES-128 in the leading position. Can any security/cryptography guru here
> (Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?
> AES-256 still seems to be regarded as NSA-safe (but not RC4?
> http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/).
> Is it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment
> on the performance impact of using AES-256 vs. AES-128 for the usual
> scenarios?
>
> I am not sure I quite understand the implications of AES-128 and AES-256
> both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA
> assume that anything they can break others can break, too, so a Type 1
> product being defined as "endorsed by the NSA for securing classified
> and sensitive U.S. Government information, when appropriately keyed"
> hopefully means NSA cannot break it. However, there is also
> Type-1/Suite-A... Suite A being seemingly regarded as even more secure
> than Suite B (is it?) goes against the common cryptographic wisdom that
> says "disclosed algos deserve more trust". Is it an indication that (at
> least) AES-128 may be somewhat vulnerable? Or is it only because AES was
> not historically NSA-sourced that it is in Suite B and not in Suite A?
>
> http://en.wikipedia.org/wiki/Type_1_product
> http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
> http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography
>
> Back to the NYT graphics: Another, more mundane possibility is that NSA's
> "partial success" against SSH (and/or the OpenSSH implementation) means that
> SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That
> would not be a big surprise (at least the DES part).
>
> I am not changing the default SSHv2 Ciphers configuration unless someone
> I trust says AES-128 is suspect. And maybe not even then...
> But curiosity is killing this cat...
>
> --
> Oleg Goldshmidt | p...@goldshmidt.org
>
> _______________________________________________
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
_______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
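An added example, not code from either poster: a small POSIX shell audit that reads an sshd_config the way sshd does (first value per keyword wins, keywords are case-insensitive, `#` starts a comment) and flags the items debated above: SSHv1 in `Protocol`, `PermitRootLogin`, `PasswordAuthentication`, and legacy entries in `Ciphers` (RC4/arcfour, 3DES, any CBC-mode cipher). The two sample configs are constructed here for the demo; the "unset means yes" defaults for PermitRootLogin and PasswordAuthentication are those of OpenSSH releases current in 2013. The hardened `Ciphers` list that prefers AES-256 is one reasonable choice, not a recommendation from the thread.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the thread.
# Sample configs below are constructed; nothing here is read from a live host.

# Effective value of a keyword: sshd uses the first value it reads for each
# keyword, keyword matching is case-insensitive, and '#' begins a comment.
# (Match blocks are not handled; see the note below.)
sshd_opt() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one finding per line. Exit status 0 when nothing was flagged, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    n=0

    proto=$(sshd_opt "$cfg" Protocol)
    case ",$proto," in
        *,1,*) echo "Protocol: SSHv1 enabled ($proto)"; n=$((n+1)) ;;
    esac

    # Unset PermitRootLogin meant "yes" in OpenSSH releases of the time.
    root=$(sshd_opt "$cfg" PermitRootLogin)
    case ${root:-yes} in
        yes) echo "PermitRootLogin: yes (explicit or default)"; n=$((n+1)) ;;
    esac

    # Unset PasswordAuthentication defaults to "yes".
    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    case ${pw:-yes} in
        yes) echo "PasswordAuthentication: yes (explicit or default)"; n=$((n+1)) ;;
    esac

    # Legacy ciphers: RC4 (arcfour*), 3DES, and any CBC-mode cipher.
    # An absent Ciphers line leaves the build's default list and is not flagged.
    for c in $(sshd_opt "$cfg" Ciphers | tr ',' ' '); do
        case $c in
            arcfour*|3des*|*-cbc) echo "Ciphers: legacy cipher $c"; n=$((n+1)) ;;
        esac
    done

    [ "$n" -eq 0 ]
}

# Constructed sample: the permissive end of Elyahu's list.
write_weak_config() {
    cat >"$1" <<'EOF'
# constructed sample, not a real host's file
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,3des-cbc,arcfour
#Ciphers aes256-ctr
EOF
}

# Constructed sample: SSHv2 only, keys only, AES-256 preferred.
write_hardened_config() {
    cat >"$1" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_weak_config "$d/weak.conf"
    write_hardened_config "$d/hardened.conf"
    echo "== weak.conf =="
    audit_sshd_config "$d/weak.conf"
    echo "== hardened.conf =="
    audit_sshd_config "$d/hardened.conf" && echo "no findings"
    rm -rf "$d"
}

demo
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`. The first-value-wins rule matters in practice: a `Ciphers` line added at the bottom of a file that already has one near the top changes nothing, which is exactly the kind of mistake this check catches. Per-user or per-address `Match` blocks are not parsed here, so a `PasswordAuthentication yes` inside a `Match` block would be missed; `sshd -T` prints the fully resolved configuration if you need that.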