2013/9/8 Aviram Jenik <avi...@jenik.com>:
> I'm only taking a wild guess here. To be clear, I have no inside knowledge
> and my guess is probably as good as anyone else's. But if I had to bet this
> is where I would put my money.
>
> Either:
>
> 1. They have a 0-day against SSH (e.g. if you have ssh running they can
> login to your box)
> 2. They are aware of a weakness in the openssh implementation, unrelated to
> the encryption itself
>
> Pressed against the wall, I would go for option 1. But I wouldn't rule out
> option 2. I *would* bet against them being able to break the encryption
> itself.
>
> Why? Because obviously, it's much easier to break the implementation than
> the encryption. I find it hard to believe the NSA can easily break AES or
> 3DES, and I find it easy to believe they found a flaw or weakness in the
> implementation. It's that simple.
> The question "is encryption ABC safe" is nowadays a purely academic question
> and only academics care about them (no offense Oleg).
>
> A quick note on Eliyahu's list:
>
> 1. I don't think allowing root login is a huge issue
> 2. Likewise with password authentication
> 3. We rarely see SSHv1 being allowed in modern systems - I don't believe
> that's been the default for a while now

I was talking about *clients*: almost all clients are still default "2 try 1",
even on modern Linux systems. A quick look on my laptop shows that the default
on Ubuntu 13.04 thankfully is 2 only, but I know that when I looked at it more
than a year ago it was not the default. PuTTY and WinSCP last time I used them
still defaulted to 2+1 unless you consciously set them to 2 only....

I don't have "old" systems to check on anymore, but on CentOS 5, which is still
a very widely used production system, IIRC the default for the client was 2+1,
the server was 2 only.

Regards,
Eliyahu - אליהו

> 4. Likewise, I think having SSHv2 only is the default for years (but I could
> be wrong, of course)
>
>
>
> On Sun, Sep 8, 2013 at 9:19 PM, Oleg Goldshmidt <p...@goldshmidt.org> wrote:
>>
>>
>> Hi,
>>
>> I am not hopeful to secure much of anything against the likes of NSA or
>> GCHQ. However, my curiosity woke up when the latest
>> NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much
>> of Internet encryption were accompanied by graphics like
>>
>> http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html
>>
>> Now, NYT is hardly a technical authority, but I assume they have
>> technically competent sources and advisers. The above page lists Cisco,
>> Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),
>> and EFF as sources.
>>
>> I shrug at HTTPS/SSL/TLS/VPN/Skype, IM - nothing surprises there. The
>> only part that is somewhat surprising (and particularly relevant to
>> Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion
>> justified?
>>
>> A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the
>> Ciphers section and the default preference list for v2 ciphers, with
>> AES-128 in the leading position. Can any security/cryptography guru here
>> (Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?
>> AES-256 still seems to be regarded as NSA-safe (but not RC4?
>> http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/).
>> Is it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment
>> on performance impact of using AES-256 vs. AES-128 for the usual
>> scenarios?
>>
>> I am not sure I quite understand the implications of AES-128 and AES-256
>> both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA
>> assume that anything they can break others can break, too, so Type 1
>> product being defined as "endorsed by the NSA for securing classified
>> and sensitive U.S. Government information, when appropriately keyed"
>> hopefully means NSA cannot break it. However, there is also
>> Type-1/Suite-A... Suite A being seemingly regarded as even more secure
>> than Suite B (is it?) goes against the common cryptographic wisdom that
>> says "disclosed algos deserve more trust". Is it an indication that (at
>> least) AES-128 may be somewhat vulnerable? Or is it only because AES was
>> not historically NSA-sourced that it is in Suite B and not in Suite A?
>>
>> http://en.wikipedia.org/wiki/Type_1_product
>> http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
>> http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography
>>
>> Back to NYT graphics: Another, more mundane possibility is that NSA's
>> "partial success" against SSH (and/or OpenSSH implementation) means that
>> SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That
>> would not be a big surprise (at least the DES part).
>>
>> I am not changing the default SSHv2 Ciphers configuration unless someone
>> I trust says AES-128 is suspect. And maybe not even then... But
>> curiosity is killing this cat...
>>
>> --
>> Oleg Goldshmidt | p...@goldshmidt.org
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il@cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
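As an added illustration, not code from anyone in the thread, here is a small checker for the two settings the thread turns on: the `Protocol` line (whether a "2,1" default still permits fallback to SSHv1) and the `Ciphers` preference list (whether AES-128 or AES-256 sits in the leading position, and whether 3DES/CBC entries remain). The two configs are constructed samples modelled on the defaults described above; the "2,1" client default and "2" server default are taken from the thread's observations.

```python
import re

# Constructed sample configs, modelled on the defaults the thread describes:
# an older client that still falls back to SSHv1, and a v2-only server.
OLD_CLIENT_CONFIG = """
Host *
    Protocol 2,1
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
"""
V2_ONLY_SERVER_CONFIG = """
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
"""

def parse_ssh_config(text):
    """Map each keyword (lower-cased) to its first value, as OpenSSH does.
    Comments/blank lines are skipped; 'key value' and 'key=value' are accepted.
    Host/Match sections are not modelled (a simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)[\s=]+(.+)", line)
        if m and m.group(1).lower() not in settings:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def check_ssh_config(text, default_protocol="2,1"):
    """Report on the two settings the thread discusses; returns
    (allows_v1, lead_cipher, findings). default_protocol applies when no
    Protocol line exists: "2,1" (try v2, fall back to v1) was the old client
    default, servers of that era defaulted to "2" (assumed from the thread)."""
    cfg = parse_ssh_config(text)
    protocol = cfg.get("protocol", default_protocol)
    allows_v1 = "1" in {v.strip() for v in protocol.split(",")}
    ciphers = [c.strip() for c in cfg.get("ciphers", "").split(",") if c.strip()]
    lead = ciphers[0] if ciphers else None
    findings = []
    if allows_v1:
        findings.append("Protocol '%s' permits fallback to SSHv1; set 'Protocol 2'" % protocol)
    if lead is None:
        findings.append("Ciphers unset: OpenSSH's built-in default list applies (AES-128 first)")
    elif not lead.startswith("aes256"):
        findings.append("Ciphers list leads with %s, not an AES-256 cipher" % lead)
    legacy = [c for c in ciphers if "3des" in c or c.endswith("-cbc")]
    if legacy:
        findings.append("Legacy ciphers still enabled: %s" % ", ".join(legacy))
    return allows_v1, lead, findings
```

Run it over the text of a real `~/.ssh/config` or `/etc/ssh/sshd_config` (passing `default_protocol="2"` for a server) to see which of the thread's concerns apply to that host.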