Re: SSH DSA logins on crank.
Hi,

On Tuesday 20 May 2008 15:50, Carl-Daniel Hailfinger wrote:
> I claim you didn't understand.

And you were right. :)

regards,
Holger

___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
Re: SSH DSA logins on crank.
Hi,

On Wednesday 21 May 2008 16:06, Chris Ball wrote:
> Yes. We have the openssh-blacklist package installed, which contains
> keyhashes of all possible weak keys and disallows logins using them.

AFAIK not all possible weak keys, but only for the most popular arches and
(definitely only) the popular key lengths.

regards,
Holger
Re: SSH DSA logins on crank.
Hi,

On 23.05.2008 17:16, Holger Levsen wrote:
> On Wednesday 21 May 2008 16:06, Chris Ball wrote:
>> Yes. We have the openssh-blacklist package installed, which contains
>> keyhashes of all possible weak keys and disallows logins using them.
>
> AFAIK not all possible weak keys, but only for the most popular arches and
> (definitely only) the popular key lengths.

Holger is right about the blacklist being a useful strict subset of all weak
keys. The good news is that ssh-keygen only allows 1024 bit DSA keys (the man
page says: "DSA keys must be exactly 1024 bits as specified by FIPS 186-2.").

Regards,
Carl-Daniel
Re: SSH DSA logins on crank.
On 23.05.2008 17:15, Holger Levsen wrote:
> On Tuesday 20 May 2008 15:50, Carl-Daniel Hailfinger wrote:
>> I claim [...]
>
> And you were right.

Thanks for checking my math.

Regards,
Carl-Daniel
Re: SSH DSA logins on crank.
> one reason would be that DSA is more secure than RSA. If you have a copy of
> the secret key from one end of the conversation and they are using RSA you
> can decrypt the communication, with DSA you cannot do so.

That blanket statement is false. I'm still working my way through the RFCs
for SSH, but my impression at this point is that ssh's RSA implements perfect
forward secrecy, which involves doing a signed Diffie-Hellman exchange that
generates an ephemeral session key that can't be decrypted by a non-party to
the conversation.

> several products on the market that take advantage of this fact and have
> you load your keys on a separate box that then intercepts the communication
> to your webservers and decrypts the traffic...

The products you're talking about seem to be for monitoring https traffic,
which uses a different protocol than ssh.

In general, RSA's security properties are better understood than DSA's. It
has withstood the test of time for decades longer; it is not limited to a
fixed length key; it was not designed by NSA; and it has no inherent covert
channels. (DSA looks like it was designed to make huge covert channels.) And
as we discovered from the Debian cluelessness: when signing with your key, if
your random numbers are corrupt, RSA doesn't leak your private key, but DSA
does.

(I've been exclusively using RSA for my own encryption for a long time. And
when generating RSA keys, I generate large ones in the 4200-8000 bit range,
size pseudo-randomly selected. This avoids one possible attack, which is: if
90% of the RSA keys are 2048 bits, clearly a major attacker like NSA would
build a brute force attack machine that handles 2048 bits. If no particular
bit length has more than 20% of the market, you have to build a cracker for a
much longer length to capture a significant part of the traffic. The one-time
time to generate the keys is a minute or two; but computers are so fast you
don't notice any extra overhead while in everyday use.)

John
Re: SSH DSA logins on crank.
Hi Chris,

On 19.05.2008 17:02, Chris Ball wrote:
> I've disabled logins with DSA keys on dev.laptop.org. Turns out that while
> your RSA key is only vulnerable if *created* on a weak Debian or Ubuntu
> machine, your DSA key is vulnerable if *used* on Debian/Ubuntu¹, due to DSA
> having a greater reliance on randomness.
>
> Please mail [EMAIL PROTECTED] if you were using a DSA key that you now
> need to replace.

What happens to those who never logged in *from* a Debian/Ubuntu machine?
There's no reason to not let them keep their DSA key. The PRNG on the target
host doesn't even appear in the DSA signature creation calculations and
therefore is irrelevant to DSA key security.

Regards,
Carl-Daniel
Re: SSH DSA logins on crank.
Carl-Daniel Hailfinger wrote:
> What happens to those who never logged in *from* a Debian/Ubuntu machine?
> There's no reason to not let them keep their DSA key.

The point, iiuc, is that if even one such key was sniffed, crank is
compromised. At least that user's account, which is dangerous enough.

--
Gary Oberbrunner
Re: SSH DSA logins on crank.
On 21.05.2008 14:36, Gary Oberbrunner wrote:
> Carl-Daniel Hailfinger wrote:
>> What happens to those who never logged in *from* a Debian/Ubuntu machine?
>> There's no reason to not let them keep their DSA key.
>
> The point, iiuc, is that if even one such key was sniffed, crank is
> compromised. At least that user's account, which is dangerous enough.

OK, but then a statement from the user like "I never logged in anywhere from
a Debian/Ubuntu system" should suffice to reenable the existing key.

Regards,
Carl-Daniel
Re: SSH DSA logins on crank.
On May 21, 2008, at 5:58 AM, Carl-Daniel Hailfinger wrote:
> OK, but then a statement from the user like "I never logged in anywhere
> from a Debian/Ubuntu system" should suffice to reenable the existing key.

Given the trivial cost of generating a new RSA key and the high fallibility
of human memory, it's not at all unreasonable to err on the side of caution
as Chris has done.

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org
Re: SSH DSA logins on crank.
On 21.05.2008 15:12, Ivan Krstić wrote:
> On May 21, 2008, at 5:58 AM, Carl-Daniel Hailfinger wrote:
>> OK, but then a statement from the user like "I never logged in anywhere
>> from a Debian/Ubuntu system" should suffice to reenable the existing key.
>
> Given the trivial cost of generating a new RSA key and the high fallibility
> of human memory, it's not at all unreasonable to err on the side of caution
> as Chris has done.

So DSA is a no-go from now until the end of time?

Chris Ball wrote:
> Please mail [EMAIL PROTECTED] if you were using a DSA key that you now
> need to replace.

I interpreted the statement above as "replace with a RSA or new DSA key".
Ivan, you seem to interpret it as "replace with a RSA key". Since Chris wrote
he disabled logins with DSA keys, I guess you're right. Thanks for
clarifying.

By the way, will remaining and new RSA keys be tested for bad randomness?

Regards,
Carl-Daniel
Re: SSH DSA logins on crank.
On 21.05.2008, at 15:27, Carl-Daniel Hailfinger wrote:
> Chris Ball wrote:
>> Please mail [EMAIL PROTECTED] if you were using a DSA key that you now
>> need to replace.
>
> I interpreted the statement above as "replace with a RSA or new DSA key".
> Ivan, you seem to interpret it as "replace with a RSA key". Since Chris
> wrote he disabled logins with DSA keys, I guess you're right.

I was able to log in yesterday with my old (non-debian) DSA key. I replaced
it with an RSA one in the mean time.

- Bert -
Re: SSH DSA logins on crank.
Hi,

> So DSA is a no-go from now until the end of time?

I'm open to debate on that, though many systems have made that decision;
debian.org and freedesktop.org are no longer allowing DSA logins, for
example. (I'm curious to hear reasons for wanting to use DSA keys, now that
the RSA patents have expired.)

> By the way, will remaining and new RSA keys be tested for bad randomness?

Yes. We have the openssh-blacklist package installed, which contains
keyhashes of all possible weak keys and disallows logins using them.

- Chris.

--
Chris Ball [EMAIL PROTECTED]
Re: SSH DSA logins on crank.
On Wed, 21 May 2008, Chris Ball wrote:
> Hi,
>
>> So DSA is a no-go from now until the end of time?
>
> I'm open to debate on that, though many systems have made that decision;
> debian.org and freedesktop.org are no longer allowing DSA logins, for
> example. (I'm curious to hear reasons for wanting to use DSA keys, now that
> the RSA patents have expired.)

one reason would be that DSA is more secure than RSA. If you have a copy of
the secret key from one end of the conversation and they are using RSA you
can decrypt the communication, with DSA you cannot do so. There are several
products on the market that take advantage of this fact and have you load
your keys on a separate box that then intercepts the communication to your
webservers and decrypts the traffic (either inline or from a tap). With these
products you have to configure your webservers to refuse DSA and only do RSA
because with DSA they cannot decrypt the traffic.

David Lang

>> By the way, will remaining and new RSA keys be tested for bad randomness?
>
> Yes. We have the openssh-blacklist package installed, which contains
> keyhashes of all possible weak keys and disallows logins using them.
>
> - Chris.
Re: SSH DSA logins on crank.
On 5/21/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> one reason would be that DSA is more secure than RSA. If you have a copy of
> the secret key from one end of the conversation and they are using RSA you
> can decrypt the communication, with DSA you cannot do so. There are several
> products on the market that take advantage of this fact and have you load
> your keys on a separate box that then intercepts the communication to your
> webservers and decrypts the traffic (either inline or from a tap). With
> these products you have to configure your webservers to refuse DSA and only
> do RSA because with DSA they cannot decrypt the traffic.

Documentation, please? I think you've misunderstood something you read.

--scott

--
( http://cscott.net/ )
Re: SSH DSA logins on crank.
Hi,

On Tuesday 20 May 2008 04:08, Bernie Innocenti wrote:
> Hopefully this doesn't mean that the _private_ DSA key can be compromised
> if the _public_ key was copied on a Debian/Ubuntu machine.

Not by copying to, but by using with, yes, unfortunately. Read
http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths.html - in short,
if the randomness is not really random, DSA can be attacked rather easily.
That's why debian.org and freedesktop.org don't allow DSA keys at all
anymore.

regards,
Holger
Re: SSH DSA logins on crank.
On 20.05.2008 13:31, Holger Levsen wrote:
> Hi,
>
> On Tuesday 20 May 2008 04:08, Bernie Innocenti wrote:
>> Hopefully this doesn't mean that the _private_ DSA key can be compromised
>> if the _public_ key was copied on a Debian/Ubuntu machine.
>
> Not by copying to, but by using with, yes, unfortunately.

Sorry, "using with" is very imprecise language and leads many people to the
wrong conclusion.

> Read http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths.html - in
> short, if the randomness is not really random, DSA can be attacked rather
> easily. That's why debian.org and freedesktop.org don't allow DSA keys at
> all anymore.

Everybody points to the blog entry, but nobody seems to read it. The entry
states that if you used the private DSA key on a Debian/Ubuntu machine for
login to another machine, it might be compromised. Logging in to a
Debian/Ubuntu machine does no harm.

Short version: The combination of bad random numbers and a private DSA key on
the same machine is harmful.

Regards,
Carl-Daniel
Re: SSH DSA logins on crank.
Hi,

On Tuesday 20 May 2008 14:13, Carl-Daniel Hailfinger wrote:
>> Not by copying to, but by using with, yes, unfortunately.
>
> Sorry, "using with" is very imprecise language and leads many people to the
> wrong conclusion.

If you think that "using" was confusing here, you should probably also remove
the confusion by suggesting a better word. I still think "using" is correct
here.

>> Read http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths.html - in
>> short, if the randomness is not really random, DSA can be attacked rather
>> easily. That's why debian.org and freedesktop.org don't allow DSA keys at
>> all anymore.
>
> Everybody points to the blog entry, but nobody seems to read it. The entry
> states that if you used the private DSA key on a Debian/Ubuntu machine for
> login to another machine, it might be compromised.

You haven't understood the entry. Let me quote the relevant bit:

  For instance, Applied Cryptography (Schneier) says (thanks to Peter
  Palfrader for digging up the quote):

    Each signature requires a new value of k, and that value must be chosen
    randomly. If Eve ever recovers a k that Alice used to sign a message,
    perhaps by exploiting some properties of the random number generator that
    generated k, she can recover Alice's private key, x. If Eve ever gets two
    messages signed using the same k, even if she doesn't know what it is,
    she can recover x. And with x, Eve can generate undetectable forgeries of
    Alice's signature. In any implementation of the DSA a good random-number
    generator is essential to the system's security.

> Short version: The combination of bad random numbers and a private DSA key
> on the same machine is harmful.

Wrong, also the combination of bad random numbers and a public DSA key has to
be considered harmful. If someone sniffed your traffic (which you have to
consider), you have to consider your DSA keys to be compromised.

regards,
Holger
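Worked example of the two attacks in the Schneier paragraph quoted above. It is added here for readers of the archive and is not code from this thread, from OpenSSH or from Debian. It implements textbook DSA over a deliberately tiny group and recovers the private key x from (1) two signatures made with the same nonce k and (2) one signature plus the public key, by enumerating every nonce a small-output PRNG could have produced. Everything specific is constructed for illustration: the group (p = 607, q = 101, g = 64), the private key 57, the message texts and the simulated PID-seeded PRNG. Both attacks use only what an observer of the wire sees, namely the public key and the signatures; the arithmetic is identical with a 160-bit q.

```python
"""Textbook DSA over a toy group, with the two nonce attacks Schneier describes.

Added example for this thread; not code from the thread, OpenSSH or Debian.
Constructed for illustration: the group (P, Q, G), the private key, the
message texts and the simulated PID-seeded PRNG. Real DSA uses a 160-bit q;
the arithmetic below is unchanged, only the numbers are small.
"""
import hashlib

# Toy domain parameters: P = 607 is prime, Q = 101 divides P - 1 = 6 * 101,
# and G = 2**6 mod P = 64 has order Q. Far too small for real use.
P, Q, G = 607, 101, 64


def h(msg):
    """Message digest reduced mod Q, as DSA does (SHA-256 chosen here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(x):
    """Private key x in [1, Q-1]; public key y = G^x mod P."""
    if not 0 < x < Q:
        raise ValueError("x out of range")
    return x, pow(G, x, P)


def sign(x, msg, k):
    """DSA signing with a caller-supplied nonce k: the caller *is* the PRNG."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(y, msg, sig):
    """Standard DSA verification."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_x_from_known_k(msg, sig, k):
    """s = k^-1 (H + x r)  =>  x = r^-1 (s k - H)   (all mod Q)."""
    r, s = sig
    return pow(r, -1, Q) * (s * k - h(msg)) % Q


def recover_x_from_shared_k(m1, sig1, m2, sig2):
    """Two signatures with the same k share r; subtracting the two s equations
    cancels the x*r term and leaves k, after which known-k recovery applies."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: the nonces were not the same")
    k = (h(m1) - h(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return recover_x_from_known_k(m1, sig1, k)


def recover_x_by_enumerating_k(y, msg, sig, candidates):
    """Attacker holding only the public key and one sniffed signature tries
    every nonce the weak PRNG could have emitted; the right one reproduces y."""
    for k in candidates:
        x = recover_x_from_known_k(msg, sig, k)
        if x and pow(G, x, P) == y:
            return x
    return None


def weak_nonces():
    """Simulated Debian-style PRNG: output is a function of a 15-bit PID only,
    so there are at most 32768 distinct nonces and the same PID repeats one."""
    return [1 + (pid * 7919) % (Q - 1) for pid in range(1, 32769)]


def demo():
    """Alice signs two authentication challenges with a nonce from the weak
    PRNG (same k both times). Eve recovers x from what crossed the wire."""
    x, y = keygen(57)
    m1 = b"ssh-userauth challenge 1"
    # Pick a second message whose digest differs mod Q, so that s1 != s2.
    m2 = next(b"ssh-userauth challenge %d" % i for i in range(2, 400)
              if h(b"ssh-userauth challenge %d" % i) != h(m1))
    for k in dict.fromkeys(weak_nonces()):        # distinct nonces, in PID order
        try:
            sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
            break
        except ValueError:                        # r == 0 or s == 0, try next
            continue
    assert verify(y, m1, sig1) and verify(y, m2, sig2)
    return {
        "x": x,
        "x_from_shared_k": recover_x_from_shared_k(m1, sig1, m2, sig2),
        "x_from_enumeration": recover_x_by_enumerating_k(y, m1, sig1, set(weak_nonces())),
        "x_from_known_k": recover_x_from_known_k(m1, sig1, k),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value}")
```

Run the file directly to print the recovered keys. The shared-k attack is the one that hit the Debian OpenSSL bug in practice: its PRNG output depended on little more than the process ID, so two SSH logins could easily sign with the same k. The enumeration attack shows why the public key plus one sniffed signature is enough when the nonce space is small; with the toy q it is trivial in any case, so the part worth reading is the check of each candidate x against y, not its cost.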
Re: SSH DSA logins on crank.
On Tue, 20 May 2008, Bernie Innocenti wrote:
> Chris Ball wrote:
>> I've disabled logins with DSA keys on dev.laptop.org. Turns out that while
>> your RSA key is only vulnerable if *created* on a weak Debian or Ubuntu
>> machine, your DSA key is vulnerable if *used* on Debian/Ubuntu¹, due to DSA
>> having a greater reliance on randomness.
>
> Hopefully this doesn't mean that the _private_ DSA key can be compromised
> if the _public_ key was copied on a Debian/Ubuntu machine. If something
> like this was even possible, as it would make the whole asymmetrical key
> scheme rather useless :-)

the argument is that the PRNG used by buggy versions is predictable and so
someone could observe the communication and brute-force attack the handshake,
deciphering the key in the process.

David Lang