In the true tradition of previous years, this year's 31c3 in Hamburg revealed another bummer about surveillance capabilities:
The brief summary is that viable attacks against PPTP, IPsec, SSL/TLS and SSH are available to surveillance agencies. The newly published papers indicate that, as of 2012, OTR and PGP had resisted decryption attempts.
A related "Spiegel" article provides more details and the leaked papers that contain this information: Inside the NSA's War on Internet Security.
Several SSL/TLS vulnerabilities have been discovered and fixed in the years since these papers were written. But at the very least, a state agency that can obtain a fraudulently issued certificate from a CA the client trusts can still decrypt individual connections via a man-in-the-middle attack.
The claim of decrypting SSH caught me by surprise though; it's a tool deeply ingrained in my daily workflow.
At the conference I got a chance to discuss this with Jacob after studying some of the Spiegel revelations, and since I've been asked about this so much, I'll wrap it up here:
The cited papers put their emphasis on breaking other crypto protocols, PPTP and IPsec in particular. Those, and even SSL, get far more attention than possible attacks on SSH.
Clearly, password-protected sessions are attackable: an agency with lots of computation power can guess weak passwords, and one holding (targeted) collections of leaked credentials can simply try them against your hosts.
Also, 768-bit RSA keys are almost certainly breakable by surveillance agencies today (RSA-768 was factored publicly by an academic team back in 2009), and 1024-bit keys could be within reach given what the revelations say about their processing capacities.
Even 2048-bit keys could become approachable, whether through future advances in mathematical attacks or through a weak random number generator at key generation time, as was the case in Debian in 2008 (CVE-2008-0166): the patched OpenSSL seeded its PRNG with so little entropy that every key generated on an affected system came from a small, enumerable set, whatever its length.
Additionally, there always remains the possibility of an undiscovered SSH implementation bug or protocol flaw that agencies can exploit.
Fact is, we don't yet know enough about the attack surfaces against SSH available to the agencies, and we badly need more information to know which infrastructure components remain safe and reliable for our day-to-day work. However, we do have an idea of the weak spots that should be avoided.
My personal takeaway is this:
Never allow password-based SSH authentication, ever:
/etc/ssh/sshd_config: PasswordAuthentication no
Use key-based SSH authentication only, with 4096-bit keys; I have been doing this for more than 5 years and performance has not been a problem:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_HOSTNAME -C account@HOSTNAME
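As an added example (my own script, not code from the original post), the following Python audits both points of this checklist: it reads an sshd_config the way sshd does (the first value of a keyword wins, anything after a Match line is conditional) and flags configurations that still admit password logins, including through the keyboard-interactive/PAM path that a lone "PasswordAuthentication no" leaves open; and it decodes OpenSSH public key lines to report each key's algorithm and size against the 4096-bit bar. Everything it runs on is constructed: the two sshd_config fragments, the function names and thresholds, and the sample key lines, whose RSA moduli are synthetic numbers of the right size rather than real keys, so the script runs offline.

```python
"""Audit the two rules above: no password logins in sshd_config, and RSA keys of
at least 4096 bits. Added example, not the original post's code; every sample
below is constructed, and the RSA "keys" are synthetic numbers, not real keys."""
import base64
import struct
MIN_RSA_BITS = 4096   # the post's recommendation
WEAK_RSA_BITS = 2048  # below this, 768 is broken and 1024 is within reach
WEAK_SSHD_CONFIG = """\
# PasswordAuthentication appears twice; sshd honours the FIRST line only
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
"""
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
"""

def parse_sshd_config(text):
    """{keyword: value} for the global section, as sshd reads it: the first value
    of a keyword wins, and lines after 'Match' are conditional, so stop there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), parts[1].lower() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Ways a config still admits password logins (defaults as in sshd_config(5))."""
    s, findings = parse_sshd_config(text), []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (default yes, first value wins)")
    # Keyboard-interactive (the PAM path) can still prompt for a password. Older
    # releases call it ChallengeResponseAuthentication, newer ones KbdInteractive.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive auth is not 'no'; PAM can still ask for a password")
    return findings

def parse_openssh_pubkey(line):
    """(key type, bits, comment) for one .pub / authorized_keys line; the base64 blob is a list of length-prefixed fields."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t.startswith("ssh-"))  # skip options
    keytype, data = tokens[idx], base64.b64decode(tokens[idx + 1])
    fields, off = [], 0
    while off < len(data):
        (n,) = struct.unpack(">I", data[off:off + 4])
        fields.append(data[off + 4:off + 4 + n])
        off += 4 + n
    if fields[0] != keytype.encode():
        raise ValueError("key type inside the blob does not match the text field")
    comment = " ".join(tokens[idx + 2:])
    if keytype == "ssh-rsa":  # fields: "ssh-rsa", mpint e, mpint n; size = bits of n
        return keytype, int.from_bytes(fields[2], "big").bit_length(), comment
    if keytype == "ssh-dss":  # fields: "ssh-dss", mpint p, q, g, y; size = bits of p
        return keytype, int.from_bytes(fields[1], "big").bit_length(), comment
    return keytype, 256 if keytype == "ssh-ed25519" else 0, comment

def audit_pubkeys(lines):
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        keytype, bits, comment = parse_openssh_pubkey(line)
        if keytype == "ssh-dss" or (keytype == "ssh-rsa" and bits < WEAK_RSA_BITS):
            verdict = f"replace now: {bits}-bit {keytype} is within reach of a state attacker"
        elif keytype == "ssh-rsa" and bits < MIN_RSA_BITS:
            verdict = f"rotate: below the {MIN_RSA_BITS}-bit recommendation"
        else:
            verdict = "ok"
        out.append((comment, keytype, bits, verdict))
    return out

def _field(b):
    return struct.pack(">I", len(b)) + b
def _mpint(x):  # SSH mpint: big-endian bytes, 0x00-padded if the top bit is set
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _field(b"\x00" + b if b[0] & 0x80 else b)
def fake_rsa_pubkey_line(bits, comment):
    """Well-formed ssh-rsa line with a made-up modulus of exactly `bits` bits; NOT a real key."""
    blob = _field(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEYS = [  # constructed authorized_keys content
    fake_rsa_pubkey_line(768, "old@laptop"),
    fake_rsa_pubkey_line(1024, "build@ci"),
    fake_rsa_pubkey_line(4096, "account@HOSTNAME"),
]

if __name__ == "__main__":  # stand-alone run: report on the constructed samples
    print(*audit_sshd_config(WEAK_SSHD_CONFIG), sep="\n")
    print(*audit_pubkeys(SAMPLE_KEYS), sep="\n")
```

On a real host, feed it /etc/ssh/sshd_config and the authorized_keys files instead of the samples. The parser deliberately ignores Match blocks, so a "PasswordAuthentication yes" hidden inside one would not be reported; `sshd -T` prints the effective configuration with defaults filled in and is the authoritative check after editing.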
For encryption that actually protects your messages end to end, turn to PGP and OTR.
Have a happy new year everyone…