Hi, I am not hopeful to secure much of anything against the likes of NSA or GCHQ. However, my curiosity woke up when the latest NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much of Internet encryption were accompanied by graphics like
http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html

Now, NYT is hardly a technical authority, but I assume they have technically competent sources and advisers. The above page lists Cisco, Microsoft (I wonder if they were the ones who "outed" Skype - chuckle), and EFF as sources.

I shrug at HTTPS/SSL/TLS/VPN/Skype, IM - nothing surprises there. The only part that is somewhat surprising (and particularly relevant to Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion justified?

A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the Ciphers section and the default preference list for v2 ciphers, with AES-128 in the leading position. Can any security/cryptography guru here (Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect? AES-256 still seems to be regarded as NSA-safe (but not RC4? http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/). Is it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment on the performance impact of using AES-256 vs. AES-128 for the usual scenarios?

I am not sure I quite understand the implications of AES-128 and AES-256 both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA assume that anything they can break others can break, too, so a Type 1 product being defined as "endorsed by the NSA for securing classified and sensitive U.S. Government information, when appropriately keyed" hopefully means NSA cannot break it. However, there is also Type-1/Suite-A... Suite A being seemingly regarded as even more secure than Suite B (is it?) goes against the common cryptographic wisdom that says "disclosed algos deserve more trust". Is it an indication that (at least) AES-128 may be somewhat vulnerable? Or is it only because AES was not historically NSA-sourced that it is in Suite B and not in Suite A?

http://en.wikipedia.org/wiki/Type_1_product
http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography

Back to NYT graphics: Another, more mundane possibility is that NSA's "partial success" against SSH (and/or the OpenSSH implementation) means that SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That would not be a big surprise (at least the DES part).

I am not changing the default SSHv2 Ciphers configuration unless someone I trust says AES-128 is suspect. And maybe not even then... But curiosity is killing this cat...

-- 
Oleg Goldshmidt | p...@goldshmidt.org

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
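The post asks whether it is prudent to reorder the Ciphers preference list in ssh_config/sshd_config so that AES-256 leads, and notes that DES/3DES and RC4 are the more likely weak spots. The script below is an added example (not from the post, and not OpenSSH's own code) that audits the first global `Ciphers` directive of a config file: it reports which cipher leads, whether an AES-256 variant precedes any AES-128 variant, lists the legacy entries (3DES, RC4/arcfour, Blowfish, CAST, and all CBC modes), and proposes an AES-256-first line with those removed. The sample configuration is constructed for the example; the set of ciphers treated as legacy is the author's choice here, and the `+`/`-`/`^` prefix handling covers a syntax that newer OpenSSH releases added to modify rather than replace the built-in default.

```python
"""Audit the Ciphers directive of an OpenSSH config and propose an AES-256-first order.

Added example; the configuration text below is constructed, not a real host's file.
"""
import re

# Ciphers treated as legacy here: the DES/3DES and RC4 (arcfour) families the post
# names, plus the other pre-AES ciphers OpenSSH still offered.  CBC modes are
# flagged separately by suffix because CTR/GCM are the preferred SSH modes.
LEGACY = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}

# Constructed sample sshd_config excerpt (AES-128 leads, legacy ciphers present).
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,aes128-cbc,3des-cbc
Match User backup
    Ciphers aes256-ctr
"""


def parse_ciphers(config_text):
    """Return (mode, names) from the first global Ciphers directive.

    OpenSSH uses the first value obtained for a keyword, so the first match wins.
    Directives inside a Match block are skipped because they apply only to the
    matching connections, not globally.  mode is "replace" for a plain list, or
    "+", "-" or "^" when the value carries that prefix (newer OpenSSH syntax that
    appends to, removes from, or prepends to the built-in default list).
    Returns (None, []) when no global directive exists, i.e. the compiled-in
    default order applies.
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # keyword [=] value
        keyword = parts[0].lower()                 # keywords are case-insensitive
        if keyword == "match":
            in_match = True                        # everything after Match is conditional
            continue
        if in_match or keyword != "ciphers" or len(parts) < 2:
            continue
        value = parts[1].strip()
        mode = "replace"
        if value and value[0] in "+-^":
            mode, value = value[0], value[1:]
        names = [n.strip().lower() for n in value.split(",") if n.strip()]
        return mode, names
    return None, []


def key_strength(name):
    """AES key size in bits for names like aes256-ctr or aes128-gcm@openssh.com; 0 otherwise."""
    m = re.match(r"aes(\d+)-", name)
    return int(m.group(1)) if m else 0


def is_weak(name):
    return name in LEGACY or name.endswith("-cbc")


def assess(names):
    """Summarise a cipher list: leading entry, AES-256-before-AES-128, weak entries."""
    first256 = next((i for i, n in enumerate(names) if key_strength(n) == 256), None)
    first128 = next((i for i, n in enumerate(names) if key_strength(n) == 128), None)
    return {
        "leading": names[0] if names else None,
        "aes256_before_aes128": first256 is not None and (first128 is None or first256 < first128),
        "weak": [n for n in names if is_weak(n)],
    }


def prefer_aes256(names):
    """Drop weak entries and order AES-256 > AES-192 > AES-128 (stable, so the
    original relative order among equal key sizes is kept; non-AES entries trail)."""
    kept = [n for n in names if not is_weak(n)]
    return sorted(kept, key=lambda n: -key_strength(n))


def ciphers_line(names):
    """Render a list back into a Ciphers directive."""
    return "Ciphers " + ",".join(names)


if __name__ == "__main__":
    mode, names = parse_ciphers(SAMPLE_SSHD_CONFIG)
    print("mode:", mode, "names:", names)
    print("assessment:", assess(names))
    print("proposed:", ciphers_line(prefer_aes256(names)))
```

Run against the sample, the audit reports that `aes128-ctr` leads, that AES-256 does not precede AES-128, and that `arcfour256`, `aes128-cbc` and `3des-cbc` are legacy, then proposes `Ciphers aes256-ctr,aes192-ctr,aes128-ctr`. Point it at a real `/etc/ssh/sshd_config` by reading the file into `parse_ciphers`; a result of `(None, [])` means the host relies on the compiled-in default order, which is exactly the AES-128-first list the post describes.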