{"id":6453,"date":"2017-02-01T21:00:38","date_gmt":"2017-02-01T13:00:38","guid":{"rendered":"http:\/\/rmohan.com\/?p=6453"},"modified":"2017-02-01T21:00:38","modified_gmt":"2017-02-01T13:00:38","slug":"secure-secure-shell","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6453","title":{"rendered":"Secure Secure Shell"},"content":{"rendered":"
\n

Secure Secure Shell<\/h1>\n

\n<\/header>\n

You may have heard that the NSA can decrypt SSH at least some of the time. If you have not, then read the latest batch of Snowden documents<\/a> now. All of it. This post will still be here when you finish. My goal with this post here is to make NSA analysts sad.<\/p>\n

TL;DR: Scan this post for fixed width fonts, these will be the config file snippets and commands you have to use.<\/p>\n

Warning<\/em>: You will need a recent OpenSSH version. It should work with 6.5 but I have only tested 6.7 and connections to Github. Here is a good compatibility matrix<\/a>.<\/p>\n

The crypto<\/h1>\n

Reading the documents, I have the feeling that the NSA can 1) decrypt weak crypto and 2) steal keys. Let\u2019s focus on the crypto first. SSH supports different key exchange algorithms, ciphers and message authentication codes. The server and the client choose a set of algorithms supported by both, then proceed with the key exchange. Some of the supported algorithms are not so great and should be disabled completely. This hurts interoperability but everyone uses OpenSSH anyway. Fortunately, downgrade attacks are not possible because the supported algorithm lists are included in the key derivation. If a man in the middle were to change the lists, then the server and the client would calculate different keys.<\/p>\n

Key exchange<\/h2>\n

There are basically two ways to do key exchange: Diffie-Hellman<\/a> and Elliptic Curve Diffie-Hellman<\/a>. Both provide forward secrecy<\/a> which the NSA hates because they can\u2019t use passive collection and key recovery later. The server and the client will end up with a shared secret number at the end without a passive eavesdropper learning anything about this number. After we have a shared secret we have to derive a cryptographic key from this using a key derivation function. In case of SSH, this is a hash function. Collision attacks<\/a> on this hash function have been proven to allow downgrade attacks.<\/p>\n

DH works with a multiplicative group of integers modulo a prime. Its security is based on the hardness of the discrete logarithm problem<\/a>.<\/p>\n

Alice           Bob\r\n---------------------------\r\nSa = random\r\nPa = g^Sa   --> Pa\r\n                Sb = random\r\nPb          <-- Pb = g^Sb\r\ns = Pb^Sa       s = Pa^Sb\r\nk = KDF(s)      k = KDF(s)<\/code><\/pre>\n
ECDH works with elliptic curves over finite fields. Its security is based on the hardness of the elliptic curve discrete logarithm problem.<\/p>\n
Alice           Bob\r\n---------------------------\r\nSa = random\r\nPa = Sa * G --> Pa\r\n                Sb = random\r\nPb          <-- Pb = Sb * G\r\ns = Sa * Pb     s = Sb * Pa\r\nk = KDF(s)      k = KDF(s)<\/code><\/pre>\n
OpenSSH supports 8 key exchange protocols:<\/p>\n
    \n
  1. curve25519-sha256<\/a>: ECDH over Curve25519<\/a> with SHA2<\/li>\n
  2. diffie-hellman-group1-sha1<\/a>: 1024 bit DH with SHA1<\/li>\n
  3. diffie-hellman-group14-sha1<\/a>: 2048 bit DH with SHA1<\/li>\n
  4. diffie-hellman-group-exchange-sha1<\/a>: Custom DH with SHA1<\/li>\n
  5. diffie-hellman-group-exchange-sha256<\/a>: Custom DH with SHA2<\/li>\n
  6. ecdh-sha2-nistp256: ECDH over NIST P-256 with SHA2<\/li>\n
  7. ecdh-sha2-nistp384: ECDH over NIST P-384 with SHA2<\/li>\n
  8. ecdh-sha2-nistp521: ECDH over NIST P-521 with SHA2<\/li>\n<\/ol>\n
    We have to look at 3 things here:<\/p>\n