SoylentNews is people
SoylentNews
The Latacora firm has a blog post asserting that OpenSSH-portable has poor defaults for encrypting private RSA keys because of its reliance on OpenSSL. The blog goes into why this is a problem and how you can test it for yourself.
There is nothing wrong with the generated RSA keys themselves, however, just the encryption of the private RSA keys -- if made using current defaults. There are two ways of encrypting RSA keys, an old and apparently insecure way, and a new key format available but not default. Newer key types like Ed25519 use only the new key format and are not bothered by this problem.
Earlier on SN:
WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (2017)
Upgrade Your SSH Keys (2016)
OpenSSH 6.8 Will Feature Key Discovery and Rotation for Easier Switching to DJB's Ed25519 (2015)
(Score: 4, Informative) by coolgopher on Monday August 06 2018, @07:03AM (10 children)
If you want to skip to the important bit, what you want to do is:
ssh-keygen -p -o -f ~/.ssh/id_rsa
The -o is the magic sauce that saves the key in the new format.
(Score: 1, Informative) by Anonymous Coward on Monday August 06 2018, @08:43AM
(Score: 2) by driverless on Monday August 06 2018, @09:15AM (3 children)
You also have to wonder about the title:
Since "plaintext" means no protection at all, what's "worse than plaintext"? Does OpenSSH proactively mail your key to the CIA, FSB, DDSI, Unit 8200, MSS, SEBIN, and Special Unit 731?
(Score: 2) by coolgopher on Monday August 06 2018, @10:57AM
They cover that in TFA. Essentially, due to ease of cracking and the likelihood of password reuse, it's worse because someone could get access to far more than ssh.
(Score: 2) by RS3 on Monday August 06 2018, @01:26PM (1 child)
It's also worse in the sense that you believe you're secure, so you're sending stuff you think is protected. If you know you're in plaintext mode, hopefully you're not going to pass an admin password, but you're more likely to if you think you have the most awesome encryption short of quantum computing.
(Score: 0) by Anonymous Coward on Tuesday August 07 2018, @07:17PM
Not really relevant for the passphrases in question. These passphrases are used to locally decrypt your private keys used in key-based authentication. The passphrase never leaves the local machine running ssh.
The purpose of encrypting the keys in this manner is if someone gains access to your files they don't automatically gain access to the private key. If your system is already compromised an attacker can probably snoop the key and/or passphrase when you decrypt it, so the threat is pretty much limited to scenarios where someone physically steals your backup tapes. That still may be worth worrying about: you probably don't want a stolen backup tape to mean the thief can now successfully authenticate on the live system.
(Score: 0) by Anonymous Coward on Monday August 06 2018, @09:28AM (2 children)
If you really want your key to be secure you can pipe the output of ssh-keygen to /dev/null
(Score: 4, Funny) by driverless on Monday August 06 2018, @10:10AM (1 child)
That's not really a web scale solution though, because /dev/null doesn't support sharding.
(Score: 0) by Anonymous Coward on Monday August 06 2018, @05:41PM
Sure it does, just create another partition:
(Score: 2) by chewbacon on Tuesday August 07 2018, @01:39AM (1 child)
You don't -b 4096?
(Score: 2) by coolgopher on Tuesday August 07 2018, @01:44AM
Not when I'm just changing the passphrase (and storage format) on an existing key, no...
(Score: 0) by Anonymous Coward on Monday August 06 2018, @06:47PM (3 children)
I haven't used RSA since ed25519 was supported. Libressl seems to be a better choice than OpenSSL too.
(Score: 2) by PocketSizeSUn on Tuesday August 07 2018, @05:09AM (2 children)
Hmmm... is ed25519 compromised?
https://research.kudelskisecurity.com/2017/10/04/defeating-eddsa-with-faults/ [kudelskisecurity.com]
(Score: 0) by Anonymous Coward on Tuesday August 07 2018, @04:48PM
No, that is an implementation problem of a particular signature scheme that uses Ed25519 as a primitive. In fact, if you look at the paper, they can fix the problem by making a slight backwards-compatible tweak to the algorithm, rather than a wholesale change to any of the primitives.
(Score: 1, Informative) by Anonymous Coward on Tuesday August 07 2018, @07:47PM
This article describes a fault injection attack, a type of side-channel attack. It's something you may need to worry about when designing a crypto system but not necessarily an inherent problem with the algorithms.
Note also that RSA, when using the very common CRT optimization, is also trivially vulnerable to similar attacks. The modulus M is the product of two primes p and q. In the CRT optimization, the signer computes two intermediate values, one modulo p and the other modulo q. If an attacker can induce a fault which corrupts one of those intermediate values (just one bit flip will suffice) but not the other, then the resulting signature reveals the prime factors p and q of the modulus, which is a total defeat of RSA.
There are various techniques to avoid fault injection. A simple but expensive method is to compute the signature more than once and only use it if all the computations match. This means the attacker now has to inject the exact same fault more than once; this is (in principle) more difficult for an attacker but it turns out to be ridiculously hard to actually defend against these sort of side channel attacks.