Stories
Slash Boxes
Comments

SoylentNews is people

How SSH Key Shielding Works

posted by Fnord666 on Thursday December 19 2019, @08:37PM   Printer-friendly
from the vibranium dept.

An Anonymous Coward writes:

On June 21, 2019, support for SSH key shielding was introduced into the OpenBSD tree, from which the OpenSSH releases are derived. SSH key shielding is a measure intended to protect private keys in RAM against attacks that abuse bugs in speculative execution that current CPUs exhibit.[0] This functionality has been part of OpenSSH since the 8.1 release. SSH private keys are now being held in memory in a shielded form; keys are only unshielded when they are used and re‐shielded as soon as they are no longer in active use. When a key is shielded, it is encrypted in memory with AES‐256‐CTR; this is how it works: [...]

https://xorhash.gitlab.io/xhblog/0010.html

Original Submission

 
This discussion has been archived. No new comments can be posted.
How SSH Key Shielding Works | Log In/Create an Account | Top | 11 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by VLM on Thursday December 19 2019, @10:48PM (2 children)

    by VLM (445) on Thursday December 19 2019, @10:48PM (#934418)

    Its a good idea although the best application of effort might be putting your keys on the end of a USB connector. Play with the keys in a better spot, not play with the keys in a better way.

    I have an use a yubico key for various auth. For some things like Amazon AWS its ridiculously simple to set up and even require for other users. Other applications somewhat harder.

    I'd like to see something like that merged with watch/fitbit in some magical bluetooth manner, or NFC, perhaps. Enter my pin (lame password) by hand, push a button on my watch, away I go.

    AFAIK there is no FIDO2, U2F compatible watch out there. I'd even wear a stylish sweatband wrist bracelet if necessary, if a watch would be impossible.

    Its actually kinda odd that there's so many novelty flash drive containers but the only FIDO2 U2F key format is little flash drive alike thingies.

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 2) by TheGratefulNet on Friday December 20 2019, @12:36AM

    by TheGratefulNet (659) on Friday December 20 2019, @12:36AM (#934454)

    the main idea is to keep things 'encrypted at rest' and only unlock them for the shortest period of time possible.

    --
    "It is now safe to switch off your computer."

  • (Score: 1, Insightful) by Anonymous Coward on Friday December 20 2019, @04:49AM

    by Anonymous Coward on Friday December 20 2019, @04:49AM (#934552)

    The problem with that is that compared to this is you'll be prompted for the key whenever the program needs it. For SSH, that would be a maximum of the rekey interval, which defaults to one hour, but could be decidedly less.