

slide-1
SLIDE 1

Understanding SSH: Large-scale measurements and notary-based authentication

Final Presentation
Oliver Gasser

Master Thesis
Advisor: Ralph Holz
Chair for Network Architectures and Services
Faculty of Computer Science
Technische Universität München

March 19, 2013

Oliver Gasser (TU München) Understanding SSH 1

slide-2
SLIDE 2

Outline

1. SSH Basics
2. Goals
3. Related Work
4. SSH Scanning
5. Evaluation
6. Notary-based Authentication
7. Summary


slide-4
SLIDE 4

SSH Basics

SSH Protocol
- Client–server protocol
- Secure replacement for rsh, rlogin, telnet
- Two major protocol versions
  - SSH-1.x
  - SSH-2.0
- Use: Server administration, tunneling
- Not utilized by everyday Internet user

slide-5
SLIDE 5

SSH Connection Establishment

Between SSH Client and SSH Server:

1. Establish TCP connection (client connects to server on port 22)
2. Exchange SSH identification string: "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1"
3. Exchange supported algorithms:
   - kex_algorithms
   - server_host_key_algorithms
   - enc_algorithms_client_server
   - enc_algorithms_server_client
   - mac_algorithms_client_server
   - mac_algorithms_server_client
   - compression_algorithms_client_server
   - compression_algorithms_server_client
   - languages_client_server
   - languages_server_client
4. Diffie-Hellman key exchange with server authentication
5. Protected:
   - Client authentication (e.g. by password or public key)
   - Service communication (e.g. terminal login session)

Trust-On-First-Use principle


slide-8
SLIDE 8

Problem statement

- Insufficient data about the SSH landscape available
  - Perform IPv4-wide scans for SSH servers
- Trust-On-First-Use is a strong assumption
  - Provide notary-based authentication for SSH servers


slide-13
SLIDE 13

Related Work: Protocol Scanning

Provos and Honeyman (2001)
- Scanned 2 million IP addresses for SSH servers
- Analyzed only SSH version and server’s identification string

Yilek et al. (2009)
- Debian OpenSSL vulnerability
- Analyzed X.509 certificate churn
- No SSH scans

Holz et al. (2011)
- Active scans for Alexa Top 1 Million Hosts
- Passive monitoring of MWN traffic
- No SSH scans


slide-16
SLIDE 16

Related Work: Key Security

Lenstra et al. (2012)
- No active scanning, EFF SSL observatory and other sources
- 6.2 million X.509 certs and 5.5 million PGP keys
- 4 % of RSA keys shared modulus, 0.18 % shared one prime
- Conclusion: RSA keys less secure than DSA keys

Heninger et al. (2012)
- Active scanning for TLS and SSH servers
- 5.8 million unique X.509 certs and 6.2 million unique SSH host keys
- Recovered private keys for RSA (0.03 %) and DSA keys (1 %)
- Conclusion:
  - Embedded devices do not have enough entropy
  - DSA mode more vulnerable than RSA

slide-17
SLIDE 17

Related Work: Notary-based Authentication

Wendlandt et al. (2008)
- Perspectives
- Improve SSH authentication mechanism
- Crypto flaws
- Implementation not available

Holz et al. (2012)
- Crossbear
- Detect Man-in-the-Middle attacks on SSL
- Localize the MitM using traceroutes
- No support for SSH


slide-20
SLIDE 20

SSH Scanning

- Internet-wide scanning for SSH protocol
  - Parallel scanning to improve performance
- Collect information and fetch SSH host key
  - Full SSH handshake with OpenSSH
- Different scanning scenarios
  - Modularity in software design
- Minimize intrusiveness
  - Pseudorandom IP address generation
  - Blacklist


slide-28
SLIDE 28

sshscan Overview

[Architecture diagram. Components: Coordinator, Logging, IP Blacklist (SIGUSR1), IP Provider, nmap Threads, File Queue, ssh Threads]

Logging (sample output):
[IpGenerator] 100 IPs generated
[NmapScanner-02] 133.713.37.42 port 22 open
...

IP Blacklist (sample entries):
194.77.40.240/29
188.138.95.7
...

Modularity
- Scanner can be easily adapted to other protocols

slide-29
SLIDE 29

sshscan: The Coordinator

Coordinator
- Main component that coordinates all others

slide-30
SLIDE 30

sshscan: The IP Provider

IP Provider
- Generates IP addresses according to certain rules
- Random IP Provider: LCG, $X_{n+1} \equiv (a \cdot X_n + c) \pmod{m}$

slide-31
SLIDE 31

sshscan: The nmap Threads

nmap Thread
- Get IP addresses from provider
- Check port TCP/22
- Propagate results to File Queue

slide-32
SLIDE 32

sshscan: The File Queue

File Queue
- Provides mutually exclusive access to nmap results
- Files containing results retrieved by ssh Threads

slide-33
SLIDE 33

sshscan: The ssh Threads

ssh Thread
- Get potential SSH servers from File Queue
- Establish connection using OpenSSH

slide-34
SLIDE 34

sshscan: The IP Blacklist

IP Blacklist
- Allows certain hosts or IP ranges to be ignored
- Refresh triggered by SIGUSR1 signal
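One way to combine the LCG-based IP Provider with the IP Blacklist, as an added example that is not sshscan's own code. It goes beyond the slides by walking a single documentation prefix (192.0.2.0/24) instead of all of IPv4; the multiplier and increment, the blacklist file format and all function names are assumptions.

```python
import ipaddress
import signal


def lcg_sequence(seed, bits, a=1664525, c=1013904223):
    """Yield every integer in [0, 2**bits) exactly once, in LCG order.

    For m = 2**bits the Hull-Dobell theorem gives a full period when c is odd
    and a - 1 is divisible by 4, so no address is skipped or probed twice.
    """
    if c % 2 == 0 or (a - 1) % 4 != 0:
        raise ValueError("parameters do not give a full-period LCG")
    m = 1 << bits
    x = seed % m
    for _ in range(m):
        yield x
        x = (a * x + c) % m  # X_{n+1} = (a * X_n + c) mod m


class Blacklist:
    """Hosts and CIDR ranges that must never be probed, one entry per line."""

    def __init__(self, path):
        self.path = path
        self.networks = []
        self.reload()

    def reload(self, *_signal_args):
        """Re-read the file; the signature also fits a signal handler."""
        with open(self.path) as handle:
            entries = [line.split("#")[0].strip() for line in handle]
        # Parse everything before swapping, so a bad line keeps the old list.
        self.networks = [ipaddress.ip_network(e) for e in entries if e]

    def __contains__(self, address):
        return any(address in network for network in self.networks)


def targets(network, seed, blacklist):
    """Walk `network` in pseudorandom order, skipping blacklisted addresses."""
    net = ipaddress.ip_network(network)
    bits = net.max_prefixlen - net.prefixlen
    for offset in lcg_sequence(seed, bits):
        address = net.network_address + offset
        # Checked at yield time, so a reload takes effect in a running walk.
        if address not in blacklist:
            yield address


def reload_on_sigusr1(blacklist):
    """Refresh the blacklist whenever the process receives SIGUSR1 (POSIX)."""
    signal.signal(signal.SIGUSR1, blacklist.reload)


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("192.0.2.16/29\n192.0.2.200  # constructed entries\n")
    order = list(targets("192.0.2.0/24", seed=2013, blacklist=Blacklist(fh.name)))
    print(len(order), "addresses, first five:", *order[:5])
    os.remove(fh.name)
```

Because the blacklist is consulted as each address is produced, an opt-out request added to the file and followed by SIGUSR1 applies to the remainder of a multi-day run.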


slide-36
SLIDE 36

Conducted SSH Scans

Four scans
- Executed between September 2012 and January 2013
- Duration: 3 to 7 days per scan

| # | IPs probed  | SSH hosts found | SSH-1.x host keys (1) | SSH-2.0 host keys (1)      |
|---|-------------|-----------------|-----------------------|----------------------------|
| 1 | 2.3 billion | 2.3 million     | 189 k (115 k)         | 4 million (2 million)      |
| 2 | 3.3 billion | 4.3 million     | 327 k (185 k)         | 7.6 million (3.6 million)  |
| 3 | 1.3 billion | 1.5 million     | 106 k (76 k)          | 2.5 million (1.4 million)  |
| 4 | 3.7 billion | 12 million      | 984 k (538 k)         | 20.9 million (9.3 million) |

(1) distinct host keys in brackets

Challenge
- Routing problems


slide-40
SLIDE 40

SSH Versions

[Bar chart; axis: Percentage (logarithmic, 0.001 % to 100 %); bars: SSH versions 2.0, 1.99, 1.5, Others; annotation: Good ✓]

Invalid SSH versions
- SSH-2.99: Used by buggy Cisco devices
- SSH-2.37: Misconfigured OpenSSH


slide-43
SLIDE 43

SSH Servers

[Bar chart; axis: Percentage (0 % to 25 %); bars: OpenSSH_4.3, OpenSSH_5.3, OpenSSH_5.5, OpenSSH_5.1, Dropbear_0.51, Cisco-1.25, OpenSSH_5.9, OpenSSH_5.8, Dropbear_0.52, OpenSSH_3.9]

- Old versions ✗
- Supported by major distros ✓

slide-44
SLIDE 44

Algorithms (1)

Key Exchange
- Required: diffie-hellman-group1-sha1 (98 %) and diffie-hellman-group14-sha1 (77 %)
- Almost exclusively Diffie-Hellman and Elliptic Curve DH
- About 0.1 % offer RSA-style key exchange, no Perfect Forward Secrecy

Encryption
- Required: 3des-cbc (97.5 % support it)
- Most prominent are 3DES, AES, RC4, Blowfish
- Since OpenSSH 5.2 CTR-mode is preferred
- 20 % just support discouraged CBC-mode


slide-46
SLIDE 46

Algorithms (2)

Integrity Check
- Required: hmac-sha1
- Almost all SSH servers offer HMAC, about half UMAC
- Discouraged md5-8 (0.0006 %) and sha1-8 (0.0001 %) are offered

Compression
- Required: none
- Mostly used are none and zlib@openssh.com
- 13 % of servers also offer discouraged zlib
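The identification string and algorithm exchange from the connection-establishment slide, checked against the weaknesses listed under Algorithms (1) and (2): an added example, not code from the thesis or from sshscan. It parses a KEXINIT payload using the field names of RFC 4253; the sample server and the finding labels are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def parse_ident(line):
    """Split b'SSH-<proto>-<software>[ <comments>]' into its three parts."""
    text = line.rstrip(b"\r\n").decode("ascii")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    proto, _, rest = text[4:].partition("-")
    software, _, comments = rest.partition(" ")
    return proto, software, comments

def parse_kexinit(payload):
    """Decode the name-lists of one KEXINIT payload, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and random cookie (16 bytes)
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated before " + name)
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("name-list overruns payload: " + name)
        raw = payload[pos:pos + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += length
    return lists

def audit(ident, payload):
    """Return the weaknesses named on the slides that this server advertises."""
    proto, _, _ = parse_ident(ident)
    lists = parse_kexinit(payload)
    findings = []
    if proto.startswith("1."):  # 1.5 is SSH-1 only, 1.99 means SSH-1.x and SSH-2.0
        findings.append("ssh-1.x enabled")
    if any(k.startswith("rsa") for k in lists["kex_algorithms"]):
        findings.append("RSA key exchange (no forward secrecy)")
    ciphers = lists["encryption_algorithms_server_to_client"]
    if ciphers and all("-cbc" in c for c in ciphers):
        findings.append("CBC-mode ciphers only")
    if "zlib" in lists["compression_algorithms_server_to_client"]:
        findings.append("zlib compression offered")
    return findings

def build_kexinit(lists):
    """Encode a constructed KEXINIT payload (used only to make sample input)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample: an old server that only offers CBC ciphers and plain zlib.
WEAK_IDENT = b"SSH-1.99-OpenSSH_4.3\r\n"
WEAK_KEXINIT = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "encryption_algorithms_client_to_server": ["aes128-cbc", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-cbc", "3des-cbc"],
    "compression_algorithms_client_to_server": ["none", "zlib"],
    "compression_algorithms_server_to_client": ["none", "zlib"],
})

if __name__ == "__main__":
    for finding in audit(WEAK_IDENT, WEAK_KEXINIT):
        print(finding)
```

Both inputs are sent in the clear before key exchange, so the same check can be run against a packet capture of one's own servers without completing a login.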


slide-50
SLIDE 50

User Authentication

[Bar chart; axis: Percentage (0 % to 100 %); bars: publickey, password, gssapi-with-mic, keyboard-interactive, gssapi-keyex, hostbased, gssapi, none, external-keyex]

- Public Key: Good ✓
- Password: Bad ✗

slide-51
SLIDE 51

SSH Host Keys

Used to identify server

SSH-1.x
- Type: Only ssh-rsa1
- 189 k, 327 k, 106 k and 984 k fetched during four scans
- Between 30 % and 45 % of keys are duplicates

SSH-2.0
- Types: ssh-rsa, ssh-dss, ecdsa-sha2
- 4 million, 7.2 million, 2.5 million and 20.9 million fetched
- Between 45 % and 55 % of keys are duplicates


slide-54
SLIDE 54

Duplicate Host Keys

Duplicate SSH-2.0 host keys
- Single most often duplicated key accounted for more than 1 % of all fetched keys

Autonomous Systems
- Duplicate key occurrence is clustered
- Autonomous Systems with many duplicate host keys:
  - 1&1
  - Hetzner
  - Chunghwa Telecom (Taiwan)

Duplicate host keys + password authentication: Man-in-the-Middle attacks


slide-59
SLIDE 59

Duplicate Keys: SSH Servers

[Bar chart; axis: Percentage (5 to 30); series: Duplicate Keys, Unique Keys; bars: OpenSSH_4.3, OpenSSH_5.3, OpenSSH_5.5, OpenSSH_5.1, Dropbear_0.52, OpenSSH_3.9, OpenSSH_5.9, Dropbear_0.46, OpenSSH_5.8, OpenSSH lancom]

- New servers: Good ✓
- E.g. lancom: Bad ✗

slide-60
SLIDE 60

SSH-1.x Host Key Analysis

Key length
- 91 % of all keys have 1024 or fewer bits
  - They are not considered to be secure anymore
- 8.6 % of keys are 2048 bit long, only 0.02 % are 4096 bit keys

No good reason to still use SSH-1.x in the first place!


slide-62
SLIDE 62

SSH-2.0 Host Key Analysis

Key types
- Majority RSA (52 %) and DSA (44.5 %) type keys
- Elliptic curve DSA usage increased from 2.3 % to 3.5 % within four months

Key length
- RSA: 69 % of all keys are 2048 bit long, 30 % are 1024 bit long
- DSA: 98 % of keys are 1024 bit long, 1 % is 2048 bit long, 0.5 % still uses 512 bit keys
- ECDSA: More than 99 % use 520 bit keys, the rest is longer

The NIST recommends at least 2048 bits for RSA/DSA keys


slide-66
SLIDE 66

Notary-Based Authentication

[Figure: OpenSSH warning when connecting to host with unknown fingerprint]

slide-67
SLIDE 67

OpenSSH interacting with CrossbearSSH

Participants: SSH Server, OpenSSH Client, CrossbearSSH Server (with Database)

1. SSH Key Exchange (SSH Server and OpenSSH Client)
2. Unknown or not matching SSH host key fingerprint
3. VerifyHostKeyNotary?
   - no: Display warning
   - yes: FpVerifyRequest (OpenSSH Client to CrossbearSSH Server)
4. CrossbearSSH Server: check Database
5. FpVerifyResult (CrossbearSSH Server to OpenSSH Client)
6. MATCH?
   - no: Display warning
   - yes: Continue connecting

slide-68
SLIDE 68

CrossbearSSH and notary-enabled OpenSSH

CrossbearSSH
- Modified Crossbear server for SSH
- Verifies SSH fingerprint by comparing to database or doing a live lookup
- Sends result back to client

Notary-enabled OpenSSH
- Patched version of OpenSSH 6.1
- Proof-of-concept implementation
- Option to ask notary server when...
  - establishing the first connection to an SSH server, or
  - fingerprint changed
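The flow between the OpenSSH client and CrossbearSSH, written out as runnable logic (an added example, not the thesis's OpenSSH patch or the Crossbear server). The message fields, the NO_MATCH verdict, host names and key blobs are hypothetical, and fingerprints use today's SHA256 display format rather than the MD5 form shown by OpenSSH 6.1.

```python
import base64
import hashlib


def fingerprint(key_blob):
    """SHA-256 fingerprint of a public host key blob: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class Notary:
    """Stand-in for the CrossbearSSH server (hypothetical interface)."""

    def __init__(self, live_lookup=None):
        self.database = {}              # (host, port) -> fingerprints the notary has seen
        self.live_lookup = live_lookup  # callable(host, port) -> key blob or None
        self.requests = 0

    def record(self, host, port, key_blob):
        self.database.setdefault((host, port), set()).add(fingerprint(key_blob))

    def handle(self, request):
        """Answer one FpVerifyRequest with an FpVerifyResult."""
        self.requests += 1
        endpoint = (request["host"], request["port"])
        if endpoint not in self.database and self.live_lookup is not None:
            # Live lookup: fetch the key over the notary's own network path.
            blob = self.live_lookup(*endpoint)
            if blob is not None:
                self.record(endpoint[0], endpoint[1], blob)
        seen = self.database.get(endpoint, set())
        verdict = "MATCH" if request["fingerprint"] in seen else "NO_MATCH"
        return {"type": "FpVerifyResult", "verdict": verdict}


def check_host_key(host, port, key_blob, known_hosts, notary=None):
    """Client-side decision after key exchange: 'continue' or 'warn'."""
    offered = fingerprint(key_blob)
    if known_hosts.get((host, port)) == offered:
        return "continue"  # fingerprint known and matching: notary not involved
    if notary is None:     # VerifyHostKeyNotary switched off
        return "warn"
    result = notary.handle({"type": "FpVerifyRequest", "host": host,
                            "port": port, "fingerprint": offered})
    # Fail closed: anything but an explicit MATCH, including a host the
    # notary has never seen, ends in the warning.
    return "continue" if result["verdict"] == "MATCH" else "warn"


if __name__ == "__main__":
    genuine, forged = b"constructed genuine key", b"constructed forged key"
    notary = Notary()
    notary.record("gw.example.net", 22, genuine)
    for blob in (genuine, forged):
        print(check_host_key("gw.example.net", 22, blob, {}, notary))
```

The notary only adds assurance when its path to the server differs from the client's; an interceptor close to the server would present the same key to both.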


slide-71
SLIDE 71

Summary

SSH scanning
- Scan complete IPv4 address space in one week
- Useful for other protocols, too

State of SSH
- Weaknesses: SSH-1.x, outdated algorithms, short keys, password authentication
- Duplicated keys in AS’s

CrossbearSSH
- Uses vast SSH host key collection
- Proof-of-concept implementation with OpenSSH
- Thwarts Man-in-the-Middle attacks


slide-74
SLIDE 74

The End...

Thank you for your attention