Slashdot Mirror
SSH v. SRP
A reader asks, "We've all heard of SSH. My question is whether SSH is really the best option, or the only option? Many security experts and cryptographers believe SSH users may be lulled into a false sense of security, because of some outstanding security issues. An open-source project based at Stanford purports to have solved these problems."
The Stanford group claims SRP to be safe against snooping and immune to reply attacks. SRP exchanges a session key in the process of authentication, provides mutual authentication to resist dictionary attacks, offers what is supposed to be perfect forward secrecy, and does not require the server host to keep any information secure. This comparison of these two technologies should provide food for thought. Can SRP replace SSH? Does it truly offer more security? Is it the better choice? In simple terms, what are *your* thoughts?
Telnet, unlike its "secure" counterparts, is the only communications program that lets you connect to any port of the destination computer, regardless of application protocol.
Therefore, the question:
Do we want to sacrifice our liberty for the sake of security? Not Thomas Jefferson, nor do I.
Fermat's Last Theorem is unprovable.
This counts a lot in my book, even if SRP is better in some areas, how well is it going to stand up when it starts getting banged arround.
Noel
RootPrompt.org -- Nothing but Unix
kayaking
I know SSH used properly can encrypt your entire session so your entire session would not be suseptible(sp?) to sniffing. Does SRP offer the same? And what about the openssh project?
SSH can protect connections to remote X clients. Can SRP do this too?
-- Mike Greaves
#man ssh
-L port:host:hostport
Specifies that the given port on the local (client)
host is to be forwarded to the given host and port
on the remote side. This works by allocating a
socket to listen to port on the local side, and
whenever a connection is made to this port, the
connection is forwarded over the secure channel,
and a connection is made to host:hostport from the
remote machine. Port forwardings can also be spec-
ified in the configuration file. Only root can
forward privileged ports.
-R port:host:hostport
Specifies that the given port on the remote
(server) host is to be forwarded to the given host
and port on the local side. This works by allocat-
ing a socket to listen to port on the remote side,
and whenever a connection is made to this port, the
connection is forwarded over the secure channel,
and a connection is made to host:hostport from the
local machine. Port forwardings can also be speci-
fied in the configuration file. Privileged ports
can be forwarded only when logging in as root on
the remote machine.
Add tuneling, and I think your points are easily addressed.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I would love to use SSH... problem is the machines I have to connect from. Is there any way to use SSH from a windows box. I would install SSH except all of the machines on campus are winblows boxes.
Even though I haven't used it often, telnet with S/Key login seems to be a great alternative to vanilla telnet.
From what I understand, it's only vulnerable to TCP hijacking (most things are) and dictionary attacks (which can be easily detected or accounts can be configured to be "locked out" after X bad login attempts).
The best one of these is OPIE which can provide a one time pad for telnet, FTP and even su.
Better yet, OpenBSD comes with this feature built into the OS.
What I CAN do is point out that the most dangerous security attitude is "It can't happen to me!" There is no substitute for watching the security web sites, making sure you have applied the latest security patches, and simply being aware of what is happening on your system.
ssh is a definite plus over telnet, and I use it routinely. It is now just as natural to me as using the telnet command was 10 years ago. I'll certainly keep an eye on any new ways of doing things, but it would take a little more than what I have seen so far to make a switch at this time
-----------------------------------------
-----------------------------------------
Computeri non cogitant, ergo non sunt
I would love to use SSH... problem is the machines I have to connect from. Is there any way to use SSH from a windows box. I would install SSH except all of the machines on campus are winblows boxes.
Actually if you look at your local tucows mirror you can get ssh type telnet shells. I know of at least one I saw being used but forgot the name.
Slashdot social engineering at it's finest
which are those? I've been ssh for quite a while, and the only thing I had heard about was a buffer overflow. Are there any questionable architecture design deciscions on ssh?
Also, does anybody have a mirror, it like this site is getting slashdotted already.
There's been how many bounce attacks and remote security issues with it? I know they designed it to be encrypted, but how about following up on the 'Secure' part of the name! I ended up not running it BECAUSE of the security issues it caused!
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Quick thought on SRP vs SSH. From the quick glance at the SRP web site, it seems to me that SRP only offers secure password transmission and forgoes on packet encryption, offered by SSH. The two solutions differ very much. Therefore I could still be able to sniff yyour traffic and possibly gleam other important info, after the login ( su anyone ??? ). Note, I did only glance at the site while munching my lunch at my desk while troubleshooting a networking issue and chatting on IRC.
47% of all statistics are made up on the spot.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Do a search for TeraTerm or TeraTermPro. Then get the add-on for ssh and the crypto (Blowfish, IDEA, RSA). No source for any of this, though. Binary only. But since it's for windows, how secure could it possible be at best? If your machine is on the net, MS can probably read your keystrokes anyway.
Check out mindterm (a Java SSH implementation) and PuTTY (a Free Windoze Telnet/SSH)
Debian: GNU/Linux done the Linux way
a false sense of security is worse than no security at all.
So you send your root password over the internet in cleartext? Now that's living on the edge... of stupidity. Have you ever used a packet sniffer? The output looks like this:
/]$ su -
/root]#
/etc/login.access or something like that you could just remove logins for root or anyone else from certain times. Bango you have removed the problem without expending any problems at all. Or perhaps you just use a complex C++ program that would analyze voice prints (ala Millenium "Forrest Green is People" *snicker*)?
Maybe there's nothing that you care about on the machine. I had a thought I don't know about you but perhaps if you security gets compromised and someone was doing one of these fabled attacks then perhaps you could just shut down the machine or turn it off in the first place?
[anonymous@coward
Password: ontheedge
[root@coward
Who transfers to the root partition as part of their normal access or for su'ing?
Next thing you know, you're taking part in a DDoS attack.
Assuming you edit the file
Slashdot social engineering at it's finest
Works like this... you're host A connecting to host B but the packets go through host C. So unless host A and B have an alternate method to exchange keys, you're vulnerable to having host C replace the key with it's own, so in reality you're talking to host C and it's using a simple form of IP masquarading to make it look as if it's B or A...
So long as host C is the only route between the two (which is suprisingly easy to accomplish) - or through icmp and bgp manipulation makes that the case - you can ensure that host C has access to all the data over the wire even though those two hosts think they now have a trusted connection! Unless you can bypass host C via another path you won't even know it's happening.
Now, let me make this clear: there is no method for you to ensure data integrity over a public network like the internet. You must exchange keys over a secure medium before you can communicate securely over any network unless you can ensure that the entire network is under the same (trusted) administrative domain and have verified that it has not been tampered with (very, very difficult).
So in short: Yeah, SSH has problems. But this new program isn't going to make any leaps forward. You really need a PGP-style distributed key server system where you can verify the key's integrity through a trust network and/or via multiple independent routes / hosts. Otherwise, the alternative is a Kerberos-style system. Unfortunately THAT system has a single point of failure - if the key server is compromised your entire network is compromised. I'm not an expert though on Kerberos, so feedback is appreciated.
That is all,
Why use SSH when OpenSSH is better, faster (at least at SSH 1.x stuff, which is what it does), open source, and free?
I wouldn't trust an SSH binary I didn't compile myself, particularly from an american company the NSA allows to exist.
Go to tucows, find the telnet app Tera Term Pro, go to the home site and there should be links for TTSSH an ssh plugin for it. It doesn't to port forwarding well, no host-specific config. I think you have to generate your key on a Unix box. Data-Fellows sells SSH for Win*. About $100, and the clients you buy now are v2 and are not backwards-compatible to v1, smells like a conspiracy. And the terminal emulation sucks big time. Almost as bad as windows telnet. It does handle host-specific config fairly well.
All true wisdom can be found in sigs.
Yes, SSH has weaknesses and the occasional buffer overflow, but the patches are made fairly quickly, and because of the high number of people using it, there is a high probability that other people will find a bug before it affects you.
SSH is a little more versatile in that it can do port forwarding to make
arbitrary TCP connections secured. It can even be used to support secure PPP
tunnels. SRP on the otherhand is less versatile. Only telnet and ftp seem to
be supported. Someone please correct me if I'm wrong, but as far as I know
SRP does not have any sort of connection forwarding like SSH does.
Another major difference is in licensing. SRP is under the GPL. No official
version of SSH is under a real open source licesense. SSH2 forbids any sort
of commercial use, even internally. SSH1 is slightly less restrictive in
that it allows for commercial use without paying them, but you can only use
it internally. These license restrictions are the reason SSH isn't found in
most linux distros.
However, there is an open source implementation of SSH being developed by
the OpenBSD people at http://www.openssh.org. It is ususably stable in its
current version.
The main thing SRP and SSH have in common is that they require no
infrastructure to be secure. In otherwords, you do not need any sort of key
distribution centers, or any other sort of software besides the daemon
itself and the client program to make everything work. Compare this to say,
Kerberos. Using kerberos, you can have secure connectivity to a machine,
however, there's a lot of additional infrastructure and complexity thrown
in, (such as KDC machines). You'll want to use Kerberos if you have a lot of
machines that will share a common user/password database. Kerberos will let
you log into one machine, say a kerberized workstation, and you'll be able
to securely log into any other machine (via telnet, rlogin, rsh, rcp, ssh,
ftp, pop3...) that's part of the same Kerberos realm without ever having to
type your password (assuming your client software supports Kerberos authentication).
SRP is arguably more secure than SSH, however SSH is a little more widely
implememnted and can be used for more things. If all you need is a secure
telnet and FTP, and the existing clients are suitable for you and you can
trust it (SRP is a litte newer), I'd give it a try.
From the SRP page:
"The Project's primary purpose is to improve network security from the ground up - by integrating secure password authentication into widely-used protocols instead of adding security as an afterthought."
Perhaps the maintainers would care to post something on bugtraq? announcing their new package.
Microsoft aggravates my tourettes syndrome.
SSH on the other hand is a very useful application offering secure communications to another host. Keep in mind that SSH's password authentication happens after the encrypted channel has been set up. This means that the password can only be intercepted if the crypto fails.
SRP's security is based on similar cypro primitives as SSH's, so if the magic crypto hack we're all looking for gets found both will be useless.
There are strange things done, under the midnight sun by the men who moil for gold - Robert Service
As I know it, this is based on the N=PQ public and secret key algorithmns.
As I posted a few weeks ago, I wrote that I was working on an algorithmn which can find primes fast.
If you have some patience, I'll put a binary on the web and post the download link in this thread.
The binary actually is on the web right now, but my provider hates heavy traffic.
Bizar technology?
your machine is on the net, MS can probably read your keystrokes anyway.
secureCRT form for download
zow Which also provides for ssh
Slashdot social engineering at it's finest
Erhm, actually, su -, unlike su generates a login shell, not just a regular subshell. This includes resetting your enviornment (as root) and chdiring to the /root directory. It's especially useful on systems where /sbin is only in root's path; with su -, you get /sbin in your path when you su.
I would gladly use SRP... as soon as sourceforge.net uses it on it's servers... as soon as I can use it to log into my shell accounts and cvs repositories instead of SSH. Even if this technology is far superior to SSH, I won't use it until it becomes more standardized.
SRP, along with most other public key authentication systems (and almost all password modification used today) appear to infringe on Carl Limsico's patent.
So if you run an ISP, or just a webserver, in a few years your 'lusers' will be able to put up their nifty HTML and links to their family and friends' websites without compromising your security ...
Although Win2k comes with IPSec, its not the most obvious of things to set up, so don't expect 'em to be using it right away! Hopefully a default configuration will come along in a few years and we will all be able to surf safely.
p.s. In the meantime, can anyone recommend some international software that I can install to secure my FTP connections? I don't live in America, so I am missing out on all the websites with "download my great secure software" with a .org extension in the URL, not mentioning where they are hosted, cos I don't want the FBI, NSA, or whatever you people have banging on my door one night! So tell me! p.s. I already use PuTTY.
It is free (only as in beer, but better than nothing), small, and stand-alone. That means there are no tied in dlls so you can just put it up on your webpage and pick 'open' so you can have a shell even on locked down windows boxes. Plus it does telnet sessions a lot nicer than windows telnet (yeah, I know, what doesn't) so it makes for a nice 2 in 1.
I have a crippled dummy account set up which I openly telnet or ftp into occasionally. There's no write permission for ftp, the shell does nothing but return a fortune cookie and exit. I do however track all logins and login attempts. I use this account to lure the packet sniffers out of hiding and report them to their ISP. Come and get it boyz. heh heh.
Sie sind ein dumbkopf. Warum mussen Sie troll? Ich verstehe nicht.
People I know use SSH to encrypt their connection. This is nothing but a replacement for RADIUS or TACACS - a means to encrypt your login but not your session.
>I am just wondering if PCAnywhere (and other related NT admining tools) have encryption features comparable to ssh and friends?
pcAnywhere (version 8 at least) provides four types of encryption: Public Key encryption, Symmetric encryption, PcANYWHERE encryption, and No encryption.
The public-key is as good as Windows is. It uses the Microsoft CryptoAPI, and can do 128-bit is your Windows has 128 bit installed (say you installed 128-bit IE, for example).. I haven't set this up, but you need a certificate authority in order to do it, according to their helpfiles.
Symmetric: no information available. Presumably it doesn't send the symmetric key across, but maybe it does. If so, then it's pretty worthless. If not, then how does each side know what the key is? Got me.
pcAnywhere encryption: minimal encryption, according to their own helpfiles. Probably something really simple and easily broken.
None: None, obviously.
Just a little FYI..
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
This is your lucky day. Buy yourself a candy bar.
First, download and install Tera Term from here.
Then, install the "TTSSH" SSH-module from here.
Instant bliss!The best part is, it costs nothing. Yessir, you can even find the sources. Installation is trivial point-and-clicking, and there are no export restrictions.
Happy happy joy joy!
By the way, I was not being sarcastic at all. Seriously.
Maybe there's nothing that you care about on the machine. I had a thought I don't know about you but perhaps if you security gets compromised and someone was doing one of these fabled attacks then perhaps you could just shut down the machine or turn it off in the first place?
/etc/login.access or something like that you could just remove logins for root or anyone else from certain times. Bango you have removed the problem without expending any problems at all.
If a single machine on a network is compromised, the entire network's security is greatly decreased. If someone cracks my machine, 600 other machines become hugely more vulnerable because the first thing any even vaguely competent script-kiddie is going to do is install a packet sniffer. As for turning machines off if they start being used for DoS attacks - great. I'm sure the remote site will be thrilled that it only took a few hours for you to wake up/get home/notice before pulling the plug. Security is not something that should be dealt with half-heartedly, and if you're not going to care about security then your machine should not be allowed anywhere near the internet.
Who transfers to the root partition as part of their normal access or for su'ing?
That's what su - does.
Assuming you edit the file
You mean block root access at certain times of day? But that would prevent me from doing remote administration at certain times of day, and still does nothing to prevent someone packet sniffing my root password when I do use it. From that point on, I've lost. You should never transmit your root password via telnet unless you trust all the other hosts on your network.
Secondly, if you followed security lists at all, you'd know that encryption attacks are the least succesful way to hack a security tool.
I'm not sure if anyone's mentioned it, but my favorite use for ssh's arbitrary port forwarding is setting up secure X connections. It's a fast, easy, secure way to use all my cool graphical applications while diddling away on the SPARCs in lab. It's also the easiest way I can find to get remote X sessions to tunnel through a masquerading firewall.
The punchline: When srp can automatically do secure X, it'll be ready to replace ssh.
Tetris rules.
This isn't aimed at anyone in particular - yes, I'm replying to a message, but it applies to the whole forum.
But you people are still easier to troll than a school of starving tuna. From the very first comment here to the last.
Check for the "<HEE HEE HEE>" "</HEE HEE HEE>" tags before replying.
ssh has a name far too similar to rsh. *shiver*
Feed The Need[goatse.cx]
PuTTY is great. It's open source, works well and includes an SCP client so you don't have to use FTP to transfer files and send your password unencrypted anyway. Did I mention how great it is?
The protocol works this way:
1) A sends B his public key
2) B sends A his public key
3) A encrypts using B's public key and sends half the message to B
4) B encrypts using A's public key and sends half the message to B
5) A sends the other half to B
6) B sends the other half to A
7) Both A and B put the two halves together and decrypt the message with their private keys
If someone is in the middle, he can change the public keys by its own keys, but then in points 3 and 4 he will not be able to pass the real message because it has not been transmitted yet; he will have to invent a completely new message and though the "conversation" will be completely different. This is not a perfect solution since, in fact, he will be able to intercept at least the first messages exchange, but his presence would be detected quickly.
As you pointed, the good solution is to use some kind of trusted third party authentication.
Is there a way to encrypt a windows net drive connect to a samba client? I know ssh and variants allow secure telnet and ftp sessions, but what about secure drive mounting (both windows and nfs)?
We've used telnet over the Internet for over two years as our initial ASP offering (we're readying our web-based application to replace it). That is, we're able to deliver our *nix based enterprise application over the Internet via telnet (as long as we have a maximmum latency of 500 ms, that is). These issues of securing login and packet data had to be addressed for us to convince our Fortune 500 customers to buy into our Internet-based solution.
Combining SRP, for password transmission, and CIPE for complete packet encryption, we're able to provide a reliably secure telnet session.
If we didn't have SRP and CIPE, we'd be SOL.
P.S. At the project's inception in 1996 we could not cost-justify any solution that required a per-user license fee. This threw us into Open Source solutions (and the ability to hack at the source code has proven a marvellous benefit since then).
-- @rjamestaylor on Ello
Wasn't it "soylent green is people"?
Anyhow, repeat after me: telnet is bad, mmmkay.
First of all, I'm absolutely no security expert, the only thing I know is that finding large primes is very hard. So this part of the whole thing kept me busy, I posted it here to get some reactions, maybe some ideas.
Secondly, the binary I posted is not factoring primes, it does a numerical determination, so it won't find them right away, it must search.
Althoug it searches, this searching is done very fast.
Thirdly, I don't care what critics say, as I'll be working on this program to get it even faster, and I will support larger integers in future. I just hope somebody enjoys it.
Bizar technology?
I never denied that SSH suffers occasional buffer overflows - like I said - they get fixed.
SRP has a tiny userbase- you should assume that it also has an equal number of issues waiting to be discovered anf fixed.
Your only other alternatives are telnet/rsh or take your box off the web.
Given those choices, I'll stick with SSH.
I know this is a troll...however...I just need
to correct the glaring error...
> SSH is an American product. Don't touch it. It's
> bound to be of wretchedly poor quality, because
> US workers are wage slaves with no personal or
> civil rights, and slaves always do lousy work.
Well most of that is somewhat true...no civil
rights, wage slaves (often)...low quality work...
yup that too sometimes...
However... the person you reply to was talking
about OpenSSH. A free software product, which
was developed in Canada, not the US.
> Ever heard of the Greater Fool Theory?
> Capitalism is the Greater Fool Economy. Don't
> be the fool.
I suspect you don't actually believe this.
However, here I have to agree with you...
Capitalism is a pretty pitiful system (though
most people don't understand the beauty of
the alternatives).
Which of course has nothing to do with the topic.
Especially considering OpenSSH exists and was
not (AFAIK) written with capitalist goals in
mind.
"I opened my eyes, and everything went dark again"
But er, Fermat's Last Theorem *was* proven. I got the file.
--==Tandem the Spoony rides on!==--
> SSH is an American product.
SSH is a Finnish product. It was developed originally in Helsinki University of Technology by Tatu Ylönen.
The algorithm you're suggesting is mostly a precursor of the current PKIs (I haven't read its reference paper, and don't really have the time to find it, but I wouldn't be surprised to find that it dates back ~RSA publication times).
By definition, at it's worst, a man-in-the-middle attack cannot be blocked/prevented: if A has never met B, there is no way for A to be convinced that she is really talking to B and not to C. If B is in the same situation (having never met A) and is also really speaking with C then although their communication may get from one to the other, it will always be possible for C to see all of it (since C can simply pretend to each of them to be the other player and then decrypt/reencrypt the message).
For trust to be achieved perfectly you will always need an additional piece of information (or mean of identification) in which you can trust... PKI's are one of the possible solutions. In the case of the Rivest-Shamir you're describing both parties must have common knowledge of the message's content prior to starting the algorithm otherwise a middleman could switch messages for it's own. In essence the protocol becomes dependant on the messages's nature and the fact that both players must know it... Two complete strangers could not use it.
But then again, there can't exist a protocol for two complete strangers to identify themselves to one another...
it broke 16-bit prime codes in less than 0.64 seconds,
Umm, this doesn't say much about the algorithm itself. (See below) Besides, I bet that even bruteforce-factoring a 16-bit prime is faster...
By complexity I meant how the running time grows as a function of the input size, regardless of the speed of the processor you are using. I don't want to scare you with maths or anything, but a place to grasp the idea of the classes of computational complexity would be for example the slide show in here. The concept is simple, really. Scroll back and forth the slides and grab the interesting bits. Knowing thy Ordo is very useful, and helps prevent a lot of unnecessary head/wall-interaction involving large amounts of kinetic energy.
Regardless of whether your algorithm works or not, I would be interested in seeing the source code, if at all possible.
Could you please at least post the inner loop to the web page?
s/USA/Finland/g
No problem!
I hadn't known SSH was Finnish when I wrote that, but that makes it even better, doesn't it?
"It is free (only as in beer, but better than nothing), small, and stand-alone."
You can download the source code. What else do you want?
All this chatter about mystical snake oil binary-only software that cracks keys....
OK. There is only one way to guess the passphrase of an ssh identity, and that is brute force trial and error. ADM has something to do just this (takes dictionary lists as input).
Take your snake oil software and shove it.
From a purely technical point of view, SSH, when using public key cryptography, is as secure as SRP. In the following list, I don't claim that SRP doesn't do any of these things; I'm merely clarifying what SSH does do.
- SSH keeps a "known hosts" file on the client, to thwart middlemen attacks. SSH warns the user if the server fails to authenticate itself properly.
- SSH encrypts each session with a randomly generated key, which it communicates through a secure connection. Therefore, if a single session key is somehow compromised, all other sessions are still secure.
- Authentication is done either with public/private keys or with a server side authentication mechanism, such as PAM. In the second case, any passwords or other information is transmitted encrypted, and so is secure. In the first case, the password is never transmitted and there is no chance of the user's password on the server being compromised through SSH. The user's password is never used to encrypt a session.
- OpenSSH, OpenSSL, and LSH are all open source, non-commercial projects.
- SSH allows securing of arbitrary ports, and provides extensive port forwarding capabilities. Therefore, any service on a server running SSHD can be secured, as long as the client program can alter the port of the service it is requesting. As an example, to secure an IMAP connection, one would issue: ssh -L 1442:servername:143 servername and then connect with their email client to localhost:1442.
- Although most users of OpenSSH are unaware of the fact, OpenSSL, which is required for OpenSSH, provides a powerful tool for dealing with X.509 certificates. With OpenSSL, you can encrypt, generate hashes, generate certificates, generate certificate requests, and perform a large number of other security-related actions. OpenSSL documentation is extremely sparce, and due to the complexity of X.509, using OpenSSL tools can be difficult; this is probably the primary reason why most people are oblivious to OpenSSL capabilities.
- OpenSSL is the basis for a number of port wrapping tools, such as sslwrap. With these tools, you can provide secure sockets to services such as HTTP, IMAP, telnet, and POP. Many clients, such as Netscape, understand secure sockets, and several ports are defined as "well known ports" for these secure services. (EG: IMAP's secure port is 993, and Netscape Communicator knows and can take advantage of this).
- Using public keys with SSH simplifies accessing services, so that 'ssh' and 'scp' are as easy to use as 'rsh' and 'rcp'. This is slightly less secure on a shared client, because the private key is held in the client memory during a login session, and is subject to core dump attacks. If the client machine is not shared, this is not an issue.
- OpenSS[HL] doesn't require using RSA algorithms; in fact, you can choose from any number of non-commercial algorithms.
The SRP site claims that there are several "advantages" to using SRP, but never says what these advantages are in relation to. In particular, the SRP site does not claim that SRP is more secure than SSH. SRP is certainly more secure that vanilla telnet, but I see no advantage to using SRP over SSH. The obvious advantage to using SSH over SRP is that SSH is ubiquitous, and well tested.Please, if anyone knows any way in which SRP is superior to SSH, I'd like to know.
Does anyone have succeeded compiling SSH under SCO? If yes I need to know how! please tell send me an email I will be please to discuss to you thanks. ep@linux-mandrake.com
Actually, we're not talking about data integrity here (Integrity being the assurance that the data is the same when it gets there as it was when it was sent).
That would be nice, and can be done via digital signing (w/ a known public/private key configuration), but isn't (as far as I know) actually implemented in ssh. I may be wrong on this aspect.
What _is_ implemented is confidentiality, the assurance that someone (such as a man in the middle) cannot read/understand what is being sent across the connection.
Under the current (default) ssh scheme, this is assured ONLY when it is granted that the very first time your ssh client talked to the server on that machine, no one was sitting in the middle to compromise things.
The way to fix this is to use a trusted-third-party distribution scheme such as SSL or Kerberos in order to make sure that each end is who they say they are. I don't believe SSH has this functionality built in yet-- it's one of the things I'm hoping to do as a final security project in a class this year. Trusted Third Party protocols allow a way around the man-in-the middle attacks, by parlaying a shared secret between the third party and each of the client and server.
Hope that helps clear things up a little.
Disclaimer: The author has been known to be wrong before, and will probably be wrong again some time in the future. The author is also non-deterministic. Deal with it.
The comment above that shares the below disclaimer is actually from me. What I get for playing with the anonymous button... sigh. Disclaimer: The author has been known to be wrong before, and will probably be wrong again some time in the future. The author is also non-deterministic. Deal with it.
Disclaimer: The author has been known to be wrong before, and will probably be wrong again some time in the future.
No, you're wrong. Finding large primes is quite easy. If it weren't, we'd have an awful hard time doing many of the current encryption algorithms.
What's hard is factoring large composite numbers that are the product of two large primes.
It's not clear what you're saying your program does: does it factor numbers, or is it a program that searches for prime numbers? It would be pretty hard to believe that you've got anything efficient for the first, and the second is just not too hard to do (although to be blunt it doesn't sound like you know enough math to make something efficient for this one either...).
Most methods of crashing or hacking NT don't go this route.
... Unix can and has done the same thing.
NT's remote admin tools are better than most unixophiles care to know. The problem is they aren't included in the already staggering cost of Win2000 Server (the argument NT is cheaper is completely out the window on per seat costs now) and they aren't "native" to MS.
But MS will buy a company that provides these tools and roll them into a release in the future. Unlike something like the citrix winframe stuff, adding good remote admin tools won't harm sales of NT or Win2k server or whatever. They'll use that startling new breakthrough technology only available on Windows - Active Directory Services!!
ADS is actually LDAP - securitized a bit
I could block serverxyz from the network, rename my server to serverxyz and be able to do a spoof because there are no pre-defined keys that could be authenticated otherwise to show that I'm not.
You're thinking of TTSSH. When I have to use a random Windows box and I need SSH, this is what I download and use.
-----
The real meaning of the GNU GPL:
The real meaning of the GNU GPL:
"The Source will be with you... Always."
SRP does the first step of keeping the initial authentication secret. Since both sides then have a secret random number as a side effect of SRP, it would be possible to use a collision resistent one-way hash to "sign" future packets. However, as far as I can tell, no implimentation of SRP currently accomplish signing of future packets. The last point can't be addressed while still meeting SRP's goals of not using encryption. This becomes a problem when legacy authenitication methods are used withen the SRP authenticated session. For example, withen an SSH encrypted stream, the "su" application can be run without revealing the password in clear text and without the application needing to be altered. SRP on the other hand only can address this if your willing to replace the "su" application and all other authentication applications to be used withen the session (passwd, DBA tools, etc.) via SRP based ones. In some cases, such as with database tools, an SRP replacement may not be possible. Therefore, SRP has it's own political problem of: is all your authentication application vendors accepting enough of SRP to provide you with an SRP aware version of their application? You may find that depending on what country you live in, the politics of SRP acceptence is far worse problem then the politics behind encryption.
That all having been said, I am impressed by SRP and would like to see it submitted to the W3C for use in future revisions in the HTTP standard. There are several cases that I'm aware of that keeping the password private is important but the data isn't sensative enough to warrent the overhead of SSL.
The main advantage to SRP is that it uses a simple password to authenticate, instead of requiring the user to carry around a public/private keypair with them as they move around (in other words, there's no client-side setup required beyond the installation of an SRP-capable client app). This can be the same password as the regular UNIX account password, although it's hashed in a different format and so SRP can't be used with existing password files. I've written a plugin crypt module for a replacement to FreeBSD's libcrypt which teaches crypt() how to speak SRP hashed passwords, so if you do something like this then everything else (non-SRP apps like login) will authenticate just fine. There's also an SRP PAM module floating around.
/etc/tpasswd file and brute-force attack that.
Security-wise, the authentication protocol has been well investigated, and as far as I know it's stood up fine so far - no serious weaknesses have been discovered.
On the other hand, the SSH v1 protocol as implemented by OpenSSH and all other SSH v1 implementations has an insertion attack which allows the insertion of data into the stream because of insecure integrity protection (it uses a weak checksum). The SSH2 protocol fixes the design flaws in SSH1 (as well as allowing other key exchange schemes than RSA) but OpenSSH doesn't speak it (since it's based on an old SSH 1.x distribution). Hopefully this will change in the near future.
As part of the SRP authentication handshake, a session key can be shared which allows the rest of the session to be encrypted. So SRP provides for authentication as well as secrecy, like SSH does.
SRP is just an algorithm - there's nothing preventing someone from creating a SSH-like app which authenticates using SRP, and then provides all of the port-forwarding features which SSH does. This would be quite useful, actually, and is something I'm hoping to do when I get around to bringing native SRP capability into FreeBSD.
The major downside to SRP is that the authentication is only as strong as your passphrase. But on the other hand, this is true as well in SSH if you can get a hold of someone's encrypted private key (if they carry it around with them on a floppy so they can log in from random hosts, for example). This can be mitigated by enforcing strong passphrase selection on the SRP server. An attacker sniffing the authentication exchange cannot obtain any data which is useful for determining the passphrase, even by a brute-force dictionary attack - you have to obtain access to the
The Stanford SRP distribution is distributed under a BSD-style license. This is good for most people (e.g. commercial users who want to add SRP support to their products, etc), but it may prohibit the code from being incorporated into a larger GPLed program (because of the GPL's "no other restrictions" clause and the BSDL's "must give acknowledgement" clause). Consult your lawyer..
On the whole, SRP is more practical to implement because it doesn't require per-user client-side configuration. In most ways it seems to be a superior solution which is just awaiting wider adoption.
So, why can't I get my university to install SSH clients on all the desktops that we use to connect to our unix servers?
:(
Telnet is the only supported solution, and anything else gets wiped from lab machines
-- Ender, Duke_of_URL
Now, is forcing someone to *only* allow logins when using a key really solving any problem? If you need to get in to your box from somewhere and you don't have time to do so otherwise, then login using password. If you have something so secure on your box that password is not acceptable (your paraniod and should never use ecom either 8-}) then just configure sshd so that it doesn't allow password logins.
Besides, in most systems, the cyrpto that you use for remote administration is surely the least of your worries. Why not switch to OpenBSD so that you can sleep at night?
OpenBSD: Secure by Default... Ships with SSH
It was proven some time ago. Get out of the office once in a while will ya?
It's not complete, and it's not meant to be.
Maybe this will help make it more so: homepages for some of the software you discuss.
Anyone interested in the software mentioned above, or even just general UNIX security, would do good do take a gander at OpenBSD (http://www.openbsd.org). It's based on 4.4 BSD, like most of the Freenixes, and is designed with security foremost in mind. Think of it as FreeBSD after reading "1984". ;-)
It comes with OpenSSH. And Kerberos.
Ooh, and also... stickers! Put them on your box, and maybe the MiBs that break into your house while you're at work won't even bother trying to crack yer system.
Remember: paranoia is good. Anyone with doubts regarding the truth of that statement should check out the Echelon links that have been appearing here lately.
Ciao.
I am the Lord.
I am the Lord.
God Hates Moderators.
Any list, no matter how short, should include a reference to two-party vs. three-party authentication.
SSH and (IIRC) IPsec use two-party authentication. That means anyone can talk to anyone else, but as another article pointed out it also opens the door to "man-in-the-middle" attacks.
Kerberos, digital-certificates and some government sponsored systems use three-party authentication. This puts some limitations on your use, but these are generally reasonable restrictions if you think about it. (E.g., do you really want John Cracker to be able to remote mount your files?) Third-party authentication got a bad rep after some clumsy government posturing with the clipper chip, but it seems that a lot of people lost track of the many places where it's appropriate.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Kerberos is also available for both Red Hat and Debian. Debian has at least three implementations - two European implementations are on non-US, and I've packaged MIT Kerberos 5. (Still no word on when MIT will drop the export nag page, unfortunately.)
OpenSSH is still an excellent choice, but not because it alone supports Kerberos.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Umm. SRP is a password scheme. The OpenSSH people are working on a version of SSH that will use SRP.
That said, SRP by itself provides you no secrect and no protection from TCP connection hijacking.
Note to everyone: People, please don't make references to the "comment above" or derivatives thereof. There are many different modes for showing comments, such as Threaded, Nested, Flat, etc.
They can be sorted Newest First, Oldest First, or Highest Scores first. There are different levels you can set before it spills into index mode. You can change the threshold from -1 to 5. You can have different thresholds for replies. And it goes on and on. Besides, posts accumulate quickly - even with the same settings, it may not be "the one above" if you wait too long before hitting "submit".
So please, if you're going to refer to a post, and it's not one you're replying to, it helps to give the post's ID. That makes things much easier to follow.
Thanks.
There's an SSH version of NiftyTelnet that's really nice. You can't use it in the US, though, due to greedy patent nonsense.
Because the majority of the routers in the default-free zone, don't use IP based auth on SNMP, it's trivial to run a SNMP cracker against them.
Furthermore, there is a 'release' of the IOS 12.x source.
There are dozens of important routers already cracked (some with a modded OS to hide it), even a router or two in MAE-EAST. There are SSH middleman daemons written into hacked IOS bins. The internet is already rooted. These attackers are good, but they still sometimes make mistakes.. It's fun to watch the BGP routes.
This is actually a German translation of this article made with babelfish.altavista.com.
.`?
Trolls aren't very creative these day I must say.
What do we get next?
`strings netscape.core`?
`fortune -a -m
SRP is a protocol, but implementing it is a pain in the ass. You need special versions of login, telnetd, su, and whatever else does authentication. PAM modules fix some of these problems though.
As far as authentication protocols go, SRP is much nicer than ssh because in addition to authenticating the user to the computer, it authenticates the computer to the user. The SSH implementation does have some resistance to man-in-the-middle attacks, by keeping a cache of known host keys, but this doesn't help much the first time you connect. SRP lets you verify that computer you connect to does indeed have an account with your name and password, it doesn't allow man-in-the-middle attacks.
SRP also has this nice session key lying around afterwards that lets you encrypt, but I know of no programs that actually use it.
Anyway, rootshell.com may have been hacked because of an SSH overflow. They've never stated it publicly (don't they believe in full disclosure?), but they clearly implied it and ranted about how SSH Communications lied about this attack.
-----------------------
[10/28/98 8:44AM PDT -- Rootshell Defaced]
On Wed Oct 28th at 5:12AM PST the main Rootshell page was defaced by a group of crackers. Rootshell was first informed of this incident at 6:00 AM PST and the site was immediately brought offline. The site was back up and operational by 8:00AM PST.
We are still in the process of investigating the exact methods that were used. The paranoid MAY want to disable ssh 1.2.26. Rootshell runs Linux 2.0.35, ssh 1.2.26, qmail 1.03, Apache 1.3.3 and nothing else. The attackers used further filesystem corruption to make it harder to remove the damaged HTML files.
More information about SSH may be found at http://www.ssh.fi/sshprotocols2/index.ht ml
rootshell.com - Archive of defaced site.
rootshell.com - Security bulletin #25
----------------------
[11/2/98 8:07AM PST -- IBM ERS responds to Rootshell Security Bulletin #25]
The following was received this morning by Rootshell. IBM maintains that distributing their advisory was irresponsible as no proof of an actual exploit has been found. We maintain that information of a POSSIBLE exploit is still doing a service to our readers and will continue to make information such as this available. This is one of the differences between a service like ERS and Rootshell. Rootshell comments are enclosed in []'s. Since you irresponsibly distributed a draft of our advisory to further your own agenda, perhaps you will now responsibly distribute the following.
A simple telephone call from you before you issued this could have saved us all a lot of hassle.
[ Apparently you do not believe in full disclosure then. ]
--Dave
On Friday, Oct. 30th, IBM-ERS sent out a draft advisory to be released on Monday, Nov. 2nd that described a buffer overflow condition in Version 1.2.x "sshd." This draft was sent to the Forum of Incident Response and Security Teams, and also to the "ssh-bugs" list for their comment/review. The draft was identified as ERS-SVA-E01-1998:005.1.
Rootshell has unfortunately chosen to include a copy of this draft advisory in their recent newsletter, apparently for the purposes of defending itself against charges that it was unfairly disparaging "sshd." Use of IBM-ERS's draft advisory in this manner was not approved or authorized by IBM-ERS, and does a disservice to all.
[ Making the facts known to the public is hardly a disservice. To quote your own advisory. "The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS." ]
Here are the facts about this advisory:
1. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was never issued publicly by IBM.
[ Neither was the Rootshell advisory by your standards. The Rootshell advisory was sent to a private collection of 26,000+ members of the security profession. ]
2. In response to a telephone query from Kit Knox of Rootshell, IBM-ERS attempted to contact Kit on Friday evening, and was unable to reach him. Specific contact information for IBM-ERS, as well as a brief status update, were left on Mr. Knox's voice mail. Mr. Knox never contacted IBM-ERS after that time.
[ Note: Not a single e-mail was received. We live in the digital age folks. My PGP key is also in the key servers if security was a concern. Or don't you trust PGP? ]
3. IBM has been working closely with Tatu Ylonen, author of "ssh," to make sure that the potential vulnerability described in the advisory is not exploitable. Upon further investigation, the problem originally described appears to have been influenced by outside factors and does not appear to be an exploitable problem in "sshd."
[ Rootshell NEVER has made any claims of an actual exploit. ]
4. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was CANCELLED on the morning of Sunday, Nov. 1st, *before* Mr. Knox issued his newsletter.
[ Cancelled to your PRIVATE ~61 member list at FIRST. ]
5. At this time, IBM-ERS has NO KNOWLEDGE of any security vulnerabilities, exploitable or otherwise, in the "sshd" program.
[ We have never said otherwise. ]
We hope that this clarifies IBM's involvement in this situation.
The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, complete- ness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes.
rootshell.com - Security bulletin #25
------------------
[11/5/98 8:44AM -- SSH Admits Buffer Overflow in 1.2.26 client]
This morning SSH Communications Security LTD. released information about a buffer overflow in its ssh 1.2.26 client kerberos code. This came as quite a surprise after SSH was very bullish about there being no buffer overflows in their code. While it is VERY hard to exploit and only works under certain conditions, it is still a valid security hole. PLEASE REMEMBER, ROOTSHELL HAS NEVER STATED THAT THE BREAK-IN WE HAD WAS FROM A SECURITY HOLE IN SSH. Anyone who believes otherwise has read too far into what we have said.
rootshell.com - Official statement from SSH
-
Interesting, that so many folks believe in telnet.
I thought I was the only one.
Now I would like to test my configuration, because I think it's bulletproof.
There is no encryption, no nothing. telnetd operates like "out of the box".
However, I added a security mechanism, that a some (older?) guys may know as the "wizard code".
With a one-letter-password,
I still believe no-one will be able to actually do an "ls" or whatever.
If there is interest, I can explain how it works and how you can install it (on a Linux/Unix system).
Even if you know the code in advance (with 2 lines left out), you will still have problems to successfully login on my main machine.
Anyone willing to take the challenge ?
Nice day Everybody,
george./
Hello, my name is Justin Chapweske and I developed a system called Natz, which is very similar to SRP.
The biggest weakness with Strong Password Authentication protocols like SRP, Natz, and B-SPEKE is that they are vulnerable to a man-in-the-middle attack if the password is known before hand. Thus these systems are worthless for encrypting data to a public resource, like public/anon FTP or a web site.
My biggest issue with SSH is very similar, a man-in-the-middle attack can performed when the server is sending its certificate to the client for the first time.
So basically they both suck, and to this end I have been working on a solution that combines the strengths of both to significantly minimize the cases where a man-in-the-middle attack could be employed.
Oh, BTW, you people that are comparing SRP to SSH based on features don't know what you're talking about. It would be trivial to use SRP allong with SSH or TLS's transport protocols, just using SRP for the authentication/key generation...so quit yacking about SRP not having X-windows tunneling support and whatnot....screw features, its the security thats important.
If you are interested in this, please email me at justin@cyrus.net or continue this thread.
There's one called PuTTY written by some guy named Simon Tatham. I don't remember the URL of where you can get it, but I'm sure a search for putty or an ftp search for putty.exe will turn something up.
Oh yes, it's free, even for commercial use.
Kerberos is also available for both Red Hat and Debian.
. . . and almost every other UNIX or UNIX-like OS, not to mentioned Win32. It's not a system for the undedicated, but if you really need (or think you need) that much security, IMHO it's one of the best solutions.
Debian has at least three implementations - two European implementations are on non-US
Yes, unfortunately most Kerberos uses DES, which will continue to be cumbersome unless the US relaxes their cryto policy. We keep hearing about how this is being discussed (or at least I do; I'm in DC), but we've yet to see any concrete results. Alas...
OpenSSH is still an excellent choice, but not because it alone supports Kerberos.
I never meant to imply that that is why OpenSSH is Good Thing(TM). I mentioned the fact that OpenBSD is packaged with this software because I think that is one reason it's a good OS for learning about "paranoid" (read: good) UNIX security. Of course, you can set up most any *BSD to perform similarly, but OpenBSD prides itself on being secure "out-of-the-box". I am not affiliated with the OpenBSD project, but I do use their OS and value the same things they appear to: free UNIX, strong cryto, and the right to privacy.
Speaking of rights, FREE KEVIN! (What?! He did...? When? Why wasn't I notified? Dammit.) Did I say Free Kevin? I meant... FREE WILLY!
I am the Lord.
I am the Lord.
God Hates Moderators.
Thats called a honeypot.
I did that all the time when I was on the @home cable network. Fake smb shares, fake back orifice (and netbus) server, and a dummy account. I was emailing @home about malicious break-in attempts and c:\ deletion about twice a week. I'm not sure if they took any action though.
Lars -
Dieses ist wirklich eine deutsche Übersetzung dieses Artikels, der mit babelfish.altavista.com gebildet wird.
Trolls sind nicht sehr kreative diese Tag, den ich sagen muß. Was erhalten wir zunächst?
`strings netscape.core`?
`fortune - a - m-. `?
-- ich Unterzeichnung nicht benötige keines stinkin '
Problems with this:
(1) You can't or shouldn't be shutting the machine down. Hell, I get pissed off about rebooting for kernel revs. I'll be damned if I'm taking down a box when I know I can avoid it!
(2) The real problem with breakins is not losing confidential data, but that it gives an intruder more resources to launch further attacks. Every machine that gets owned makes more problems for everyone else out there. Your confidential info should be nowhere close to any unsecured network.
(3) If you have to do any useful work remotely, you need some decent encryption. I'll take exploitable (and fixable) encryption over cleartext seven days a week.
I've hacked boxes before from simple sniffer attacks, grabbing POP3 or telnet logins to gain access, and from there compromising the rest of the box. If you don't have packet-level hardware encryption on your network or WAN, for god's sake, use SSH or some other secure app anytime that you're passing logins & passwords around.
It doesn't matter how much you restrict the rest of the system, if a random box on your network (or any point along your communications route) can see your cleartext going by, you're going to get hit hard.
------------------
"We can categorically state that we have not released man-eating badgers into the area." - Major Mike Shearer, UK
This is exactly what the program does.
Your doubts are justified, I wouldn't believe the whole thing myself. The used algorithmn is at least interesting, but I'd like to do some more work te get it faster before I release the basic priciples
doesn't sound like you know enough math
I'm an educated IT-engeneer, I know enough math for my proffesion. For math advice I go to a guy who does know math better than me, but this guy isn't a programmer.
Bizar technology?
It isn't very hard. Finding primes has little to do with factoring though...
Cheers,
Ben
PS Here is a moderately efficient algorithm in an unefficient language:
#!/usr/bin/perl -w
# primes - generate primes
# Written for the PPT initiative by Jonathan Feinberg.
# The algorithm was substantially modified by Benjamin Tilly.
# See docs for license.
use strict;
#use integer; # faster, but cuts the maxint down
$|++;
my @primes = (2, 3, 5, 7, 11); # None have been tested
my @next_primes = (); # Avoid redoing work
my $VERSION = '1.002';
END {
close STDOUT || die "$0: can't close stdout: $!\n";
$? = 1 if $? == 255; # from die
}
chomp(my $start = @ARGV ? $ARGV[0] : <STDIN>);
my $end = $ARGV[1] || 2**32 - 1;
for ($start, $end) {
s/^\s*\+?(\d{1,10}).*/$1/ || die "$0: $_: illegal numeric format\n";
$_ > 2**32 - 1 && die "$0: $_: Numerical result out of range\n";
}
primes ($start, $end);
exit 0;
sub primes {
my ($start, $end) = @_;
return if $end <= $start;
if ($start <= 2 and 2 < $end) {
print "2\n";
}
$start = 3 if $start == 1; # Don't report 1 as a prime
$end--; # Reindex
# Initialize the list of primes
&more_primes($primes[-1]+1, int(2 * sqrt($end)));
while (scalar @next_primes) {
push @primes, @next_primes;
# Careful, we need to ensure that
# we get a prime past sqrt($end)...
&more_primes($primes[-1]+1, int(2 * sqrt($end)));
}
my $from = $start-1;
my $to = $from;
until ($to == $end) {
$from = $to + 1;
$to = $from + 99999; # By default do 100,000
$to = $end if $end < $to; # Unless I can finish in one pass
&more_primes($from, $to);
print map {"$_\n"} @next_primes; # Print primes
}
}
sub more_primes {
# This adds to the list of primes until it reaches $max
# or the square of the largest current prime (assumed odd)
my $base = shift;
my $max = shift;
my $square = $primes[-1] * $primes[-1];
$max = $square if $square < $max; # Determine what to find primes to
$base++ unless $base % 2; # Make the base odd
$max-- unless $max %2; # Make the max odd
$max = ($max - $base)/2; # Make $max into a count of odds
return @next_primes = () if $max < 0; # Sanity check
my @more = map {0} 0..$max; # Initialize array of 0's for the
# odd numbers in our range
shift @primes; # Remove 2
foreach my $p (@primes) {
my $start;
if ($base < $p * $p) {
$start = ($p * $p - $base)/2; # Start at the square
if ($max < $start) { # Rest of primes don't matter!
last;
}
}
else { # Start at first odd it divides
$start = $base % $p; # Find remainder
$start = $p - $start if $start; # Distance to first thing it divides
$start += $p if $start %2; # Distance to first odd it divides
$start = $start/2; # Reindex for counting over odd!
}
for (my $i = $start; $i <= $max; $i += $p) {
$more[$i] = 1;
}
}
unshift @primes, 2; # Replace 2
# Read off list of primes
@next_primes = map {$_ + $_ + $base} grep {$more[$_] == 0} 0..$max;
}
__END__
=head1 NAME
B<primes> - generate primes
=head1 SYNOPSIS
B<primes> [I<start> [I<stop>]]
=head1 DESCRIPTION
The B<primes> utility prints primes in ascending order, one per line,
starting at or above I<start> and continuing until, but not including
I<stop>. The I<start> value must be at least 0 and not greater than
stop. The I<stop> value must not be greater than 4294967295. The
default value of I<stop> is 4294967295.
When the primes utility is invoked with no arguments, I<start> is read
from standard input. I<stop> is taken to be 4294967295. The I<start>
value may be preceded by a single C<+>. The I<start> value is
terminated by a non-digit character (such as a newline).
=head1 BUGS
B<primes> has no known bugs.
=head1 AUTHOR
The Perl implementation of I<factor> was written by Jonathan Feinberg,
I<jdf@pobox.com> and Benjamin Tilly, I<ben.tilly@alumni.dartmouth.org>.
=head1 COPYRIGHT and LICENSE
This program is copyright (c) Jonathan Feinberg and Benjamin Tilly (1999).
This program is free and open software. You may use, modify, distribute,
and sell this program (and any modified variants) in any way you wish,
provided you do not restrict others from doing the same.
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
As a point of comparison, standard general-purpose math programs such as Mathematica can factor ~20 digit numbers (e 70 bits) on commodity hardware in a fraction of a second.
If you cannot come within shouting range of that, your algorithm is not likely to be interesting. If it does then it would be interesting is to know how your algorithm scales to, say, 30 digit numbers...
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
>Fermat's Last Theorem is unprovable.
This is not correct. It is a statement about the integers which can be formalised in a first order language, so [by Godel's completeness theorem] there is either a proof that it is true, or a proof that it is false. You could write a program which exhaustively searches all possible proofs (and disproofs). Eventually the program must terminate.
perl -e 'fork||print for split//,"hahahaha"'
SSH is to PGP what SSL is to S/MIME, at least as far as key management goes. With SSL & S/MIME, the management is done via a centralized signing authority; with SSH & PGP you build your own database of public keys. All are variants of the public-key cryptography idea. SRP is something new. It is still *asymetric* cryptography, but this time, *both* keys are *secret*. One key is derived directly from the other and is used in a prover/verifier construction (as in zero-knowledge proofs). New with SRP: it is feasible to use the same password on multiple machines because a compromised server, no matter how egregiously compromised, cannot get your password. You do not need to go through the "verify host key" step of SSH -- the host verification hinges off the password! No state is maintained on the client. You get something like the security available with RSA keys in SSH, but using a passphrase you can store in your head. The verifier database is reasonably backward compatible with the traditional /etc/passwd mechanism. (It aims to ultimately replace /etc/passwd, authenticating *users* instead of *client machines* (a la RSA). It simultaneously solves the problems of dictionary attacks (very strongly -- you cannot sniff passwords off the wire for reasons almost as strong as the one-time pad. (You need to do a discrete log for each password checked!) The host does not actually have enough information to log into itself (unlike SSH where the host has to maintain a secret key). SRP is practically bulletproof so long as the /etc/tpasswd file is not compromised. After an /etc/tpasswd compromise (analogous to /etc/passwd) all that can happen is that the attacker can masquerade as the host (which can't be fixed anyway -- if you can't keep a secret you can't be authenticated cryptographically); you still can't masquerade as a client (although a dictionary attack is now weakly feasible). Finally, in the event of a total compromise, you *still* can't recover session data! Thomas Wu has not achieved this by applying conventional asymmetric cryptographic techniques. Actually read his paper before spouting off. (And yes, all this is possible. Read his paper!)
>>With brute force you must have all primes available for checking
/36 ). I'll look into the size of c.
No you don't. A brute force search can just try all possible factors of n up to sqrt(n). BFI is very bad, as it runs in sqrt(n) time (so for a 1024 bit key that's ~ 2^512 computations).
>>The order of searches is about O( c* ( Q - (P+1) )
Even if your analysis of your algorithm is accurate (I doubt it), it's still hideously poor. That's not any better than the BFI in big-oh notation. Also, the 'c' and the '36' don't matter worth a hill of beans in big-oh. Big-oh doesn't care about constant multipliers of the function. So, it would be more proper to say it's "O(Q-(P+1))".
The best factoring algorthim around is the general number field sieve, which runs in
e^(1.923 * (ln n)^(1/3) * (ln(ln n))^(2/3))
time. The e^ part makes it look bad, but the ln's about cancel it out. That's damn fast for factoring, but damn slow for an algorithm, as it still works out to ~ exponential time if you do it off of the # of bits in the key. It's way better than 2^(#bits/2), though.
#define RANT
This is stuff from freshman year CS. There is no magic factoring algorithm. A lot of people way smarter than anybody on slashdot have spent a shitload of time working on this crap. I've heard that under a hundred people in the whole world understand the math behind the number field theory. You certianly ain't one of them.
#undefine RANT
Not that implementation (clearly) but the same program works. It is quite fast per prime found. In fact it is so fast that storing long lists of primes is not done any more - it is faster to calculate them than to read them out of storage!
The barrier is that the number of primes out to n is about n/log(n), and so no matter how quickly you list primes, there are just too many primes to list.
So it is utterly useless for cryptographic purposes.
Cheers,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
I should fix that.
Cheers,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
You can run Terminal Server in admin mode for no additional cost on Windows2000. End-of-the-road for PCAnywhere.
Don't know about the security of this solution -- probably no worse than the other remote admin tools, but Win2K also has the IPSec stuff if you are worried.
Please look into the ease with which a buffer overflow can be exploited. Its extremely, extremely difficult.
Buffer overflows should be fixed, but by no means should you remove an entire security suite due to the suspicion of a buffer overflow.
SSH is secure only if the client has the server's public key with which to authenticate it - and even then there are problems. SSH works in three stages:
1) negotiate an encrypted session with the other party
2) authenticate the other party
3) the client sends the password in the encrypted session.
Clearly, if you can spoof the server you can get the Holy Grail: the real, plaintext password. This is why SSH flashes up big warnings saying "THIS SERVER IS UNAUTHENTICATED: REALLY PROCEED?" when you log on to a server the client hasn't seen before. To which everyone just presses "yes", defeating the so-called security. You can also get the Holy Grail if you can subvert a server to which the target logs on.
Contrariwise, SRP offers real network password security. SRP was designed around the assumption that the normal situation for network security was that people went up to new, vanilla clients and used only their passwords to log on to servers the clients had never seen before, and any protocl that wasn't secure under these assumptions just wasn't secure. SRP does damn cunning public key manipulations to allow the password to be used to verify both the client *and the server*, while only storing a password verifier on the server. Eavesdropping real connections, spoofing clients, or spoofing servers will leave you no better off than when you started; you can't even launch a dictionary attack, in contrast to disastrous protocols like CHAP which don't work for the low-entropy passphrases used in the real world. You can mount a dictionary attack if you subvert the server (this is unavoidable), but that's still more work than just reading the plaintext-equivalent phrase from the password file as is the case with challenge-response protocols; even subverting the server doesn't help.
SRP (and its cousin, B-SPEKE) solved the real, difficult problems of network password security. Accept no substitutes.
I only wish Slashdot didn't prioritise being first over being right so much, so more people could see the good information...
--
Xenu loves you!
The university I went to had a problem with people attaching sniffer's to ports, so they went to a completely switched ethernet network topology for all of the lab terminals. Problem solved. :)
Security always comes down to trust. Do you trust the guy at the other end of the line or not? Can you really not trust ISP networks?
For example, if I am on a cable-modem, and my target is on the same cable-modem network, isn't the data already encrypted end-to-end?
JasonIf I ever find two lifes, I promise, I will give one to you. (fingers crossed)
And to babelfish something back:
And for our French friends:I don't know why, but this site wasn't turning up on my searches. I've been looking for where putty came from from a number of months now.
As a vote of confidence for this particular ssh client, it's a great little program, i've found *no* bugs in it, it's easy to use, and (best of all?) it's open source.
>(though most people don't understand the beauty
> of the alternatives).
A nice cheeseburger is beautiful too, but I wouldn't want to try and deposit one in my bank account.
bullshit I know for a fact of a certian search engine that is a top 25 web site that got hacked through pcAnywhere
OK, thought about this a little.
SRP essentially combines the concept of "Hashed Password" and "Secret Key" into one small, low entropy object: The stored password.
"Dictionary attack" difficulties aside, it's not hard to imagine an intruder running a pre-computation attack against a password file. *However*, the password file *can be* much more secure--crypt() is far less secure than SHA-1, though SHA-1 isn't drastically better than the MD5 passwords deployed on most Linux boxen.
It is moderately unclear through the documentation how the "public verifier" gets distributed; more emphasis should be placed on this. The public verifier, distributed via OOB mechanisms, is *the only* way to get around "first contact" problems. Now, the public verifier can be shared, extended, chained, and so on, but at some point there has to be a Out Of Band(OOB) contact.
Of course, the problem with chains is Entropy Erosion and Failure Amplification--your original entropy never increases, but your risk of compromise *does*.
Another brought up a good point--SSH ideally requires compromise of both a private key(what you have) *and* passphrase(what you know) to experience a critical failure; SRP only requires one. One nice thing is that SRP can mandate that a user have a passphrase; I don't believe SSH has a truly secure method(not client based) to make sure that they don't.
More later, if anyone's still alive in this thread. (Gotta go.)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I am. I'm merging NFS into OpenSSH as a final security project. Email me if you need more info.
(Due to the author's total ineptitude in getting Slashdot to acknowledge his existence as a non-AC, the below post is being repeated. After all, a post that says 'email me' without an email link is useless... unless you're a psychic.)
I'm planning on implementing one as a final project. We'll see how fast we can get it, and whether or not it will be functional.
Disclaimer: The author has been known to be wrong before, and will probably be wrong again some time in the future.
You Have Been Trolled.
You Have Lost.
Have A Nice Day.
You can set up ssh to have per-host keys and shared user ID space. Sure -- just like rlogin with encryption.
But you can use per-user keys just as easily. It's all a matter of choice , which is a Good Thing.
Since SRP isn't about encryption anyway (their website says so), but "only" authentication, then why would I want to use it? If somebody can watch me type and they see my screen output, they don't need a login on my system anyway.
I am suprised this hasn't come up, but it would be more fair to compare srp to kerberos and ssl. Then compare apps based off of those to ssh(like stunnel and kermit.)
Joe
When and only when nice graphical interfaces for Windows, MacOS, etc (ala TeraTerm SSH, SecureCRT, DataFellows SSH, etc) exist for SRP will it be possible for be possible for it to replace SSH: face it fellas, most clients are Windows boxes, and if the clients can't connect to the server securely because either clients don't exist for the OS or the users won't use them because the interfaces suck, who cares if it's secure? Also, SSH is, as far as system integration is concerned, very easy to do.
I used to do things like that when I was inexperienced, and had nothing else better to do.
Now I actually have real security methods.
And, using traps just to report people to ISP's is gay. You sound like a fag who gets his panties in a bundle for getting port scanned.
There are obviously lots of people here who have used the various UN*X and Windoze implementations of SSH. But I have yet to find a tutorial/documentation that _I_ understand about how to set things up so that these generated keys are used (I have OpenSSH installed). Does someone have a link to a less obtuse set of docs?
See Godel's Incompleteness Theorem.
You're right, though, from what I've heard, FLT was proved.
"is there a place where i might read more about ssh -- particularly w/ regard to the above issues and the like -- so that i can 'enlighten' myself :-)"
my first minor issue, is the source is out there and he could very easily obtain it. While I agree that ssh can create a security dogma, ssh does have a few problems that he submited but mainly things like retriveing past sessions once the private key is recovered. And other things that really arnt a direct problem with ssh mainly its a problem with post-intrustion dammage. Just my thoughts.
The only time a man-in-the-middle attack would work with SSH is the first time you connect to a host. Any time after that your SSH client will compare the host's key to what it has stored in ~/.ssh/known_hosts.
Nope, not joking. Goedel also had a Completeness Theorem, which states what the original poster says it does -- that first-order predicate logic is complete. However, I disagree with the poster that you can construct FLT as a sentence of first-order predicate calculus, because I don't think you can get the operation of power, among others, out of FOPC. Therefore, FLT is a sentence of elementary number theory which is not a sentence of FOPC, and is therefore, in principle, the sort of thing which might be unprovable.
To prove I'm not smoking crack, I'll note that there are Diophantine representations of FLT and that Greg Chaitin has shown that there are Diophantine equations which are unprovable in Goedel's sense. FLT is clearly not one of them, but Turing's work shows us that we can't actually prove unprovability about a given theorem. So, FLT might have been unprovable.
BTW, it's difficult to give old KG his umlaut, but at least leave him the dignity of an 'e' after the 'o'. Otherwise the English speaking world will start pronouncing him as "Go - dell", which is already beginning to become a problem.
http://srp.stanford.edu/ states (apparently incorrectly) that http://srp.stanford.edu/srp/
i tical claims that "SRP does not use any RSADSI intellectual property" - nothing about other
"is currently limited to Stanford users pending resolution of patent negotiations"
http://srp.stanford.edu/srp/advantages.html#pol
intellectual property.
I would interpret this as an indication that there might be a patent problem with the SRP algorithm.
This won't work for all man in the middle cases. Consider this:
1)A sends B is public key
C intercepts that key can changes it to his public key
3)B sends A his public key
4)C intercpets and changes
5)A sends C a message encrypted with C's public key.
6)C decrypts and recrypts with B`s public key
7) B sends half the message encrypted.
You get the idea
Remember for this to work A and B have to have no non-seceret knowledge of the other that C does not share, and C needs compete high speed access to the entire data stream. Of course if any step is accomplished where C cannot get it (snail mail? federal crime, but doable. Meeting face to face can be fixed too, with impersonators.)
In the end you have to take some risk. Then again, if A and B know so little about each other and are doing buisness that is sensitive enough to encrypt they probably don't trust each other at all anyway.
Wow. by Anonymous Coward hirself, citing reliable sources on a reliable target, slashdot credibility at its best...
(Not that I have too much faith in the named software...)
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
Those who actually tried to stay within a quasi-legal standing in compiling SSH1 with RSAREF ended up with an insecure implementation. The thing to consider here is... did it buy them much? There is still some question whether using RSAREF actually allows one to avoid licensing issues. I wouldn't be suprised to find more installations of SSH1 today compiled by admins who got fed up with the whole situation.
As a side note, admins working for the US Government have no need to worry about RSA licenses. The US Gov't has an open license to RSA since Government money was used in developing RSA at MIT.
As you can see, the slashdot environment can be very hostile, so I have no reason to publish the source codes.
You just don't get it, do you? You expect Slashdotters to download your binaries off a Geocities site, when you can't even give a decent explanation of what your program does. Then several people with obviously a much greater quantity of brains than you go on to show how your "algorithm" (and I use the term very loosely) is not only logically flawed, but is completely irrelevant, due to the fact that much better programs already exist.
The enviroment isn't "hostile" at all. We tried to have a very rational discussion with you. You lack the mathematical knowledge to clearly explain your "algorithm", so you call us hostile? What gives? A previous poster had a good point: with all of the genius mathematicians and computer scientists that spend their lives studying number theory and cryptoanalysis, an self-proclaimed "IT engineer" (who could be little more than a haughty MSCE) had better be prepared to explain himself when he claims to have discovered an algorithm which can "find primes fast" (bold yours).
"Fast" is relative. "Fast" implies that it's fast compared to modern existing programs. Your examples were piss-poor. Signed 16- and 32-bit numbers are hardly crytographically relevant anymore. Then, you say that you gave the best times out of a few trials. Wow, how scientific of you.
You "have no reason to publish the source codes?" No-one wants them! The only reason someone asked you to post the loops is because you couldn't explain your own concept.
"Hey, guys, I have this really fast algorithm I came up with! You can try my l337 Linux binaries, 'cause I'm so generous! What does it do and how does it work? Well, I can't really explain it... and I don't want to let you see the code, because when top university scientists from around the world discover what a genius I am, I want to be able to talk all the credit. Hey, stop using big words and intelligent sentences, you meanies! Forget it, I'm taking my amazing program and it's amazing source elsewhere!" What a fucking dipshit.
I am the Lord.
I am the Lord.
God Hates Moderators.
I see little evidence for this, and there are lots of hints otherwise. Previous versions of the SRP license contained the warning
The page http://srp.stanford.edu/ says "This link is currently limited to Stanford users pending resolution of patent negotiations. Sorry!"Two years ago I sent email to Thomas Wu asking if it was patented and got no response. Other people I've talked to also are concerned about this.
So while I can't point to clear evidence of patents, I urge great caution with SRP until a definitive answer on this question is provided. I like SRP, but the advantages over SSH are marginal enough that the intellectual property questions are far more important.
On another front, SRP is promoted because it allows users to choose their own easily-remembered passwords. But Bruce Schneier notes that computers are already fast enough to basically search the entire space of passwords that are easy for humans to remember. So if the password file on an SRP server is compromised, the passwords can be cracked if you try hard enough. I'm sure it is very expensive now, but over time the cost of doing this will drop since human memory capacity is not increasing.
--Neal
--Neal
Go IETF!
> I hope you have tongue firmly in cheek [...]
> See Godel's Incompleteness Theorem
Ah, these are two different results. Godel's Completeness Theorem says that any *first order* statement which is true can be proved. "First order statements" are, essentially, mathematical statements which only talk about certain things. Amongst other things, first order statements can't talk about "For all sets such that blah".
On the other hand, there are statements which do include things like "for all sets such that blah " - called second order statements. Godel's *Incompleteness* Theorem says that there are some second order statements which are true but cannot be proven.
My comment was that FLT fits into the first category, so an automated proof is (theoretically) possible. Of course, it would take ages to run!
perl -e 'fork||print for split//,"hahahaha"'
perl -e 'fork||print for split//,"hahahaha"'