Slashdot Mirror
SSH v. SRP
A reader asks, "We've all heard of SSH. My question is whether SSH is really the best option, or the only option? Many security experts and cryptographers believe SSH users may be lulled into a false sense of security, because of some outstanding security issues. An open-source project based at Stanford purports to have solved these problems."
The Stanford group claims SRP to be safe against snooping and immune to reply attacks. SRP exchanges a session key in the process of authentication, provides mutual authentication to resist dictionary attacks, offers what is supposed to be perfect forward secrecy, and does not require the server host to keep any information secure. This comparison of these two technologies should provide food for thought. Can SRP replace SSH? Does it truly offer more security? Is it the better choice? In simple terms, what are *your* thoughts?
This counts a lot in my book, even if SRP is better in some areas, how well is it going to stand up when it starts getting banged arround.
Noel
RootPrompt.org -- Nothing but Unix
kayaking
I know SSH used properly can encrypt your entire session so your entire session would not be suseptible(sp?) to sniffing. Does SRP offer the same? And what about the openssh project?
SSH can protect connections to remote X clients. Can SRP do this too?
-- Mike Greaves
#man ssh
-L port:host:hostport
Specifies that the given port on the local (client)
host is to be forwarded to the given host and port
on the remote side. This works by allocating a
socket to listen to port on the local side, and
whenever a connection is made to this port, the
connection is forwarded over the secure channel,
and a connection is made to host:hostport from the
remote machine. Port forwardings can also be spec-
ified in the configuration file. Only root can
forward privileged ports.
-R port:host:hostport
Specifies that the given port on the remote
(server) host is to be forwarded to the given host
and port on the local side. This works by allocat-
ing a socket to listen to port on the remote side,
and whenever a connection is made to this port, the
connection is forwarded over the secure channel,
and a connection is made to host:hostport from the
local machine. Port forwardings can also be speci-
fied in the configuration file. Privileged ports
can be forwarded only when logging in as root on
the remote machine.
Add tuneling, and I think your points are easily addressed.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Telnet, unlike its "secure" counterparts, is the only communications program that lets you connect to any port of the destination computer, regardless of application protocol.
I would think that SSH is limiting in that manner if you wish to test some daemon or something in security than it would be good. Also each and every public type machine that I have ever used and all unix machines I have never used have never either made ssh avaible or it was not really practal. SSH is only useful if you regularly connect to remote unix machines that support it or you have multiple machines with shell access.
That is simply not an option for me.
Therefore, the question:
Do we want to sacrifice our liberty for the sake of security? Not Thomas Jefferson, nor do I
*partial sarcasm*
Well considering how probably most of the people on slashdot are most likely on the FBI's most wanted list or are agents of the Iranian government trying to export 128 bit RSA I would think that they like it.
*end partial sarcasm*
Slashdot social engineering at it's finest
Even though I haven't used it often, telnet with S/Key login seems to be a great alternative to vanilla telnet.
From what I understand, it's only vulnerable to TCP hijacking (most things are) and dictionary attacks (which can be easily detected or accounts can be configured to be "locked out" after X bad login attempts).
The best one of these is OPIE which can provide a one time pad for telnet, FTP and even su.
Better yet, OpenBSD comes with this feature built into the OS.
What I CAN do is point out that the most dangerous security attitude is "It can't happen to me!" There is no substitute for watching the security web sites, making sure you have applied the latest security patches, and simply being aware of what is happening on your system.
ssh is a definite plus over telnet, and I use it routinely. It is now just as natural to me as using the telnet command was 10 years ago. I'll certainly keep an eye on any new ways of doing things, but it would take a little more than what I have seen so far to make a switch at this time
-----------------------------------------
-----------------------------------------
Computeri non cogitant, ergo non sunt
I would love to use SSH... problem is the machines I have to connect from. Is there any way to use SSH from a windows box. I would install SSH except all of the machines on campus are winblows boxes.
Actually if you look at your local tucows mirror you can get ssh type telnet shells. I know of at least one I saw being used but forgot the name.
Slashdot social engineering at it's finest
which are those? I've been ssh for quite a while, and the only thing I had heard about was a buffer overflow. Are there any questionable architecture design deciscions on ssh?
Also, does anybody have a mirror, it like this site is getting slashdotted already.
I look at SSH and I wonder if the protocol is generic enough to encrypt any stream. If it is, then why not write a ENFS(Encrypted NFS) file system for the kernel? You could theoretically use SSH-like schemes to authenticate and encrypt.
There's been how many bounce attacks and remote security issues with it? I know they designed it to be encrypted, but how about following up on the 'Secure' part of the name! I ended up not running it BECAUSE of the security issues it caused!
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Quick thought on SRP vs SSH. From the quick glance at the SRP web site, it seems to me that SRP only offers secure password transmission and forgoes on packet encryption, offered by SSH. The two solutions differ very much. Therefore I could still be able to sniff yyour traffic and possibly gleam other important info, after the login ( su anyone ??? ). Note, I did only glance at the site while munching my lunch at my desk while troubleshooting a networking issue and chatting on IRC.
47% of all statistics are made up on the spot.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Yes, SecureCRT from VanDyke implements SSH protocol as well as Telnet. Very good terminal emulator.
There is an SSH-Plugin for TeraTerm Pro.
-- "Tradition is the illusion of permanence."
Check out mindterm (a Java SSH implementation) and PuTTY (a Free Windoze Telnet/SSH)
Debian: GNU/Linux done the Linux way
Get TeraTerm Pro (FREE) from any tucows.com site, then go to the TeraTerm homepage, and follow links for a FREE SSH addon for TeraTerm. I've been using it for several years and have not been disappointed.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
For windows, grab Tera Term Pro (which is free), then grab and apply the SSH patch. Like magic you can now ssh from your windows boxes.
-Erik -- --This message was written using 73% post-consumer electrons--
If you want to send data to arbitrary ports, that's what netcat is for. You don't need telnet.
This is the readme of what we use here :
:-)))
= ==================== = ==================== = ====================
$Id: readme.txt 1.13 1998/06/30 13:36:45 c.igaly Exp c.igaly $
SSH Windows Client, version 24-June-1998
PLEASE, READ THIS TEXT. I DO NOT WANT TO SPEND TIME REPEATING SAME THINGS ALL OVER AGAIN.
DISCLAIMER
--------------------
THIS PROGRAM IS FREE. IF YOU ARE NOT HAPPY WITH CONDITIONS OF ITS USE, PLEASE DO NOT USE IT.
Source: You can freely use this program. Source is not available and I am ignoring all e-maill messages with request for it. If you dislike such policy, please feel free not to use it.
This program is distributed AS IS, and as such the author shall not be held liable for any loss of data, down time, loss of revenue or any other direct or indirect damage or claims caused by this program.
This program is not supported and there is no warranty or claim of fitness or reliability. I am trying to fix obvious bugs or improve it from time to time but I have no plans to do this on regular basis.
Bugs: This version is not crashing my system. At least not more than compiler(s) I've used to make it
Crypto Library: This program is using Peter Gutmann's Cryptlib. You can download last version (2.0) from ftp://garbo.uwasa.fi/pc/security/cryptl20.zip. You can alse use older version but this one is not available on garbo.uwasa.fi. Try to look at http://www.doc.ic.ac.uk/~ci2/ssh for alternative location. Beta version 2.1 can also be used. At this moment Blowfish is not working because implementations in SSH and Cryptlib are not compatible. Remember that cryptlib 2.0 is using ODBC so you must have it installed. If you do not want to do that, use cryptlib 1.1 (16- and 32-bit versions) or 2.1 beta version (32-bit version).
===============================================
Cedomir Igaly e-mail: c.igaly@doc.ic.ac.uk
Department of Computing
Imperial College of Science, Technology and Medicine
180 Queen's Gate London SW7 2BZ
United Kingdom
===============================================
pub 1024/DA5CB241 1994/12/19 Cedomir Igaly
Key fingerprint = 73 F2 6D 64 75 13 FE F2 D8 12 10 D4 9C C2 F4 3D
Cedomir Igaly
===============================================
So you send your root password over the internet in cleartext? Now that's living on the edge... of stupidity. Have you ever used a packet sniffer? The output looks like this:
/]$ su -
/root]#
/etc/login.access or something like that you could just remove logins for root or anyone else from certain times. Bango you have removed the problem without expending any problems at all. Or perhaps you just use a complex C++ program that would analyze voice prints (ala Millenium "Forrest Green is People" *snicker*)?
Maybe there's nothing that you care about on the machine. I had a thought I don't know about you but perhaps if you security gets compromised and someone was doing one of these fabled attacks then perhaps you could just shut down the machine or turn it off in the first place?
[anonymous@coward
Password: ontheedge
[root@coward
Who transfers to the root partition as part of their normal access or for su'ing?
Next thing you know, you're taking part in a DDoS attack.
Assuming you edit the file
Slashdot social engineering at it's finest
Works like this... you're host A connecting to host B but the packets go through host C. So unless host A and B have an alternate method to exchange keys, you're vulnerable to having host C replace the key with it's own, so in reality you're talking to host C and it's using a simple form of IP masquarading to make it look as if it's B or A...
So long as host C is the only route between the two (which is suprisingly easy to accomplish) - or through icmp and bgp manipulation makes that the case - you can ensure that host C has access to all the data over the wire even though those two hosts think they now have a trusted connection! Unless you can bypass host C via another path you won't even know it's happening.
Now, let me make this clear: there is no method for you to ensure data integrity over a public network like the internet. You must exchange keys over a secure medium before you can communicate securely over any network unless you can ensure that the entire network is under the same (trusted) administrative domain and have verified that it has not been tampered with (very, very difficult).
So in short: Yeah, SSH has problems. But this new program isn't going to make any leaps forward. You really need a PGP-style distributed key server system where you can verify the key's integrity through a trust network and/or via multiple independent routes / hosts. Otherwise, the alternative is a Kerberos-style system. Unfortunately THAT system has a single point of failure - if the key server is compromised your entire network is compromised. I'm not an expert though on Kerberos, so feedback is appreciated.
That is all,
Sure telnet can connect to any port, this is really great for testing out service "by hand" or to see if xyz host can connect to port xx on host zyx though the firewall. Sure telnet is invaulable for some things, but it is still unsecure.
For example, if you telnet into a server, su to root, do some root work, exit root account, read your email, exit the telnet session. If someone was sniffing your network they would have
1) you login and password
2) ROOTS! login and passowrd!!
3) the IP of the machine your telneted into
4) A rough idea of how you work, what "major" logs, info you check when you fist log on
5) that you girlfriend is pissed at you (via the email)
6) that your boss is pissed at you (via the email)
7) that pretty much anyone that emails you has some bitching to do about something (via the email)
8) how good of a typist you are.
Sure telnet is convent, but is insecure. If you do anytype of remote rooting(TM) you need SSH. I would highly suggest you use SSH for normal remote logs and ALWAYS use SSH when doing remote rooting(TM).
True story, I know a freind that used to go to college part time, and did Jr. level admin stuff for a local company. At school one day he was chilling at the computer lab after class, he got an email at his school's email account saying that their was problems with XYZ on the server at work and all hell was breaking loose. He quickly fired up Windows 95 Telnet, hoped over to the site in normal user mode, looked around and firgured out the problem. The problem needed root access, he shoved up the SU command without a thought, entered the password, fixed the problem, the bosses where happy.
The thing he didn't know was that there was a group of college security nerd playing around in the computer lab at the time, they where developing a Windows 95 ethernet sniffer. It was still beta, but it sure enough grab his password and also ROOT's password!!! They told him about it, and he promptly called an admin on site that changed root's password from the console, but if these security nerds in the computer lab where script kids or malice mother fuckers, who knows what would of happened!!
Sniffing is easy, try sniffit, a easy to use packet sniffer for Linux. When I was on help desk I used to sniff the admin computer and come up with all kinda of neat things. The thing I didn't want to find out though is that %90 of his day was involed in IRC chatting under the #lesbains channel with the nick Amy34Blonde (he was male).
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Yes, SSH has weaknesses and the occasional buffer overflow, but the patches are made fairly quickly, and because of the high number of people using it, there is a high probability that other people will find a bug before it affects you.
SSH is a little more versatile in that it can do port forwarding to make
arbitrary TCP connections secured. It can even be used to support secure PPP
tunnels. SRP on the otherhand is less versatile. Only telnet and ftp seem to
be supported. Someone please correct me if I'm wrong, but as far as I know
SRP does not have any sort of connection forwarding like SSH does.
Another major difference is in licensing. SRP is under the GPL. No official
version of SSH is under a real open source licesense. SSH2 forbids any sort
of commercial use, even internally. SSH1 is slightly less restrictive in
that it allows for commercial use without paying them, but you can only use
it internally. These license restrictions are the reason SSH isn't found in
most linux distros.
However, there is an open source implementation of SSH being developed by
the OpenBSD people at http://www.openssh.org. It is ususably stable in its
current version.
The main thing SRP and SSH have in common is that they require no
infrastructure to be secure. In otherwords, you do not need any sort of key
distribution centers, or any other sort of software besides the daemon
itself and the client program to make everything work. Compare this to say,
Kerberos. Using kerberos, you can have secure connectivity to a machine,
however, there's a lot of additional infrastructure and complexity thrown
in, (such as KDC machines). You'll want to use Kerberos if you have a lot of
machines that will share a common user/password database. Kerberos will let
you log into one machine, say a kerberized workstation, and you'll be able
to securely log into any other machine (via telnet, rlogin, rsh, rcp, ssh,
ftp, pop3...) that's part of the same Kerberos realm without ever having to
type your password (assuming your client software supports Kerberos authentication).
SRP is arguably more secure than SSH, however SSH is a little more widely
implememnted and can be used for more things. If all you need is a secure
telnet and FTP, and the existing clients are suitable for you and you can
trust it (SRP is a litte newer), I'd give it a try.
From the SRP page:
"The Project's primary purpose is to improve network security from the ground up - by integrating secure password authentication into widely-used protocols instead of adding security as an afterthought."
I use PuTTY. a win32 ssh client and have found it works great. Supports color terminals, resizable windows, multiple connections, etc. Plus it's 1 file. No .dll's and it fits on a floppy.... Click here for the home page..... jeff_C
Perhaps the maintainers would care to post something on bugtraq? announcing their new package.
Microsoft aggravates my tourettes syndrome.
SSH on the other hand is a very useful application offering secure communications to another host. Keep in mind that SSH's password authentication happens after the encrypted channel has been set up. This means that the password can only be intercepted if the crypto fails.
SRP's security is based on similar cypro primitives as SSH's, so if the magic crypto hack we're all looking for gets found both will be useless.
If you have an SSL web server(acually you don't need it, but you open yourself to attack if you use plain http)you can use a java ssh applet from MindBright I've been using this for about a year now and it has worked in most recent browsers. It makes life as an admin easy, now I don't have to hand out ssh clients for every OS under the sun, just an URL.
There are strange things done, under the midnight sun by the men who moil for gold - Robert Service
your machine is on the net, MS can probably read your keystrokes anyway.
secureCRT form for download
zow Which also provides for ssh
Slashdot social engineering at it's finest
The main reason I like it is because it's just one .exe file. I always find when I'm in need of ssh there is no ssh-client installed on the machine I'm working on...
PuTTY doesn't waste my time with fancy installshields: you download it and you start it. That's it.
I must admit most of the time I'm working on unix machines, PuTTY is just to fill the gap... :-)
http://www.chiark.greenend.o rg.uk/~sgtatham/putty.html
Erhm, actually, su -, unlike su generates a login shell, not just a regular subshell. This includes resetting your enviornment (as root) and chdiring to the /root directory. It's especially useful on systems where /sbin is only in root's path; with su -, you get /sbin in your path when you su.
If you want to remotely admin a box using an insecure protocol, you're an idiot. Please come back when you have a clue.
I am just wondering if PCAnywhere (and other related NT admining tools) have encryption features comparable to ssh and friends?
Slashdot social engineering at it's finest
I would gladly use SRP... as soon as sourceforge.net uses it on it's servers... as soon as I can use it to log into my shell accounts and cvs repositories instead of SSH. Even if this technology is far superior to SSH, I won't use it until it becomes more standardized.
fixed
So if you run an ISP, or just a webserver, in a few years your 'lusers' will be able to put up their nifty HTML and links to their family and friends' websites without compromising your security ...
Although Win2k comes with IPSec, its not the most obvious of things to set up, so don't expect 'em to be using it right away! Hopefully a default configuration will come along in a few years and we will all be able to surf safely.
p.s. In the meantime, can anyone recommend some international software that I can install to secure my FTP connections? I don't live in America, so I am missing out on all the websites with "download my great secure software" with a .org extension in the URL, not mentioning where they are hosted, cos I don't want the FBI, NSA, or whatever you people have banging on my door one night! So tell me! p.s. I already use PuTTY.
It is free (only as in beer, but better than nothing), small, and stand-alone. That means there are no tied in dlls so you can just put it up on your webpage and pick 'open' so you can have a shell even on locked down windows boxes. Plus it does telnet sessions a lot nicer than windows telnet (yeah, I know, what doesn't) so it makes for a nice 2 in 1.
I have a crippled dummy account set up which I openly telnet or ftp into occasionally. There's no write permission for ftp, the shell does nothing but return a fortune cookie and exit. I do however track all logins and login attempts. I use this account to lure the packet sniffers out of hiding and report them to their ISP. Come and get it boyz. heh heh.
Console run you must type ./pfa where is a product of two primes. Disclaimer is that is only works for signed 64-bit numbers only.
enjoy!
Bizar technology?
People I know use SSH to encrypt their connection. This is nothing but a replacement for RADIUS or TACACS - a means to encrypt your login but not your session.
>I am just wondering if PCAnywhere (and other related NT admining tools) have encryption features comparable to ssh and friends?
pcAnywhere (version 8 at least) provides four types of encryption: Public Key encryption, Symmetric encryption, PcANYWHERE encryption, and No encryption.
The public-key is as good as Windows is. It uses the Microsoft CryptoAPI, and can do 128-bit is your Windows has 128 bit installed (say you installed 128-bit IE, for example).. I haven't set this up, but you need a certificate authority in order to do it, according to their helpfiles.
Symmetric: no information available. Presumably it doesn't send the symmetric key across, but maybe it does. If so, then it's pretty worthless. If not, then how does each side know what the key is? Got me.
pcAnywhere encryption: minimal encryption, according to their own helpfiles. Probably something really simple and easily broken.
None: None, obviously.
Just a little FYI..
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
By the way, I was not being sarcastic at all. Seriously.
Maybe there's nothing that you care about on the machine. I had a thought I don't know about you but perhaps if you security gets compromised and someone was doing one of these fabled attacks then perhaps you could just shut down the machine or turn it off in the first place?
/etc/login.access or something like that you could just remove logins for root or anyone else from certain times. Bango you have removed the problem without expending any problems at all.
If a single machine on a network is compromised, the entire network's security is greatly decreased. If someone cracks my machine, 600 other machines become hugely more vulnerable because the first thing any even vaguely competent script-kiddie is going to do is install a packet sniffer. As for turning machines off if they start being used for DoS attacks - great. I'm sure the remote site will be thrilled that it only took a few hours for you to wake up/get home/notice before pulling the plug. Security is not something that should be dealt with half-heartedly, and if you're not going to care about security then your machine should not be allowed anywhere near the internet.
Who transfers to the root partition as part of their normal access or for su'ing?
That's what su - does.
Assuming you edit the file
You mean block root access at certain times of day? But that would prevent me from doing remote administration at certain times of day, and still does nothing to prevent someone packet sniffing my root password when I do use it. From that point on, I've lost. You should never transmit your root password via telnet unless you trust all the other hosts on your network.
Secondly, if you followed security lists at all, you'd know that encryption attacks are the least succesful way to hack a security tool.
I'm not sure if anyone's mentioned it, but my favorite use for ssh's arbitrary port forwarding is setting up secure X connections. It's a fast, easy, secure way to use all my cool graphical applications while diddling away on the SPARCs in lab. It's also the easiest way I can find to get remote X sessions to tunnel through a masquerading firewall.
The punchline: When srp can automatically do secure X, it'll be ready to replace ssh.
Tetris rules.
putty is nice.. html
Simple, doesn't do port forwarding, just does ssh-terminal connections interface is brain dead, Source available, and it' only a ~210k binary (unextracted- run it right from the floppy)
http://www.chiark.greenend.org.uk/~sgtatham/putty
Why aren't you encrypting your e-mail?
The plug in for tera term is here.
-- Solaris Central - http://w
PuTTY is great. It's open source, works well and includes an SCP client so you don't have to use FTP to transfer files and send your password unencrypted anyway. Did I mention how great it is?
The protocol works this way:
1) A sends B his public key
2) B sends A his public key
3) A encrypts using B's public key and sends half the message to B
4) B encrypts using A's public key and sends half the message to B
5) A sends the other half to B
6) B sends the other half to A
7) Both A and B put the two halves together and decrypt the message with their private keys
If someone is in the middle, he can change the public keys by its own keys, but then in points 3 and 4 he will not be able to pass the real message because it has not been transmitted yet; he will have to invent a completely new message and though the "conversation" will be completely different. This is not a perfect solution since, in fact, he will be able to intercept at least the first messages exchange, but his presence would be detected quickly.
As you pointed, the good solution is to use some kind of trusted third party authentication.
Is there a way to encrypt a windows net drive connect to a samba client? I know ssh and variants allow secure telnet and ftp sessions, but what about secure drive mounting (both windows and nfs)?
telnet is fine as a tool, but telnetd is banned forever in my domain...
We've used telnet over the Internet for over two years as our initial ASP offering (we're readying our web-based application to replace it). That is, we're able to deliver our *nix based enterprise application over the Internet via telnet (as long as we have a maximmum latency of 500 ms, that is). These issues of securing login and packet data had to be addressed for us to convince our Fortune 500 customers to buy into our Internet-based solution.
Combining SRP, for password transmission, and CIPE for complete packet encryption, we're able to provide a reliably secure telnet session.
If we didn't have SRP and CIPE, we'd be SOL.
P.S. At the project's inception in 1996 we could not cost-justify any solution that required a per-user license fee. This threw us into Open Source solutions (and the ability to hack at the source code has proven a marvellous benefit since then).
-- @rjamestaylor on Ello
First of all, I'm absolutely no security expert, the only thing I know is that finding large primes is very hard. So this part of the whole thing kept me busy, I posted it here to get some reactions, maybe some ideas.
Secondly, the binary I posted is not factoring primes, it does a numerical determination, so it won't find them right away, it must search.
Althoug it searches, this searching is done very fast.
Thirdly, I don't care what critics say, as I'll be working on this program to get it even faster, and I will support larger integers in future. I just hope somebody enjoys it.
Bizar technology?
I never denied that SSH suffers occasional buffer overflows - like I said - they get fixed.
SRP has a tiny userbase- you should assume that it also has an equal number of issues waiting to be discovered anf fixed.
Your only other alternatives are telnet/rsh or take your box off the web.
Given those choices, I'll stick with SSH.
You don't have to -- SSH happens to be from Finland. <grin>
ObURL: http://www.ssh.com/about/company/
Cheers,
-j.
It doesn't use much memory (i.e. I think less than 4k)
I'll won't post the source code as I think I'm on to something (and maybe it fails in the end, you never know), if I do succeed, I'll be taking all credits for it.
I'm still doing all sorts of mathematical research to get the program faster, so complexity is growing.
At the moment, complexity is quite low (well it is for me anyway), but it's hard to explain the principle to somebody else (and boy, I tried!)
Bizar technology?
> Also each and every public type machine that I
> have ever used and all unix machines
> I have never used have never either made ssh
> avaible or it was not really practal. SSH is
> only useful if you regularly connect to remote
> unix machines that support it or you have
> multiple machines with shell access.
Well yes of course... ssh is only useful when
connecting to a host that has sshd installed.
Personally, here at work, ALL of our machines
use ssh. Also, any machine that is mine to
administer as I see fit, doesn't even support
telnet...I turn it off.
I think anyone who runs a unix server should
install ssh, and encourage all users to use it.
In fact, wherever even remotely feasable...telnet
should be turned off.
ssh is too easy to use to not support. plaintext
passwords are too easy to sniff to allow.
(I should note that we recently had a user acount
compromised, which we believe was the result of
a password sniff when one of our users was out
of the country and telnet'd in internationally)
-Steve
"I opened my eyes, and everything went dark again"
OpenSSH is a pain in the ass to build/install on many systems especialy those, like Solaris, that have no /dev/random. I have it working at home but there's no way I'm going to install it on all the machines at work.
And, BTW, ssh comes in source form.
As well a firewall shouldn't. The firewall itself has to understand how SSH works. No firewall should just blindly redirect connections. :-) Or is that not what you mean?
Seriously, for machine to machine connection, both of which have SSH clients and servers on them, it works great.
I know this is a troll...however...I just need
to correct the glaring error...
> SSH is an American product. Don't touch it. It's
> bound to be of wretchedly poor quality, because
> US workers are wage slaves with no personal or
> civil rights, and slaves always do lousy work.
Well most of that is somewhat true...no civil
rights, wage slaves (often)...low quality work...
yup that too sometimes...
However... the person you reply to was talking
about OpenSSH. A free software product, which
was developed in Canada, not the US.
> Ever heard of the Greater Fool Theory?
> Capitalism is the Greater Fool Economy. Don't
> be the fool.
I suspect you don't actually believe this.
However, here I have to agree with you...
Capitalism is a pretty pitiful system (though
most people don't understand the beauty of
the alternatives).
Which of course has nothing to do with the topic.
Especially considering OpenSSH exists and was
not (AFAIK) written with capitalist goals in
mind.
"I opened my eyes, and everything went dark again"
BackOrifice provides a secure method of remotely administering a Windows-based PC. It's free, too.
-dan
--Be human.
I too use tera term pro with the ssh add on and it's great. the only problem I find with it is I can't use the ^c ^v cut and paste, you have to use the menus, but that's a minor quibble. Overall I find ttermpro to be very useful.
"A witty saying proves nothing." -Voltaire
The algorithm you're suggesting is mostly a precursor of the current PKIs (I haven't read its reference paper, and don't really have the time to find it, but I wouldn't be surprised to find that it dates back ~RSA publication times).
By definition, at it's worst, a man-in-the-middle attack cannot be blocked/prevented: if A has never met B, there is no way for A to be convinced that she is really talking to B and not to C. If B is in the same situation (having never met A) and is also really speaking with C then although their communication may get from one to the other, it will always be possible for C to see all of it (since C can simply pretend to each of them to be the other player and then decrypt/reencrypt the message).
For trust to be achieved perfectly you will always need an additional piece of information (or mean of identification) in which you can trust... PKI's are one of the possible solutions. In the case of the Rivest-Shamir you're describing both parties must have common knowledge of the message's content prior to starting the algorithm otherwise a middleman could switch messages for it's own. In essence the protocol becomes dependant on the messages's nature and the fact that both players must know it... Two complete strangers could not use it.
But then again, there can't exist a protocol for two complete strangers to identify themselves to one another...
The firewall is a separate issue. I think the original poster is talking about ssh port forwarding which is very handy indeed:
/etc/motd
ssh -L 1234:somehost.com:21 somehost.com tail -f
then
ftp localhost 1234
Voila! Instant secure ftp connection to somehost.com. (passive only). This is a silly example, but it's very handy for Windows boxes that might not have scp.
Perhaps I'm just in a bad mood today, but debunking this sounds fun.
First, the code you posted below, apparently never outputs anything but:
f1 :
f2 :
not a good cypher
cancelled
way :
pfa 0.1 by Frank Joppe (C) Copyright 2000
Usage:
pfa
pfa
--x Hexadecimal input, use lowercase only!
--help This screen
help
from a look at the binary. I'm not quite silly enough to try to run it, but I'm sure someone here on a scratch box will.
Secondly... Define fast? Faster than, say, http://www.entropia.net/prime? They're using a massive distributed effort to factor prime numbers, and it still takes a serious amount of time.
My PIII 600 takes a few weeks to look for factors of (2^8858987)-1 using Lucas-Lehmer's algorithm. If you've got something that can top this, I'm sure a lot of people would like to know....
People like The EFF especially, who is offering up to $250,000 for large prime numbers.
How about some benchmarks, or some documentation on how it works? Or why you're using geocities to distribute it?
- Kevin
Your post is totally off subject. You can use telnet -application- to acconect to any TCP port. When people say telnet is insecure the refer to the telnet -protocol-. You can even use telnet program to connect to the -ssh- port on some host and conduct all your transactions in a secure way if you could just encrypt and decrypt all the data in your head. No one is saying that the application should go away, but people who know about ssh and still use telnet for remote logins should be shot.
The link's broken. Do you by any chance mean GIMPS?
From a purely technical point of view, SSH, when using public key cryptography, is as secure as SRP. In the following list, I don't claim that SRP doesn't do any of these things; I'm merely clarifying what SSH does do.
- SSH keeps a "known hosts" file on the client, to thwart middlemen attacks. SSH warns the user if the server fails to authenticate itself properly.
- SSH encrypts each session with a randomly generated key, which it communicates through a secure connection. Therefore, if a single session key is somehow compromised, all other sessions are still secure.
- Authentication is done either with public/private keys or with a server side authentication mechanism, such as PAM. In the second case, any passwords or other information is transmitted encrypted, and so is secure. In the first case, the password is never transmitted and there is no chance of the user's password on the server being compromised through SSH. The user's password is never used to encrypt a session.
- OpenSSH, OpenSSL, and LSH are all open source, non-commercial projects.
- SSH allows securing of arbitrary ports, and provides extensive port forwarding capabilities. Therefore, any service on a server running SSHD can be secured, as long as the client program can alter the port of the service it is requesting. As an example, to secure an IMAP connection, one would issue: ssh -L 1442:servername:143 servername and then connect with their email client to localhost:1442.
- Although most users of OpenSSH are unaware of the fact, OpenSSL, which is required for OpenSSH, provides a powerful tool for dealing with X.509 certificates. With OpenSSL, you can encrypt, generate hashes, generate certificates, generate certificate requests, and perform a large number of other security-related actions. OpenSSL documentation is extremely sparce, and due to the complexity of X.509, using OpenSSL tools can be difficult; this is probably the primary reason why most people are oblivious to OpenSSL capabilities.
- OpenSSL is the basis for a number of port wrapping tools, such as sslwrap. With these tools, you can provide secure sockets to services such as HTTP, IMAP, telnet, and POP. Many clients, such as Netscape, understand secure sockets, and several ports are defined as "well known ports" for these secure services. (EG: IMAP's secure port is 993, and Netscape Communicator knows and can take advantage of this).
- Using public keys with SSH simplifies accessing services, so that 'ssh' and 'scp' are as easy to use as 'rsh' and 'rcp'. This is slightly less secure on a shared client, because the private key is held in the client memory during a login session, and is subject to core dump attacks. If the client machine is not shared, this is not an issue.
- OpenSS[HL] doesn't require using RSA algorithms; in fact, you can choose from any number of non-commercial algorithms.
The SRP site claims that there are several "advantages" to using SRP, but never says what these advantages are in relation to. In particular, the SRP site does not claim that SRP is more secure than SSH. SRP is certainly more secure that vanilla telnet, but I see no advantage to using SRP over SSH. The obvious advantage to using SSH over SRP is that SSH is ubiquitous, and well tested.Please, if anyone knows any way in which SRP is superior to SSH, I'd like to know.
Actually we as a country all sacrifice liberty for security. Do you have locks on your doors. Passwords into your computers? I thought so. Any company is going to use the most secure option available. That's just a fact of living in a capitalistic country. BTW throwing quotes around like that defintitely makes me question the validity of you being in Guiness. And another thing, Fermant's last theorem HAS been proven.
I'm the big fish in the big pond bitch.
The comment above that shares the below disclaimer is actually from me. What I get for playing with the anonymous button... sigh. Disclaimer: The author has been known to be wrong before, and will probably be wrong again some time in the future. The author is also non-deterministic. Deal with it.
Disclaimer: The author has been known to be wrong before, and will probably be wrong again some time in the future.
No, you're wrong. Finding large primes is quite easy. If it weren't, we'd have an awful hard time doing many of the current encryption algorithms.
What's hard is factoring large composite numbers that are the product of two large primes.
It's not clear what you're saying your program does: does it factor numbers, or is it a program that searches for prime numbers? It would be pretty hard to believe that you've got anything efficient for the first, and the second is just not too hard to do (although to be blunt it doesn't sound like you know enough math to make something efficient for this one either...).
Huh, I say, Huh?!?
When you telnet to a specific port you are just connecting a socket to it and passing stdin to it and passing what comes out of it to stdout. If you had to write this from scratch it would be about 150 lines of C code (and many fewer lines of perl or Java code). You aren't "sacrificing telnet" to use ssh!
The rest of telnet is support for terminal emulation and some terminal capabilties negotiation at start up, all of which works only when talking to telnetd, and none of which comes into play when connecting to any other port (unless, of course, you're connecting to telnetd on another port).
A later poster complains that ssh is only useful for shell accounts. Absurd. You can do arbitrary port forwarding through ssh, turning ANY network service into an encrypted service. It is a VERY handy way to create a secure opening through a firewall:
Machine A is behind a firewall that forbids incoming connections.
Machine B is out on the internet.
You want to use a service on machine A from machine C (another machine out on the internet).
Machine A can make an outbound ssh connection to machine B and tell machine B to open port 3500 on B for listen and to "tunnel" it to port 80 on machine A.
Machine C can then type this URL into his browser:
http://[machine B's address]:3500/
This will connect to port 3500 on machine B (obviously), but less obvious is that machine B will forward all traffic encrypted over the SAME ssh socket Machine A has open to B. No one observing the traffic between A and B will know that machine C sent traffic to machine A, nor will they be able to tell that more than one "conversation" is taking place over the single link.
SSH is not sacrificing freedom, it is enabling freedom. No, I won't use SSH2 (which is a close commercial product), but I certainly will use SSH1 and OpenSSH.
SSH is a major tool for flexibility,
rsync can transfer files over encrypted ssh connections. (http://rsync.samba.org)...an NFS would be too slow..however secure NFS (via secure ports) has been developed and is available for linux..its included in my distro (redhat).
That's just a fact of living in a capitalistic country.
No, it is a fact of living in ANY human society in which man's life is not valued. Therefore, it is a fact of life in socialist, communist, fascist, dictatorships, theocracies, and in the U.S., which is in fact a mixed economy -- not a true capitalistic country. In fact, of all these, capitalism is the only one that comes close to respecting men's lives and their rights to control their lives and their work.
--
I could block serverxyz from the network, rename my server to serverxyz and be able to do a spoof because there are no pre-defined keys that could be authenticated otherwise to show that I'm not.
You're thinking of TTSSH. When I have to use a random Windows box and I need SSH, this is what I download and use.
-----
The real meaning of the GNU GPL:
The real meaning of the GNU GPL:
"The Source will be with you... Always."
SRP does the first step of keeping the initial authentication secret. Since both sides then have a secret random number as a side effect of SRP, it would be possible to use a collision resistent one-way hash to "sign" future packets. However, as far as I can tell, no implimentation of SRP currently accomplish signing of future packets. The last point can't be addressed while still meeting SRP's goals of not using encryption. This becomes a problem when legacy authenitication methods are used withen the SRP authenticated session. For example, withen an SSH encrypted stream, the "su" application can be run without revealing the password in clear text and without the application needing to be altered. SRP on the other hand only can address this if your willing to replace the "su" application and all other authentication applications to be used withen the session (passwd, DBA tools, etc.) via SRP based ones. In some cases, such as with database tools, an SRP replacement may not be possible. Therefore, SRP has it's own political problem of: is all your authentication application vendors accepting enough of SRP to provide you with an SRP aware version of their application? You may find that depending on what country you live in, the politics of SRP acceptence is far worse problem then the politics behind encryption.
That all having been said, I am impressed by SRP and would like to see it submitted to the W3C for use in future revisions in the HTTP standard. There are several cases that I'm aware of that keeping the password private is important but the data isn't sensative enough to warrent the overhead of SSL.
The main advantage to SRP is that it uses a simple password to authenticate, instead of requiring the user to carry around a public/private keypair with them as they move around (in other words, there's no client-side setup required beyond the installation of an SRP-capable client app). This can be the same password as the regular UNIX account password, although it's hashed in a different format and so SRP can't be used with existing password files. I've written a plugin crypt module for a replacement to FreeBSD's libcrypt which teaches crypt() how to speak SRP hashed passwords, so if you do something like this then everything else (non-SRP apps like login) will authenticate just fine. There's also an SRP PAM module floating around.
/etc/tpasswd file and brute-force attack that.
Security-wise, the authentication protocol has been well investigated, and as far as I know it's stood up fine so far - no serious weaknesses have been discovered.
On the other hand, the SSH v1 protocol as implemented by OpenSSH and all other SSH v1 implementations has an insertion attack which allows the insertion of data into the stream because of insecure integrity protection (it uses a weak checksum). The SSH2 protocol fixes the design flaws in SSH1 (as well as allowing other key exchange schemes than RSA) but OpenSSH doesn't speak it (since it's based on an old SSH 1.x distribution). Hopefully this will change in the near future.
As part of the SRP authentication handshake, a session key can be shared which allows the rest of the session to be encrypted. So SRP provides for authentication as well as secrecy, like SSH does.
SRP is just an algorithm - there's nothing preventing someone from creating a SSH-like app which authenticates using SRP, and then provides all of the port-forwarding features which SSH does. This would be quite useful, actually, and is something I'm hoping to do when I get around to bringing native SRP capability into FreeBSD.
The major downside to SRP is that the authentication is only as strong as your passphrase. But on the other hand, this is true as well in SSH if you can get a hold of someone's encrypted private key (if they carry it around with them on a floppy so they can log in from random hosts, for example). This can be mitigated by enforcing strong passphrase selection on the SRP server. An attacker sniffing the authentication exchange cannot obtain any data which is useful for determining the passphrase, even by a brute-force dictionary attack - you have to obtain access to the
The Stanford SRP distribution is distributed under a BSD-style license. This is good for most people (e.g. commercial users who want to add SRP support to their products, etc), but it may prohibit the code from being incorporated into a larger GPLed program (because of the GPL's "no other restrictions" clause and the BSDL's "must give acknowledgement" clause). Consult your lawyer..
On the whole, SRP is more practical to implement because it doesn't require per-user client-side configuration. In most ways it seems to be a superior solution which is just awaiting wider adoption.
Now, is forcing someone to *only* allow logins when using a key really solving any problem? If you need to get in to your box from somewhere and you don't have time to do so otherwise, then login using password. If you have something so secure on your box that password is not acceptable (your paraniod and should never use ecom either 8-}) then just configure sshd so that it doesn't allow password logins.
Besides, in most systems, the cyrpto that you use for remote administration is surely the least of your worries. Why not switch to OpenBSD so that you can sleep at night?
OpenBSD: Secure by Default... Ships with SSH
It's not complete, and it's not meant to be.
Maybe this will help make it more so: homepages for some of the software you discuss.
Anyone interested in the software mentioned above, or even just general UNIX security, would do good do take a gander at OpenBSD (http://www.openbsd.org). It's based on 4.4 BSD, like most of the Freenixes, and is designed with security foremost in mind. Think of it as FreeBSD after reading "1984". ;-)
It comes with OpenSSH. And Kerberos.
Ooh, and also... stickers! Put them on your box, and maybe the MiBs that break into your house while you're at work won't even bother trying to crack yer system.
Remember: paranoia is good. Anyone with doubts regarding the truth of that statement should check out the Echelon links that have been appearing here lately.
Ciao.
I am the Lord.
I am the Lord.
God Hates Moderators.
I was being quite serious. BackOrifice is a more secure way of remote administering a machine than PCAnywhere, if only because it is open source.
Security through obscurity is not security at all.
--Be human.
Any list, no matter how short, should include a reference to two-party vs. three-party authentication.
SSH and (IIRC) IPsec use two-party authentication. That means anyone can talk to anyone else, but as another article pointed out it also opens the door to "man-in-the-middle" attacks.
Kerberos, digital-certificates and some government sponsored systems use three-party authentication. This puts some limitations on your use, but these are generally reasonable restrictions if you think about it. (E.g., do you really want John Cracker to be able to remote mount your files?) Third-party authentication got a bad rep after some clumsy government posturing with the clipper chip, but it seems that a lot of people lost track of the many places where it's appropriate.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Kerberos is also available for both Red Hat and Debian. Debian has at least three implementations - two European implementations are on non-US, and I've packaged MIT Kerberos 5. (Still no word on when MIT will drop the export nag page, unfortunately.)
OpenSSH is still an excellent choice, but not because it alone supports Kerberos.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
> So, why can't I get my university to install SSH
>clients on all the desktops that we use to
> connect to our unix servers?
If the desktops are unix boxen...then they
should get their asses in gear and install
openssh (IMHO)
however...for Windows boxes...licencing can be
expensive. Here we have a SecureCRT licence pool
and ar eletting students and faculty get copies...
I have no idea what its costing the
University though.
Hopefully someday telnet will fall into disuse and
we can stop supporting it.
"I opened my eyes, and everything went dark again"
Note to everyone: People, please don't make references to the "comment above" or derivatives thereof. There are many different modes for showing comments, such as Threaded, Nested, Flat, etc.
They can be sorted Newest First, Oldest First, or Highest Scores first. There are different levels you can set before it spills into index mode. You can change the threshold from -1 to 5. You can have different thresholds for replies. And it goes on and on. Besides, posts accumulate quickly - even with the same settings, it may not be "the one above" if you wait too long before hitting "submit".
So please, if you're going to refer to a post, and it's not one you're replying to, it helps to give the post's ID. That makes things much easier to follow.
Thanks.
The program i use that is quite nice is puTTY. It does telnet and ssh connections, and has a windows secure copy available called pscp that i use instead of ftp all the time.. i'm not sure what the web site address is, but i know if you search for "putty ssh"o an altavista you'll find it.
There's an SSH version of NiftyTelnet that's really nice. You can't use it in the US, though, due to greedy patent nonsense.
I too use tera term pro with the ssh add on and it's great. the only problem I find with it is I can't use the ^c ^v cut and paste, you have to use the menus, but that's a minor quibble
Strangely enough, the Cut and Paste shortcut keys in Tera Term are... Alt-C, and Alt-V. Can be kind of confusing when you're switching back and forth cutting and pasting..
--- Where's my X.400 protocol decoder?
This is actually a German translation of this article made with babelfish.altavista.com.
.`?
Trolls aren't very creative these day I must say.
What do we get next?
`strings netscape.core`?
`fortune -a -m
SRP is a protocol, but implementing it is a pain in the ass. You need special versions of login, telnetd, su, and whatever else does authentication. PAM modules fix some of these problems though.
As far as authentication protocols go, SRP is much nicer than ssh because in addition to authenticating the user to the computer, it authenticates the computer to the user. The SSH implementation does have some resistance to man-in-the-middle attacks, by keeping a cache of known host keys, but this doesn't help much the first time you connect. SRP lets you verify that computer you connect to does indeed have an account with your name and password, it doesn't allow man-in-the-middle attacks.
SRP also has this nice session key lying around afterwards that lets you encrypt, but I know of no programs that actually use it.
-
Interesting, that so many folks believe in telnet.
I thought I was the only one.
Now I would like to test my configuration, because I think it's bulletproof.
There is no encryption, no nothing. telnetd operates like "out of the box".
However, I added a security mechanism, that a some (older?) guys may know as the "wizard code".
With a one-letter-password,
I still believe no-one will be able to actually do an "ls" or whatever.
If there is interest, I can explain how it works and how you can install it (on a Linux/Unix system).
Even if you know the code in advance (with 2 lines left out), you will still have problems to successfully login on my main machine.
Anyone willing to take the challenge ?
Nice day Everybody,
george./
Hello, my name is Justin Chapweske and I developed a system called Natz, which is very similar to SRP.
The biggest weakness with Strong Password Authentication protocols like SRP, Natz, and B-SPEKE is that they are vulnerable to a man-in-the-middle attack if the password is known before hand. Thus these systems are worthless for encrypting data to a public resource, like public/anon FTP or a web site.
My biggest issue with SSH is very similar, a man-in-the-middle attack can performed when the server is sending its certificate to the client for the first time.
So basically they both suck, and to this end I have been working on a solution that combines the strengths of both to significantly minimize the cases where a man-in-the-middle attack could be employed.
Oh, BTW, you people that are comparing SRP to SSH based on features don't know what you're talking about. It would be trivial to use SRP allong with SSH or TLS's transport protocols, just using SRP for the authentication/key generation...so quit yacking about SRP not having X-windows tunneling support and whatnot....screw features, its the security thats important.
If you are interested in this, please email me at justin@cyrus.net or continue this thread.
i am afraid of lab machines. even if an implementation of ssh were available, that's no guarantee of any security. how could you tell that there isn't a keystroke logger installed on the machine?
- pal
Putty (http://www.chiark.greenend.org.uk/~sgtatham/putt
Not perfect, but good.
--
--
The Internet is the Suppository of All Knowledge. You get it in the end.
Kerberos is also available for both Red Hat and Debian.
. . . and almost every other UNIX or UNIX-like OS, not to mentioned Win32. It's not a system for the undedicated, but if you really need (or think you need) that much security, IMHO it's one of the best solutions.
Debian has at least three implementations - two European implementations are on non-US
Yes, unfortunately most Kerberos uses DES, which will continue to be cumbersome unless the US relaxes their cryto policy. We keep hearing about how this is being discussed (or at least I do; I'm in DC), but we've yet to see any concrete results. Alas...
OpenSSH is still an excellent choice, but not because it alone supports Kerberos.
I never meant to imply that that is why OpenSSH is Good Thing(TM). I mentioned the fact that OpenBSD is packaged with this software because I think that is one reason it's a good OS for learning about "paranoid" (read: good) UNIX security. Of course, you can set up most any *BSD to perform similarly, but OpenBSD prides itself on being secure "out-of-the-box". I am not affiliated with the OpenBSD project, but I do use their OS and value the same things they appear to: free UNIX, strong cryto, and the right to privacy.
Speaking of rights, FREE KEVIN! (What?! He did...? When? Why wasn't I notified? Dammit.) Did I say Free Kevin? I meant... FREE WILLY!
I am the Lord.
I am the Lord.
God Hates Moderators.
16-bit composites can be decomposed into prime factors in much, much, much less than a second. Assuming that the worst case scenario of two 8-bit prime factors holds, a naive brute force test all primes up to sqrt() factoring algorithm takes about 8000 cycles to factor the number (checked using the pentium RTDSC instruction).
Thats called a honeypot.
I did that all the time when I was on the @home cable network. Fake smb shares, fake back orifice (and netbus) server, and a dummy account. I was emailing @home about malicious break-in attempts and c:\ deletion about twice a week. I'm not sure if they took any action though.
Lars -
With brute force you must have all primes available for checking, this algorithmn doesn't have these available. It's just a very directive search.
Could you please at least post the inner loop to the web page
There are actually two inner loops (this is a four-way search). Posting either of the loops, or even posting both is pointless as long as you don't know the basic idea behind it.
The most outer loop is the slowest one (and this is the point I'm still working on).
I've done a web site on the explanation of the algorithmn, if I have time, I'll rewrite the thing in more cold-blooded manner (it's too enthousiastic now), and mirror it on a geocities web-site, or any other site which is free.
The order of searches is about O( c* ( Q - (P+1) ) /36 ). I'll look into the size of c.
Bizar technology?
tera term pro
Lars -
The concept of stronger security through Open Source is strange to some, but in time we will be vindicated. Closed-source security stagnates. That's why M$ will *still* be releasing security patches for NT4 long after Linux security problems will have become almost a nonissue (on the OS side).
Jesus says, "If a thousand monkey coders hacked for a thousand years, the monkey coder community would produce a Secure OS. This is the power of Open-Source."
I'm going to stop ranting now. I'm starting to sound like ESR on [more] crack.
I am the Lord.
I am the Lord.
God Hates Moderators.
Problems with this:
(1) You can't or shouldn't be shutting the machine down. Hell, I get pissed off about rebooting for kernel revs. I'll be damned if I'm taking down a box when I know I can avoid it!
(2) The real problem with breakins is not losing confidential data, but that it gives an intruder more resources to launch further attacks. Every machine that gets owned makes more problems for everyone else out there. Your confidential info should be nowhere close to any unsecured network.
(3) If you have to do any useful work remotely, you need some decent encryption. I'll take exploitable (and fixable) encryption over cleartext seven days a week.
I've hacked boxes before from simple sniffer attacks, grabbing POP3 or telnet logins to gain access, and from there compromising the rest of the box. If you don't have packet-level hardware encryption on your network or WAN, for god's sake, use SSH or some other secure app anytime that you're passing logins & passwords around.
It doesn't matter how much you restrict the rest of the system, if a random box on your network (or any point along your communications route) can see your cleartext going by, you're going to get hit hard.
------------------
"We can categorically state that we have not released man-eating badgers into the area." - Major Mike Shearer, UK
1. The primes were 16-bit, not the composites
2. The algorithmn starts 4 threads, take the time for this startup in account.
Bizar technology?
This is exactly what the program does.
Your doubts are justified, I wouldn't believe the whole thing myself. The used algorithmn is at least interesting, but I'd like to do some more work te get it faster before I release the basic priciples
doesn't sound like you know enough math
I'm an educated IT-engeneer, I know enough math for my proffesion. For math advice I go to a guy who does know math better than me, but this guy isn't a programmer.
Bizar technology?
It isn't very hard. Finding primes has little to do with factoring though...
Cheers,
Ben
PS Here is a moderately efficient algorithm in an unefficient language:
#!/usr/bin/perl -w
# primes - generate primes
# Written for the PPT initiative by Jonathan Feinberg.
# The algorithm was substantially modified by Benjamin Tilly.
# See docs for license.
use strict;
#use integer; # faster, but cuts the maxint down
$|++;
my @primes = (2, 3, 5, 7, 11); # None have been tested
my @next_primes = (); # Avoid redoing work
my $VERSION = '1.002';
END {
close STDOUT || die "$0: can't close stdout: $!\n";
$? = 1 if $? == 255; # from die
}
chomp(my $start = @ARGV ? $ARGV[0] : <STDIN>);
my $end = $ARGV[1] || 2**32 - 1;
for ($start, $end) {
s/^\s*\+?(\d{1,10}).*/$1/ || die "$0: $_: illegal numeric format\n";
$_ > 2**32 - 1 && die "$0: $_: Numerical result out of range\n";
}
primes ($start, $end);
exit 0;
sub primes {
my ($start, $end) = @_;
return if $end <= $start;
if ($start <= 2 and 2 < $end) {
print "2\n";
}
$start = 3 if $start == 1; # Don't report 1 as a prime
$end--; # Reindex
# Initialize the list of primes
&more_primes($primes[-1]+1, int(2 * sqrt($end)));
while (scalar @next_primes) {
push @primes, @next_primes;
# Careful, we need to ensure that
# we get a prime past sqrt($end)...
&more_primes($primes[-1]+1, int(2 * sqrt($end)));
}
my $from = $start-1;
my $to = $from;
until ($to == $end) {
$from = $to + 1;
$to = $from + 99999; # By default do 100,000
$to = $end if $end < $to; # Unless I can finish in one pass
&more_primes($from, $to);
print map {"$_\n"} @next_primes; # Print primes
}
}
sub more_primes {
# This adds to the list of primes until it reaches $max
# or the square of the largest current prime (assumed odd)
my $base = shift;
my $max = shift;
my $square = $primes[-1] * $primes[-1];
$max = $square if $square < $max; # Determine what to find primes to
$base++ unless $base % 2; # Make the base odd
$max-- unless $max %2; # Make the max odd
$max = ($max - $base)/2; # Make $max into a count of odds
return @next_primes = () if $max < 0; # Sanity check
my @more = map {0} 0..$max; # Initialize array of 0's for the
# odd numbers in our range
shift @primes; # Remove 2
foreach my $p (@primes) {
my $start;
if ($base < $p * $p) {
$start = ($p * $p - $base)/2; # Start at the square
if ($max < $start) { # Rest of primes don't matter!
last;
}
}
else { # Start at first odd it divides
$start = $base % $p; # Find remainder
$start = $p - $start if $start; # Distance to first thing it divides
$start += $p if $start %2; # Distance to first odd it divides
$start = $start/2; # Reindex for counting over odd!
}
for (my $i = $start; $i <= $max; $i += $p) {
$more[$i] = 1;
}
}
unshift @primes, 2; # Replace 2
# Read off list of primes
@next_primes = map {$_ + $_ + $base} grep {$more[$_] == 0} 0..$max;
}
__END__
=head1 NAME
B<primes> - generate primes
=head1 SYNOPSIS
B<primes> [I<start> [I<stop>]]
=head1 DESCRIPTION
The B<primes> utility prints primes in ascending order, one per line,
starting at or above I<start> and continuing until, but not including
I<stop>. The I<start> value must be at least 0 and not greater than
stop. The I<stop> value must not be greater than 4294967295. The
default value of I<stop> is 4294967295.
When the primes utility is invoked with no arguments, I<start> is read
from standard input. I<stop> is taken to be 4294967295. The I<start>
value may be preceded by a single C<+>. The I<start> value is
terminated by a non-digit character (such as a newline).
=head1 BUGS
B<primes> has no known bugs.
=head1 AUTHOR
The Perl implementation of I<factor> was written by Jonathan Feinberg,
I<jdf@pobox.com> and Benjamin Tilly, I<ben.tilly@alumni.dartmouth.org>.
=head1 COPYRIGHT and LICENSE
This program is copyright (c) Jonathan Feinberg and Benjamin Tilly (1999).
This program is free and open software. You may use, modify, distribute,
and sell this program (and any modified variants) in any way you wish,
provided you do not restrict others from doing the same.
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
Takes 0.27 seconds on my Celeron 466 (best time after a couple of retrials).
Note, 4 threads are started here, so I don't know the exact computing time. I'm deeply ashamed, but just found out there's an infinite loop in the prog. This shouldn't happen too often though, but I'll look into it.
Bizar technology?
Stop posting anonymously, give me your E-mail, do this thing quiet.
Bizar technology?
As a point of comparison, standard general-purpose math programs such as Mathematica can factor ~20 digit numbers (e 70 bits) on commodity hardware in a fraction of a second.
If you cannot come within shouting range of that, your algorithm is not likely to be interesting. If it does then it would be interesting is to know how your algorithm scales to, say, 30 digit numbers...
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
>Fermat's Last Theorem is unprovable.
This is not correct. It is a statement about the integers which can be formalised in a first order language, so [by Godel's completeness theorem] there is either a proof that it is true, or a proof that it is false. You could write a program which exhaustively searches all possible proofs (and disproofs). Eventually the program must terminate.
perl -e 'fork||print for split//,"hahahaha"'
Nobody says you have to get rid of telnet. Just telnetd.
--
"L'IT c'est moi!"
>>With brute force you must have all primes available for checking
/36 ). I'll look into the size of c.
No you don't. A brute force search can just try all possible factors of n up to sqrt(n). BFI is very bad, as it runs in sqrt(n) time (so for a 1024 bit key that's ~ 2^512 computations).
>>The order of searches is about O( c* ( Q - (P+1) )
Even if your analysis of your algorithm is accurate (I doubt it), it's still hideously poor. That's not any better than the BFI in big-oh notation. Also, the 'c' and the '36' don't matter worth a hill of beans in big-oh. Big-oh doesn't care about constant multipliers of the function. So, it would be more proper to say it's "O(Q-(P+1))".
The best factoring algorthim around is the general number field sieve, which runs in
e^(1.923 * (ln n)^(1/3) * (ln(ln n))^(2/3))
time. The e^ part makes it look bad, but the ln's about cancel it out. That's damn fast for factoring, but damn slow for an algorithm, as it still works out to ~ exponential time if you do it off of the # of bits in the key. It's way better than 2^(#bits/2), though.
#define RANT
This is stuff from freshman year CS. There is no magic factoring algorithm. A lot of people way smarter than anybody on slashdot have spent a shitload of time working on this crap. I've heard that under a hundred people in the whole world understand the math behind the number field theory. You certianly ain't one of them.
#undefine RANT
Not that implementation (clearly) but the same program works. It is quite fast per prime found. In fact it is so fast that storing long lists of primes is not done any more - it is faster to calculate them than to read them out of storage!
The barrier is that the number of primes out to n is about n/log(n), and so no matter how quickly you list primes, there are just too many primes to list.
So it is utterly useless for cryptographic purposes.
Cheers,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
I should fix that.
Cheers,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
Please look into the ease with which a buffer overflow can be exploited. Its extremely, extremely difficult.
Buffer overflows should be fixed, but by no means should you remove an entire security suite due to the suspicion of a buffer overflow.
SSH is secure only if the client has the server's public key with which to authenticate it - and even then there are problems. SSH works in three stages:
1) negotiate an encrypted session with the other party
2) authenticate the other party
3) the client sends the password in the encrypted session.
Clearly, if you can spoof the server you can get the Holy Grail: the real, plaintext password. This is why SSH flashes up big warnings saying "THIS SERVER IS UNAUTHENTICATED: REALLY PROCEED?" when you log on to a server the client hasn't seen before. To which everyone just presses "yes", defeating the so-called security. You can also get the Holy Grail if you can subvert a server to which the target logs on.
Contrariwise, SRP offers real network password security. SRP was designed around the assumption that the normal situation for network security was that people went up to new, vanilla clients and used only their passwords to log on to servers the clients had never seen before, and any protocl that wasn't secure under these assumptions just wasn't secure. SRP does damn cunning public key manipulations to allow the password to be used to verify both the client *and the server*, while only storing a password verifier on the server. Eavesdropping real connections, spoofing clients, or spoofing servers will leave you no better off than when you started; you can't even launch a dictionary attack, in contrast to disastrous protocols like CHAP which don't work for the low-entropy passphrases used in the real world. You can mount a dictionary attack if you subvert the server (this is unavoidable), but that's still more work than just reading the plaintext-equivalent phrase from the password file as is the case with challenge-response protocols; even subverting the server doesn't help.
SRP (and its cousin, B-SPEKE) solved the real, difficult problems of network password security. Accept no substitutes.
I only wish Slashdot didn't prioritise being first over being right so much, so more people could see the good information...
--
Xenu loves you!
The university I went to had a problem with people attaching sniffer's to ports, so they went to a completely switched ethernet network topology for all of the lab terminals. Problem solved. :)
Security always comes down to trust. Do you trust the guy at the other end of the line or not? Can you really not trust ISP networks?
For example, if I am on a cable-modem, and my target is on the same cable-modem network, isn't the data already encrypted end-to-end?
JasonIf I ever find two lifes, I promise, I will give one to you. (fingers crossed)
And to babelfish something back:
And for our French friends:I don't know why, but this site wasn't turning up on my searches. I've been looking for where putty came from from a number of months now.
As a vote of confidence for this particular ssh client, it's a great little program, i've found *no* bugs in it, it's easy to use, and (best of all?) it's open source.
OK, thought about this a little.
SRP essentially combines the concept of "Hashed Password" and "Secret Key" into one small, low entropy object: The stored password.
"Dictionary attack" difficulties aside, it's not hard to imagine an intruder running a pre-computation attack against a password file. *However*, the password file *can be* much more secure--crypt() is far less secure than SHA-1, though SHA-1 isn't drastically better than the MD5 passwords deployed on most Linux boxen.
It is moderately unclear through the documentation how the "public verifier" gets distributed; more emphasis should be placed on this. The public verifier, distributed via OOB mechanisms, is *the only* way to get around "first contact" problems. Now, the public verifier can be shared, extended, chained, and so on, but at some point there has to be a Out Of Band(OOB) contact.
Of course, the problem with chains is Entropy Erosion and Failure Amplification--your original entropy never increases, but your risk of compromise *does*.
Another brought up a good point--SSH ideally requires compromise of both a private key(what you have) *and* passphrase(what you know) to experience a critical failure; SRP only requires one. One nice thing is that SRP can mandate that a user have a passphrase; I don't believe SSH has a truly secure method(not client based) to make sure that they don't.
More later, if anyone's still alive in this thread. (Gotta go.)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
(Due to the author's total ineptitude in getting Slashdot to acknowledge his existence as a non-AC, the below post is being repeated. After all, a post that says 'email me' without an email link is useless... unless you're a psychic.)
I'm planning on implementing one as a final project. We'll see how fast we can get it, and whether or not it will be functional.
Disclaimer: The author has been known to be wrong before, and will probably be wrong again some time in the future.
You can set up ssh to have per-host keys and shared user ID space. Sure -- just like rlogin with encryption.
But you can use per-user keys just as easily. It's all a matter of choice , which is a Good Thing.
Since SRP isn't about encryption anyway (their website says so), but "only" authentication, then why would I want to use it? If somebody can watch me type and they see my screen output, they don't need a login on my system anyway.
Not to mention that these days, unless you have a massive investment in security, if a hacker gets the login/password of a non-root account, that is pretty much equivalent of having root on just about any version of UNIX. In my experience it is very hard to get into a well-protected machine from the outside, but once you're on, there's always a way to get root that can be found in 5 or 10 minutes of poking around. If your machine is pretty tightly locked down from the outside, and you always use SSH or some similar sniffer-proof method of logging in, you're in pretty good shape. If on the other hand, you use telnet or some other insecure form of logging in, you might as well not have passwords on any accounts including roots. It's probably also worth mentioning at this point that having your host on a switched network make some people think they are impervious to sniffing, but if you are going over a WAN to the switched media, it makes no difference, and if your switch has a monitor port and the switch is not well protected you're just as vulernable. Might as well write your passwords on yellow stickies and put them on the top of your monitor.
When and only when nice graphical interfaces for Windows, MacOS, etc (ala TeraTerm SSH, SecureCRT, DataFellows SSH, etc) exist for SRP will it be possible for be possible for it to replace SSH: face it fellas, most clients are Windows boxes, and if the clients can't connect to the server securely because either clients don't exist for the OS or the users won't use them because the interfaces suck, who cares if it's secure? Also, SSH is, as far as system integration is concerned, very easy to do.
See Godel's Incompleteness Theorem.
You're right, though, from what I've heard, FLT was proved.
The only time a man-in-the-middle attack would work with SSH is the first time you connect to a host. Any time after that your SSH client will compare the host's key to what it has stored in ~/.ssh/known_hosts.
I suggest following the authors's advice: Do not use that. This policy stinks
Check Out Teraterm with the ttssh module. Nice, Stable, complete, widely in use, and all the source is available.
--f
(Seriously, though: I use ssh for work, TinyFugue for play and netcat for scripts. =)
This won't work for all man in the middle cases. Consider this:
1)A sends B is public key
C intercepts that key can changes it to his public key
3)B sends A his public key
4)C intercpets and changes
5)A sends C a message encrypted with C's public key.
6)C decrypts and recrypts with B`s public key
7) B sends half the message encrypted.
You get the idea
Remember for this to work A and B have to have no non-seceret knowledge of the other that C does not share, and C needs compete high speed access to the entire data stream. Of course if any step is accomplished where C cannot get it (snail mail? federal crime, but doable. Meeting face to face can be fixed too, with impersonators.)
In the end you have to take some risk. Then again, if A and B know so little about each other and are doing buisness that is sensitive enough to encrypt they probably don't trust each other at all anyway.
Wow. by Anonymous Coward hirself, citing reliable sources on a reliable target, slashdot credibility at its best...
(Not that I have too much faith in the named software...)
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
SunWorld had a two part tutorial on setting up and running ssh a while back. Check it out.
Those who actually tried to stay within a quasi-legal standing in compiling SSH1 with RSAREF ended up with an insecure implementation. The thing to consider here is... did it buy them much? There is still some question whether using RSAREF actually allows one to avoid licensing issues. I wouldn't be suprised to find more installations of SSH1 today compiled by admins who got fed up with the whole situation.
As a side note, admins working for the US Government have no need to worry about RSA licenses. The US Gov't has an open license to RSA since Government money was used in developing RSA at MIT.
As you can see, the slashdot environment can be very hostile, so I have no reason to publish the source codes.
You just don't get it, do you? You expect Slashdotters to download your binaries off a Geocities site, when you can't even give a decent explanation of what your program does. Then several people with obviously a much greater quantity of brains than you go on to show how your "algorithm" (and I use the term very loosely) is not only logically flawed, but is completely irrelevant, due to the fact that much better programs already exist.
The enviroment isn't "hostile" at all. We tried to have a very rational discussion with you. You lack the mathematical knowledge to clearly explain your "algorithm", so you call us hostile? What gives? A previous poster had a good point: with all of the genius mathematicians and computer scientists that spend their lives studying number theory and cryptoanalysis, an self-proclaimed "IT engineer" (who could be little more than a haughty MSCE) had better be prepared to explain himself when he claims to have discovered an algorithm which can "find primes fast" (bold yours).
"Fast" is relative. "Fast" implies that it's fast compared to modern existing programs. Your examples were piss-poor. Signed 16- and 32-bit numbers are hardly crytographically relevant anymore. Then, you say that you gave the best times out of a few trials. Wow, how scientific of you.
You "have no reason to publish the source codes?" No-one wants them! The only reason someone asked you to post the loops is because you couldn't explain your own concept.
"Hey, guys, I have this really fast algorithm I came up with! You can try my l337 Linux binaries, 'cause I'm so generous! What does it do and how does it work? Well, I can't really explain it... and I don't want to let you see the code, because when top university scientists from around the world discover what a genius I am, I want to be able to talk all the credit. Hey, stop using big words and intelligent sentences, you meanies! Forget it, I'm taking my amazing program and it's amazing source elsewhere!" What a fucking dipshit.
I am the Lord.
I am the Lord.
God Hates Moderators.
I see little evidence for this, and there are lots of hints otherwise. Previous versions of the SRP license contained the warning
The page http://srp.stanford.edu/ says "This link is currently limited to Stanford users pending resolution of patent negotiations. Sorry!"Two years ago I sent email to Thomas Wu asking if it was patented and got no response. Other people I've talked to also are concerned about this.
So while I can't point to clear evidence of patents, I urge great caution with SRP until a definitive answer on this question is provided. I like SRP, but the advantages over SSH are marginal enough that the intellectual property questions are far more important.
On another front, SRP is promoted because it allows users to choose their own easily-remembered passwords. But Bruce Schneier notes that computers are already fast enough to basically search the entire space of passwords that are easy for humans to remember. So if the password file on an SRP server is compromised, the passwords can be cracked if you try hard enough. I'm sure it is very expensive now, but over time the cost of doing this will drop since human memory capacity is not increasing.
--Neal
--Neal
Go IETF!
Regardless of whether or not a patent is issued, SRP will be available under the current Open Source-friendly license. There are *no* patent problems using SRP - enabling strong Open Source authentication was one of the major reasons I invented SRP.
> I hope you have tongue firmly in cheek [...]
> See Godel's Incompleteness Theorem
Ah, these are two different results. Godel's Completeness Theorem says that any *first order* statement which is true can be proved. "First order statements" are, essentially, mathematical statements which only talk about certain things. Amongst other things, first order statements can't talk about "For all sets such that blah".
On the other hand, there are statements which do include things like "for all sets such that blah " - called second order statements. Godel's *Incompleteness* Theorem says that there are some second order statements which are true but cannot be proven.
My comment was that FLT fits into the first category, so an automated proof is (theoretically) possible. Of course, it would take ages to run!
perl -e 'fork||print for split//,"hahahaha"'
Lovely,
apparently this post was is the same category as "PERL sucks! Python Rulez!".
Hillarious.
perl -e 'fork||print for split//,"hahahaha"'