OpenSSH No Longer Has To Depend On OpenSSL

ConstantineM writes: "What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality — with the help of some recently adopted crypto from DJ Bernstein, OpenSSH now finally has a compile-time option to no longer depend on OpenSSL. `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys."

Nooooooooo

[sholdowa]

Sorry, I'll take OpenSSL over any DJBness any time!

Re:Nooooooooo

[lgw]

DJB is the worst kind of asshole too: he's almost always right. So you shouldn't just ignore him. Meh, justified arrogance still annoys.

Now, what we really need is a cage match between DJB and Theo de Raanter. I'd buy that on PPV!

Re:Nooooooooo

[bill_mcgonigle]

Now, what we really need is a cage match between DJB and Theo de Raanter. I'd buy that on PPV!

Might be kinda boring, actually - they're both usually harsh on people who are wrong. So, in this case...

You'd have to get DJB talking about large systems integrations (awesome, qmail is a secure system that doesn't meet real world needs without patches of unknown quality) and Theo talking about people's motivations (especially 'linux people').

Re:Nooooooooo

[mcrbids]

I would argue, it's not that he's *right*, it's that he's right in a way that still doesn't help.

Wife: "Honey, do you know where my keys are?"

Husband: "Pretty sure they're right where you left them!".

Technically correct, completely unhelpful.

And that's how QMail is. (or was, I stopped using it years ago) Qmail is a nightmare I'd rather forget. Sure, it is/was very secure, modularly written with strong privilege separation, built-in clustering support, etc. But because of the horribly restrictive license it was under, you had to download it and apply a half dozen patches in order to get it to do what you wanted. Worse, the patches were often somewhat in conflict, so you end up doing patches in a specific order to get what you want, and/or manually editing files. And then, when you are done, you have something that not only has its own init system, it actually conflicts with the standard init system so you have to pretty much disable every other service on the said server.

But you know what seems like the most asshole part of all? Updates are infrequent at best, and the license doesn't allow you to distribute updated versions. It just isn't going to get any better. Everywhere else, you run a single command (EG: yum install postfix) but to get qmail going takes weeks.

I'm a big fan of DJB's code quality, and the new Crypto being released as LGPL means I would actually get behind using his code. I'm just glad that heartbleed means that the critical security infrastructure will finally get somewhere near the attention it deserves...

Re:Nooooooooo

[gmack]

Your suggested fix to disable bounce messages with the side affect that the sender then has no way to know that the mail never arrived? Not going to happen. If I ever did something that stupid, my clients would drop me.

In the meantime I've switched to Postfix which manages to do things correctly by refusing the message in the initial connection if the user doesn't exist so the sending mail server gets to generate the bounce message instead. And yes I know there are now patches and Qmail forks that cause Qmail to do things correctly but there really weren't at the time and my point remains that DJB never cared that his software could be misused this way.

Vetting the replacement libraries?

[mlts]

Now, here is the secondary question: How well vetted/audited will the replacement libraries end up? Disconnecting OpenSSH from OpenSSL does help isolate things, but it also means that there is twice the cryptographic code to sift through in order to ensure security.

I trust the OpenBSD developers and Theo, so IMHO, this is a net security gain.

Maybe for the lost ciphers, it might be good to implement LibreSSL?

Re:Vetting the replacement libraries?

[Noryungi]

LibreSSL will indeed, by used by OpenSSH.

See here for more details: http://undeadly.org/cgi?action...

Re:Vetting the replacement libraries?

[chriscappuccio]

There are no replacement libraries. The ED25519, ECDH, ChaCha20 and AES-CTR code is all part of OpenSSH itself. And the code is very, very tight and compact and very easy to audit. Entirely the opposite of OpenSSL!!!

Good news! Now get it FIPS certified.

[sinij]

Get this version of OpenSSH FIPS certified and it will be default industry standard for the next decade.

Re: Good news! Now get it FIPS certified.

You can't certify source code. You can only certify binaries. That makes FIPS certification a challenge for most users and implementers.

Re:Good news! Now get it FIPS certified.

[DougOtto]

While your points are certainly valid, they do little to mitigate the need for FIPS when dealing with things like FBI CJIS data. Either you're in compliance or they disconnect you. It's sort of like arguing with a TSA agent; it'll make you feel a little better but it won't actually change anything.

Re:Good news! Now get it FIPS certified.

[Noryungi]

Or, as the fortune used to read: The good thing with standards is that there are so many of them to choose from...

Re:Good news! Now get it FIPS certified.

[TechyImmigrant]

FIPS 140-2 is a spec about boundaries. You draw a boundary and the spec talk about how data passed through the boundary and about the stuff that allowed inside the boundary.

One the primary things is asks is that the crypto algorithms are NIST approved. E.G. AES or SP800-90 or SHA1/2/3.

So to build a FIPS140-2 compliant thing, you first determine the box (the boundary) and the function. Then implement that function using crypto algorithms from the list of NIST approved algorithms.

Curve 25519, chacha20 and poly1305 do not appear in any NIST published specification.

Re:Good news! Now get it FIPS certified.

[TechyImmigrant]

Not all of them. For example in SP800-90 the AES-CTR-DRBG has publicly published proofs of its security. Also I understand the hash and hmac DRBGs to be secure but I've never read the proofs.

The sore thumb was the Dual-EC-DRBG which was suspect from day one and shown to have a back door in 2006.

I myself pointed out the back door in FIPS140-2 section 4.9.2 that I call the "FIPS Entropy Destroyer" and I refused to implement it and I've submitted comments to NIST to fix it in the spec.

SHA1 is broken. SHA2 is suspect. SHA3 seems good, but Skein would have been more secure and faster and easier to implement since the algorithm is so dividable that you can make small iterative implementations or really fast parallel implementations. So I'm suspect about the choice of Keccak.

HMAC-x seem fine, but block cipher MACs seem to have better foundations. SHA1 fell because it has a nasty block cipher in its core. Basing a MAC on a well analyzed block cipher seems to be far more sensible. So again, I'm suspect of the SHAs.

No RSA?

[TechyImmigrant]

Can we have it with Normal RSA for key agreement/key exchange?

Elliptic Curves are a minefield you need a degree in math to navigate. I prefer my crypto to be tractable.

How about reducing problems

[cheesybagel]

Just create a crypto library and make OpenSSH and LibreSSL depend on that instead of duplicating hard to debug code everywhere.

Re:How about reducing problems

[TechyImmigrant]

If you pick only one variant of one algorithm for each of the algorithms types, the code is very small and simple and doesn't need to be in a library, that typically needs to support many configurations for many consumers.

If you have a crypto application, write your algorithm one way, once with no configuration or runtime variation. It will serve you well.

Re:Compiler option

[adisakp]

Yes it did. You were not vulnerable if you have built OpenSSL with the feature disabled.

Except that OpenSSL actually didn't run with the "feature disabled" (internal freelist-based memory allocator) due to uninitialized memory bugs in OpenSSL that required newly allocated blocks of certain types to have memory set in them from previously freed blocks. See details here.

Re:Not a bad thing, but not that important

[swillden]

Grr.. s/exactly which/exactly why/

If only there were some way to, you know, see your post before you post it. Like a "preview" button or something.

AES-CTR

[TechyImmigrant]

I don't like AES-CTR as a privacy mode for online communications and I don't like this

void
aesctr_keysetup(aesctr_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
{
        x->rounds = rijndaelKeySetupEnc(x->ek, k, kbits);
}

The AES key schedule can be computed inline with the round function, both for encrypt and decrypt.
Computing the key schedule inline means that the state isn't left laying around in memory.
Also, the majority of side channel attacks against key schedule rely on repeated behaviors. A simple principle that is a good mitigation is to never use the same key twice.
Pre-computing the key schedule is only an optimization when you are using the same key repeatedly.
So AES-CTR encourages both sins. Using the same key multiple times and then optimizing by keeping the key schedule state laying around.

The CTR mode is just a non-ideal PRF to generate bits that are XORed with the data. On each block the key is the same but the IV changes.
The PRF is non ideal because no block will match (since AES or any other block cipher, with a fixed key is a bijective mapping) whereas in true random data, blocks may match with the usual statistical probability.

So if we picked a better block cipher based PRF, like say the SP800-90 AES-CTR-DRBG, both key and IV change on each step, so the output looks more like a real PRF and the key isn't used twice and so there's no incentive to optimize with a pre computed key schedule.

The inline computation is nice and simple and constant time. This is a particularly inefficient implementation, you can do better:
void next_key(unsigned char *key, int round)
{
        unsigned char rcon;
        unsigned char sbox_key[4];
        unsigned char rcon_table[12] =
        {
                0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
                0x1b, 0x36, 0x36, 0x36
        };

        sbox_key[0] = sbox(key[13]);
        sbox_key[1] = sbox(key[14]);
        sbox_key[2] = sbox(key[15]);
        sbox_key[3] = sbox(key[12]);

        rcon = rcon_table[round];

        xor_32(&key[0], sbox_key, &key[0]);
        key[0] = key[0] ^ rcon;

        xor_32(&key[4], &key[0], &key[4]);
        xor_32(&key[8], &key[4], &key[8]);
        xor_32(&key[12], &key[8], &key[12]);
}

Re:AES-CTR

[TechyImmigrant]

Because when you invoke AES with the same key many times, you leave yourself more vulnerable to side channel and fault injection attacks.

Re:symbolism over substance in the realm of secury

I like it how you listed it as Obama's Legacy. TSA was put in under Bush's reign of stupidity and the NSA has been around since sometime after WWII.

Re:OPENSSL_NO_HEARTBEATS

[Em+Adespoton]

In reality, the heartbeats had no place in OpenSSL; if you want a heartbeat, you can implement it on the next layer up the stack, and this should be enough to hold the connection open. In the few instances where a heartbeat has helped me, there was a better way to handle the situation (as it was usually required due to bad router configuration in the first place). Implementing transport connection quality monitoring code inside a transport encryption library just leads to stuff like heartbleed. LibreSSL is reimplementing it correctly.

He's right when he's driving in the UK

[raymorris]

Sometimes, DJB is right, I'll give him that. More frequently, I think, he simply doesn't like following any standards, customs, or conventions. In the US, he'd come up with an argument of why driving on the left side of the road is better. If the same discussion occurred in the UK, he'd come up with an equally good argument why people should drive on the right side of the road - whatever position is contrarian, he'll take it. That's fine, it helps avoid groupthink and the like. The problem is, he doesn't just argue it - he then goes right on ahead and actually drives on the wrong side of the road. Left or right probably doesn't matter, but going head-on against all of the traffic is obviously a very bad idea, and that's what he does.

A well known example is of course the filesystem. The Linux Standards Base discussions covered a few options that each had minor benefits and drawbacks. It didn't really matter what LSB decided - the config files can be in /etc/ , in /config/, or in /why/cares/ - it doesn't matter as long as you know where they are so you can back them up, adjust them for a new instance of an image, etc. What matters most isn't where they are, but that they are in some standard location. DJB screws all that up. I suspect that half the time, the perverse pleasure of screwing up standards is actually his primary motivation for his decisions.

Re:He's right when he's driving in the UK

[hangareighteen]

His goal seems to be to make rock solid software with well-considered security of design and operation, and that's about his only goal. Compliance with the LSB is nice and all, but it's not something that keeps me up at night. Hell, it's not even in the top ten; and while DJB's software can be a little rough around the edges, I'm more than happy to use it because I have a high level of confidence in the design and implementation of his ideas.

Re:He's right when he's driving in the UK

[neurovish]

Driving around "country roads" in Scotland, I was left with the impression that they don't really have "sides". You just go along down the middle until you come across an oncoming car, then rock/paper/scissors to decide who is going to back-up to a spot wide enough for two cars to pass or just pull into the sheep field. These "country roads" also seemed to be the most direct route from one place to another.

Re:Where is arcfour?

[blueg3]

Dead. Where it belongs.

Re:symbolism over substance in the realm of secury

[theshowmecanuck]

'one party, two faces'

FTFY: 'one party, two feces'

Patrons?

[jones_supa]

The front page of openssh.org is a grimy reading:

This list specifically includes companies like NetApp, NETFLIX, EMC, Juniper, Cisco, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

So there we go again. Even a critical piece of software like this, cannot get proper funding from the giants, who are happy to take the software for free.

It just sucks, man.

OpenSSH vulnerability

[ynedobill]

Does anyone knows if this vulnerability impacts OpenSSL implementation in OpenSSH ? http://pastebin.com/gjkivAf3