 | |  |
3.9. Algorithms Used by SSH
Table 3-4 through Table 3-6 summarize
the available ciphers in the SSH protocols and
their implementations. Required algorithms are in bold;, recommended
ones are italic; the others are optional. Parentheses indicate an
algorithm not defined in the protocol, but provided in some
implementation. The meanings of the entries are:
- x
- The implementation supports the algorithm and is included in the
default build.
- o
- The implementation supports the algorithm, but it isn't
included in the default build (it must be specifically enabled when
compiling).
- -
- The implementation doesn't support the algorithm.
Table 3-4. Algorithms in the SSH Protocols
|
|
SSH-1.5 |
SSH-2.0 |
|
Public-key |
RSA |
DSA, DH |
|
Hash |
MD5, CRC-32 |
SHA-1, MD5 |
|
Symmetric |
3DES, IDEA,
ARCFOUR, DES |
3DES, Blowfish,
Twofish, CAST-128, IDEA, ARCFOUR |
|
Compression |
zlib |
zlib |
Note that Table 3-4 simply lists algorithms in different
categories used in the two protocol specifications, without regard to
purpose. So for example, SSH-1 uses both MD5 and CRC-32, but for
different purposes; this listing doesn't imply that SSH-1 has
option to employ MD5 for integrity checking.
Table 3-5. SSH-1 Ciphers
|
|
3DES |
IDEA |
RC4 |
DES |
(Blowfish) |
|
SSH1 |
x |
x |
o |
o |
x |
|
OpenSSH |
x |
- |
- |
- |
x |
|
|
3DES |
Blowfish |
Twofish |
CAST-128 |
IDEA |
RC4 |
|
SSH2 |
x |
x |
x |
- |
- |
x |
|
F-Secure SSH2 |
x |
x |
x |
x |
- |
x |
|
OpenSSH |
x |
x |
- |
x |
- |
x |
Why
are some algorithms
unsupported by different programs? DES is often omitted from SSH-1
software as insufficiently secure. RC4 is omitted because of problems
in the way it is used in the SSH-1 protocol, permitting
vulnerabilities to active network-level attacks; this problem has
been fixed in SSH-2. IDEA is omitted from OpenSSH and the
noncommercial SSH1 and SSH2 because it is patented and requires
royalties for commercial use. Twofish isn't in OpenSSH because
it isn't yet part of the OpenSSL toolkit, which OpenSSH uses.
CAST-128 is free, so we don't know why it is missing from the
noncommercial SSH2.
The free version of SSH2 supports only the required DSA for public
keys, while the commercial F-Secure SSH2 Server adds partial support
for RSA keys for user authentication. [Section 6.2.2, "Generating RSA/DSA Keys for SSH2"].
The F-Secure server starts if its host key is RSA and reports that it
successfully read the key. However, it still advertises its host key
type as DSA in its key-exchange messages and then supplies the RSA
key anyway, causing clients to fail when they try to read the
supplied key. Of course, this problem masks the question of whether
the client can handle an RSA host key even if it were properly
identified. OpenSSH/2 doesn't contain RSA support at all, but
now that the RSA patent has expired, the ssh-rsa key type will be
added to the SSH-2 protocol, and support should follow shortly.
We now summarize each of the algorithms we have mentioned.
Don't treat these summaries as complete analyses, however. You
can't necessarily extrapolate from characteristics of
individual algorithms (positive or negative) to whole systems without
considering the other parts. Security is complicated that way.
3.9.1. Public-Key Algorithms
3.9.1.1. Rivest-Shamir-Adleman (RSA)
The
Rivest-Shamir-Adleman
public-key algorithm (RSA) is the most widely used asymmetric cipher.
It derives its security from the difficulty of factoring large
integers that are the product of two large primes of roughly equal
size. Factoring is widely believed to be intractable (i.e.,
infeasible, admitting no efficient, polynomial-time solution),
although this isn't proven. RSA can be used for both encryption
and signatures.
Until September 2000, RSA was claimed to be patented in the United States by Public
Key Partners, Inc., a company in which RSA Security, Inc. is a
partner. (The algorithm is now in the public domain.) While the
patent was in force, PKP claimed that it controlled the use of the
RSA algorithm in the USA, and that the use of unauthorized
implementations was illegal. Until the mid-1990s, RSA Security
provided a freely available reference implementation, RSAref, with a
license allowing educational and broad commercial use (as long as the
software itself was not sold for profit). They no longer support or
distribute this toolkit, though it is commonly available. Since RSA
is now in the public domain, there's no longer any reason to
use RSAref. It is no longer supported, some versions contain security
flaws, and there are better implementations out there; we discourage
its use.
The SSH-1 protocol specifies use of RSA explicitly. SSH-2 can use
multiple public-key algorithms, but it defines only DSA. [Section 3.9.1.2, "Digital Signature Algorithm (DSA)"] The SECSH working group plans to add the RSA
algorithm to SSH-2 now that the patent has expired. In the meantime,
only the F-Secure SSH2 Server implements RSA keys in SSH2, using the
global key-format identifier "ssh-rsa". This isn't
yet part of the draft standard: to be technically correct it should
use a localized name, e.g., ssh-rsa@datafellows.com.
[ Section 3.5.1.1, "Algorithm choice and negotiation"] However, this is unlikely to cause a
real problem. The feature is useful for authentication to an SSH2
server with an existing SSH1 key, so you don't need to generate
a new (DSA) key.
3.9.1.2. Digital Signature Algorithm (DSA)
The Digital Signature Algorithm (DSA)
was developed by the U.S. National Security Agency (NSA), and
promulgated by the U.S.
National Institute of Standards and
Technology (NIST) as part of the Digital Signature Standard
( DSS). The DSS was issued as a
Federal Information Processing Standard, FIPS-186, in May 1994. It is
a public-key algorithm, based on the Schnorr and ElGamal methods, and
relies on the difficulty of computing discrete logarithms in a finite
field. It is designed as a signature-only scheme that can't be
used for encryption, although a fully general implementation may
easily perform both RSA and ElGamal encryption.
DSA has also been surrounded by a swirl of controversy since its
inception. The NIST first claimed that it had designed DSA, then
eventually revealed that the NSA had done so. Many question the
motives and ethics of the NSA, with ample historical reason to do
so.[37] Researcher Gus Simmons discovered a
subliminal channel in DSA that allows an implementor to leak
information -- for instance, secret key bits -- with every
signature. [38] Since the algorithm was
to be made available as a closed hardware implementation in smart
cards as part of the government's Capstone program, many people
considered this property highly suspicious. Finally, NIST intended
DSA to be available royalty-free to all users. To that end it was
patented by David Kravitz (patent #5,231,668), then an employee of
the NSA, who assigned the patent to the U.S. government. There have
been claims, however, that DSA infringes existing cryptographic
patents, including the Schnorr patent. To our knowledge, this issue
has yet to be settled in court.
The SSH-2 protocol uses DSA as its required (and currently, only
defined) public-key algorithm for host identification.
3.9.1.3. Diffie-Hellman key agreement
The Diffie-Hellman key agreement algorithm
was the original public-key system, invented by Whitfield Diffie,
Martin Hellman, and Ralph Merkle in 1976. It was patented by them in
1977 (issued in 1980, patent #4,200,770); that patent has now
expired, and the algorithm is in the public domain. Like DSA, it is
based on the discrete logarithm problem, and it allows two parties to
derive a shared secret key securely over an open channel. That is,
the parties engage in an exchange of messages, at the end of which
they share a secret key. It isn't feasible for an eavesdropper
to determine the shared secret merely from observing the exchanged
messages.
SSH-2 uses the Diffie-Hellman algorithm as its required (and
currently, its only defined) key-exchange method.
3.9.2. Secret-Key Algorithms
3.9.2.4. ARCFOUR (RC4)
Ron
Rivest designed the RC4 cipher in 1987 for RSA Data Security, Inc.
(RSADSI); the name is variously claimed to stand for "Rivest
Cipher" or "Ron's Code." It was an unpatented
trade secret of RSADSI, used in quite a number of commercial products
by RSADSI licensees. In 1994, though, source code claiming to
implement RC4 appeared anonymously on the Internet. Experimentation
quickly confirmed that the posted code was indeed compatible with
RC4, and the cat was out of the bag. Since it had never been
patented, RC4 effectively entered the public domain. This
doesn't mean that RSADSI won't sue someone who tries to
use it in a commercial product, so it is less expensive to settle and
license than to fight. We aren't aware of any test cases of
this issue. Since the name "RC4" is trademarked by
RSADSI, the name "ARCFOUR" has been coined to refer to
the publicly revealed version of the algorithm.
ARCFOUR is very fast but less studied than many other algorithms. It
uses a variable-sized key; SSH-1 employs independent 128-bits keys
for each direction of the SSH session. The use of independent keys
for each direction is an exception in SSH-1, and crucial: ARCFOUR is
essentially a pad using the output of a pseudo-random number
generator. As such, it is important never to reuse a key because to
do so makes cryptanalysis trivially easy. If this caveat is observed,
ARCFOUR is considered secure by many, despite the dearth of public
cryptanalytic results.
3.9.2.6. Twofish
Twofish is
another design by Bruce Schneier, together with J. Kelsey, D.
Whiting, D. Wagner, C. Hall, and N. Ferguson. It was submitted in
1998 to the NIST as a candidate for the Advanced Encryption Standard,
to replace DES as the U.S. government's symmetric data
encryption standard. Two years later, it is one of the five finalists
in the AES selection process, out of 15 initial submissions. Like
Blowfish, it is unpatented and free for all uses, and Counterpane has
provided uncopyrighted reference implementations, also freely usable.
Twofish admits keys of lengths 128, 192, or 256 bits; SSH-2 specifies
256-bit keys. Twofish is designed to be more flexible than Blowfish,
allowing good implementation in a larger variety of computing
environments (e.g., slower processors, small memory, in-hardware). It
is very fast, its design is conservative, and it is likely to be
quite strong. You can read more about Twofish at:
http://www.counterpane.com/twofish.html
You can read more about the NIST AES program at:
http://www.nist.gov/aes/
3.9.3. Hash Functions
3.9.3.4. RIPEMD-160
Yet another 160-bit MD4 variant,
RIPEMD-160, was
developed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel as
part of the European Community RIPE project. RIPE stands for RACE
Integrity Primitives Evaluation;[44]
RACE, in turn, was the program for Research and Development in
Advanced Communications Technologies in Europe, an EC-sponsored
program which ran from June 1987 to December 1995 ( http://www.analysys.com). RIPE
was part of the RACE effort, devoted to studying and developing data
integrity techniques. Hence, RIPEMD-160 should be read as "the
RIPE Message Digest (160 bits)." In
particular, it has nothing to do with RIPEM, an old Privacy-Enhanced
Mail (PEM) implementation by Mark Riordan (http://ripem.msu.edu/ ).
RIPEMD-160 isn't defined in the SSH protocol, but it is used
for an implementation-specific MAC algorithm in OpenSSH, under the
name hmac-ripemd160@openssh.com. RIPEMD-160 is
unpatented and free for all uses. You can read more about it
at:
http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
|  | | | 3.8. SSH and File Transfers |  | 3.10. Threats SSH Can Counter |
|
