[nycbug-talk] Hot Story: German Gov. intelligence agencies decrypt PGP, SSH

Isaac (.ike) Levy ike at blackskyresearch.net
Sun Jun 16 22:01:24 EDT 2013


On Jun 16, 2013, at 9:10 PM, nop <nop at insidiae.net> wrote:

> What are current protocols at peoples' work sites now?
> 
> Whenever.

Often.  Of course everyone around me changes keys every morning, and right after lunch, M-F.  (So, weekends are still obviously a vulnerable time.)

I am of course kidding, but *nobody* likes talking about these policies, because most environments are willfully lax here.  Why?  I don't know.

--
Major gains can be had, by at least hitting the basics:

In web shops, I've repeatedly gotten the greenest daisy-fresh rookie web devs to adhere to (and not be upset about), the most basic policies, by making it simple, and providing a quick start doc to them which walks them through these 3 steps:

TASK FOR USERS (make keys):
--
1) be explicit about making keys
# cd ~/.ssh/ 
# ssh-keygen -C 'Optional Comment Goes Here' -b 4096 -t rsa -f id_rsa
(this can conform to whatever your policies are, crypto, key size, etc...)

2) explain in a sentence that private key must stay on your laptop, (make another doc or a footnote to show how to use ssh-agent, if your environment warrants it)

3) explain to send public key to the admins, (usb key or email or other, whatever your environment warrants).
--

If you don't treat your devs like idiots, they typically comply, and even *gasp* can be compelled to read some man pages.

For other policy basics, in small web shops, I can't tell you how valuable spot-checking key passwords is, e.g. ask a user to do the following:
# ssh-add -D
# ssh -i /path/to/some_key user@somehost

If no password prompt, revoke the user key, and make the user generate a new one.

--
For policy changes, I've found nothing but forcing "key changing parties" gets this to happen among users.  For admins, the key changing parties are a non-thing kind of event, like shaving or clipping toe-nails.

For non-admin/security types, a case of beer typically helps smooth the event along.

--
One last thing about ssh agent use, it can be a real problem in those unavoidable 'tons of eggs in the basket' systems in your infrastructure… Worth a discussion with your fellow admins, IMHO.


> I know the Google forces SSH key pair changes frequently (monthly or
> even weekly?), which makes sense.  It's not like forcing regular passwd
> changes and users recycling passwds or writing them down as a forced bad
> practice.
> 
> I assume people at least use different keys for work and personal.. and
> use passwds with SSH and GPG/PGP?
> 
> Natch.

Natches, on your belt, for every key changed.

(nop did teach me how to use ssh properly, once upon a time :)

>  
> 
> And that 2048-bit keys aren't a hassle to your CPU compared to 1024…

My .02¢

Shucks, 4096 bit RSA keys haven't been "too big" since 4u boxes were as punchy as my iPhone, (and the ssh logins could have a very noticeable effect on the performance of the MTA or web server on the box…).

Biggest keys everywhere, pretty much all the time, IMHO.

> 
> You can "share" a connection in openssh now, so there is no reason to get crazy on those bits.
> 
> http://protempore.net/~calvins/howto/ssh-connection-sharing/

Woah now.  Multiplexing is not only useful, it's also fun…  Not sure if fun is allowed.

Rocket-
.ike
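
The passphrase spot-check described in the message above can also be done by reading the private key file's header, without logging in anywhere. This is an added example, not part of the original message: the function names and sample keys are constructed for illustration, and it has to run where the private key lives (the user's laptop). It covers both the legacy PEM format and the newer OpenSSH key format.

```python
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_passphrase_protected(key_text):
    """True if the private key is encrypted at rest, False if it is stored in the clear."""
    lines = [l.strip() for l in key_text.strip().splitlines() if l.strip()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        raise ValueError("not a PEM-armored private key")
    label = lines[0].strip("-").replace("BEGIN ", "", 1).strip()
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, encrypted
        return True
    if label == "OPENSSH PRIVATE KEY":        # newer OpenSSH container
        blob = base64.b64decode("".join(lines[1:-1]))
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            raise ValueError("truncated or malformed OpenSSH key")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"   # cipher name "none" = no passphrase
    # Legacy PEM (RSA/DSA/EC): encryption is announced in the header lines
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:3])

def sample_openssh_key(cipher, kdf):
    """Constructed sample: header fields only, not a usable key."""
    body = OPENSSH_MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

# Constructed legacy-format samples; the base64 body is a dummy placeholder.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Usage: python check_key.py ~/.ssh/id_rsa [more key files...]
    for path in sys.argv[1:]:
        with open(path) as fh:
            protected = key_is_passphrase_protected(fh.read())
        print("%s: %s" % (path, "passphrase set" if protected else "NO PASSPHRASE, replace this key"))
```

This only shows whether a passphrase is set, not how strong it is.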





