ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
are very convenient due to their small size. Ed25519 keys are
specified in RFC 8709 and OpenSSH has supported them since version 6.5
(January 2014).
Does Azure not support cloud-init? When AWS complained about Ed25519 keys, I just told AWS to not associate any keys at all and just put my key in the cloud-init config. The OS copies the contents from cloud-init to the appropriate authorized_keys file on first boot and it's none of AWS's business which key (or how many keys) I use to login into my instances.
That seems like specifically Azure DevOps, not the Azure platform generally? I assume any OS running inside Azure Compute, or any other managed services will support Ed25519 fine?
But once you've created the VM you can log in and replace that RSA key with an ED25519 one just like any standard Linux install, via ssh-copy-id or manually updating authorized_keys or whatever you want. So you just need a throwaway RSA key for the initial deployment.
It's probably because FIPS 140-2 doesn't list it. I know machines booted with fips=1 and fips certified openssl, etc, openssh won't accept ed25519 keys for key auth.
Going to 4096 doesn't get you much given you have weaker links in the security chain. The next step up would be AES 192 and RSA 7680, and then AES 256 with RSA 15360.
You'd have an argument if you were just talking about the DH key used for PFS, but the ID key is a long term secret, so breaking it has a radically payoff surface.
Even when AES and ECC have similar security they have different behavior in terms of multi-target attacks and the curve for success probability vs computation invested are quite different.
You're also not limited to use AES 128 with ssh, ChaCha20-Poly1305 is a nice choice.
Strange, I didn't expect Rambus to be involved in cryptography, nor that they would give away the spec and implementation. I guess it was designed to be a smaller die-area solution for some of their silicon IP products, and opening it up just makes it more convenient for their customers to use. (And, hopefully, nobody is stupid enough to use some vendor's secret proprietary crypto in their chips).
I'd be interested to read a history of Rambus. They're a strange and somewhat controversial company. I lived through the controversy but I'm not certain I remember it correctly. From what I remember they patented some things related to DDR SDRAM, I'm not sure how much credit they deserve for developing those things or if they were just first to file. For part of the Pentium 4's lifecycle they convinced Intel to use Rambus' proprietary DRAM (RDRAM) which supposedly had some benefits but I just remember being overpriced. They shook down DDR manufacturers for patent licensing fees. Apparently the EU opened an antitrust investigation into them for getting their patents into the standard and then not licensing them freely enough. I'm not sure it's fair to call them a patent troll but I guess they're something similar to Fraunhofer or Synopsis.
This comment is cringe enough that it is making the rounds on multiple Slacks. It's fine that you've never heard of Curve448. That just means you're not a cryptography engineer. Most people aren't! But if you're not one of those, be a little careful about connecting the dots to things like "Crypto AG". Saying "I've never heard of Curve448, it sounds sketchy" is a little like a systems programmer saying "I've never heard of Paxos before, it sounds sketchy". Most systems programmers are never going to do anything with Paxos. But all the competent ones can look it up in about 20 seconds and confirm that it isn't a conspiracy.
No, Curve448 is as good as can be per the public knowledge, see https://safecurves.cr.yp.to/. What one could expect given Rambus history is undisclosed patents, possibly the most efficient hardware implementation. They have been known to get their tech standardized (not disclosing IP claims) and come back at adopters with patent violation suits.
Cryptography Research patented quite a few DPA/SPA countermeasures, if there is a non obvious patent on Curve448 it will likely be one of those making it hard to make a non infringing, fast yet not vulnerable HW implementation... Given their business in licencing those countermeasure (https://www.rambus.com/security/dpa-countermeasures/licensed...), one can see their eagerness to get some curves in widely used standards as suspicious in that light.
I'm not really concerned but I also understand why one wouldn't implement anything Rambus related given their history of patent trolling...
> Rambus was accused of shredding key documents prior to court hearings, the judge agreed and dismissed Rambus' case against Infineon. T
> On January 9, 2009, a Delaware federal judge ruled that Rambus could not enforce patents against Micron Technology Inc., stating that Rambus had a "clear and convincing" show of bad faith, and ruled that Rambus' destruction of key related documents (spoliation of evidence) nullified its right to enforce its patents against Micron.[28]
> Rambus engaged in intentional deceptive conduct in the context of the standard-setting process for example by not disclosing the existence of the patents which it later claimed were relevant to the adopted standard. This type of behavior is known as a "patent ambush".
> Ronald Black, Rambus's CEO, said, "Somehow we got thrown into the patent troll bunch...This is just not the case."[43]
See, they are the good guys after all. It came right from their CEO. /s
If someone is acting like this then shows up with a "here is a cool curve you can use", not surprising people will be suspicious. It's like that neighbor who has been suing everyone in the neighborhood, and calling the cops on kids playing outside, all of the sudden shows with a plate of cookies. People will think twice before trying a cookie.
Same for me. I don't think Rambus was a pure troll because they actually did invent some things, but at the time I thought they saw what SCO did and wanted in on that action.
Rambus is an interesting company. I can't vouch for their crypto offerings, but they have been around since the 90's and at one point pioneered high-speed DRAM interfaces. Lots of what we see in DDR today is based on ideas and concepts they pushed forward in their proprietary interface. Early on, they definitely did innovative work.
IIRC, their interfaces were used in some Sony play-stations and also some Intel systems.
My fellow comments aren't actually getting to the point: The original release of the Pentium 4 used Rambus RAM, instead of the JEDEC standard of the time.
This Pentium 4 was released in the year 2000.
So, yes, Rambus, the company, is a known quantity. Just weird they're into crypto now, because trying to wiggle into this already crowded patent landmine is certainty an... interesting choice.
They bought Paul Kocher's Cryptography Research in 2021. Cryptography Research designed the Blu-Ray BD+ licensing system and owned a huge IP portfolio on differential power analysis, a technique Kocher, one of the godfathers of side channel cryptanalysis, invented. They also ran (run?) one of the industry's best cryptographic consultancies. If you're a major hardware vendor going to market with a new cryptographic coprocessor, you're very likely going to engage Rambus.
> Ed25519 is one of the two digital signature algorithms today that use the EdDSA algorithm framework. The other is Ed448, which targets a higher security level (224-bit vs 128-bit) but is also slower and uses SHAKE256 (which is overkill and not great for performance).
I'm using RSA8192 with SSH and not seeing any noticable performance problems. ECC is generally faster than RSA, so just always using Ed448 or even larger should be a no-brainer.
The comments about Ed25519 versus Ed448 were meant for the general case of their use, and not (necessarily) strictly in the use for SSH.
However, the reason for Ed25519 use in OpenSSH is because the keys are much smaller, and easier to cut/paste/etc, for the same security factor. The fact that they are faster for signing is a bonus.
All of the above correspond to roughly the security of AES 128. If you want AES 256 equivalence, double the size/length.
I'm in the habit of using ssh-copy-id(1), but there are a lot of places where you have to copy-paste in a web interface (and lots of instructions tell you to copy-paste into your remote ~/.ssh/authorized_keys file).
"Please note that, due to the structure of the underlying ASN.1 structure, RSA PEM bodies start always with the same characters: MIG for 1024 bit keys, MII for 2048 and 4096 bit ones."
Hmm, I wouldn’t think so, but I’m not an expert in such things. If you already have access to that text, you’ve won. I wouldn’t think that would leak any extra information.
It's a small change, but it's a signal that we're much more on top of x/crypto/ssh maintenance, compared to a year ago when we had to scramble to implement rsa-sha2-256/512 support just hours before GitHub (rightfully) dropped SHA-1 support, potentially breaking every x/crypto/ssh client.
The main reason is that thanks to the funding of my clients (https://words.filippo.io/full-time-maintainer/) I was able to hire Nicola Murino, the maintainer of SFTPGo, to pick up maintenance of x/crypto/ssh. This is benefiting both my clients and the whole ecosystem, and is a little step in growing the professional maintainer model.
The release notes do not say why there is a need to obfuscate keystroke timings. I guess it is designed to mitigate some attack vector? Is it already being exploited in the wild or... let's say is purely of academic interest?
Pretty much, if anybody can listen in on your traffic and IO is unbuffered then they can extract information about the keys pressed based on the timing between consecutive presses. There's this old LWN article: https://lwn.net/Articles/298833/
There is this cool thing I've noticed about software as it matures and this is a good example of that. When you're first starting out on a project, have no users, and its mostly feature incomplete there is little to no drive or reason to care about whole classes of security and performance issues... You're trying to just get the thing to work.
Let's ignore ongoing feature creep and development in projects for now (I'll address this in a second). As the core software becomes functional, gains users, has bugs fixed, the threat model of the software needs to change and grow. Generally software in this state gets progressively more stable and in that stability you can see the tiny ripples of very small edge cases.
For software where security is paramount and has an uncountable number of users protecting uncountable bytes of data like SSH, the tiny ripples of extremely esoteric attacks become a reasonable thing to address as a feature improvement. Do I need this feature for my personal threat model or even the threat model of my company? No probably not... But it doesn't hurt to have it either.
This feature raises the cost of attacking the software, and may dissuade different attacker from even trying. Most of practical security is more about making attacks expensive enough that they attacker will have to spend more than the value of what they would obtain if they were able to break into it and this change helps keep that high watermark well above those thresholds.
For software that does have ongoing feature creep this process is a lot slower but does seem to happen for opensource projects specifically that can survive their infancy sufficiently long enough to become foundational components like SSH and Curl. I've never seen this level stability from closed source software.
The statistical analysis described earlier works better when you have samples of a person's typing to try and learn whats been sent, but the acoustic work has raised some concerns that ML techniques can be used on just packet timings to determine what's been typed without a pre-determined signature. There's also concern that all that telemetry programs and sites send about you may be abused to build a signature of your typing patterns as well.
There was a recent research paper shared here where it was claimed using keystroke timing and some AI, researchers could predict the password with significant accuracy.
> This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.
So does it send these phantom keystrokes only when there are real keystrokes?
On first reading I thought it sends periodic+random keystrokes and so {Client,Server}AliveInterval option(s) may not be required to keep the connection alive. Need to try and confirm the behaviour.
This version also changes ssh-keygen to generate ed25519 keys by default. Time to update scripts that generate keys without a '-t' arg.
Meh. RSA is only used to sign things in SSH and the keys used are generated in a conventional way and with the parameters you'd be told to pick (e.g. exponent 65537)
I'd say at this point the risk of silly goofs in the curve code is similar to the risk from RSA given how well understood it is.
https://news.ycombinator.com/item?id=37307708 (258 comments)