New version of SSH in the works

Secure Shell (SSH), the cryptographic network protocol used to provide confidentiality of data over unsecured networks such as the Internet, is headed for a makeover to address security and management problems associated with the proliferation of poorly managed SSH keys.

“Hundreds of thousands, even over a million SSH keys authorizing access have been found from the IT departments of many large organizations,” according to a recently released draft document from the Internet Engineering Task Force (IETF) which was co-authored by Tatu Ylonen, CEO of SSH Communications Security and the inventor of the cryptographic protocol. “This is many times more than they have interactive users. These access-granting credentials have largely been ignored in identity and access management, and present a real risk to information security.”

Ylonen, who developed SSH back in 1995, said it may take two years to obtain widespread adoption of the new version of the protocol, so backward compatibility is important. SSH2, the last major version of the protocol, came out in 2006.

SSH is used as a network protocol for secure data communications, remote shell service or command execution and other secure network services between two networked computers that connect through a secure channel over an insecure network.


The IETF document released this month includes recommendations for security policy makers for ensuring that automated access and SSH keys are dealt with in an organization’s security policy. The requirements, the document said, take into account the need to tackle security issues as well as to keep costs at a “reasonable” level.

Among the processes outlined in the document are:

– A process for discovering who has access to what

– Bringing existing IT environments under control with respect to automated access and SSH keys

– Moving authorized keys to protected locations

– Removing unused keys or those without valid purposes

– Associating authorized keys with a business process or application

– Introducing restrictions on what can be done with authorized keys

– A process for continuous monitoring and control of keys
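The first, fourth and sixth items above (discovering who has access, spotting keys that should be removed, and checking what each key is allowed to do) can be started with a simple audit of an OpenSSH authorized_keys file. The following is an added example, not code from the article, the IETF draft or SSH Communications Security; the sample entries, user names, hosts and key blobs are constructed placeholders.

```python
import base64
import hashlib

# Options that limit what an authorized key may do (sshd(8), AUTHORIZED_KEYS FILE FORMAT).
RESTRICTING = {"from", "command", "restrict", "no-port-forwarding", "no-pty",
               "no-agent-forwarding", "no-x11-forwarding", "permitopen"}
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256, ...

def parse_line(line):
    # One authorized_keys entry -> dict; None for blank lines and comments.
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    names, cur, quoted, i = set(), "", False, 0
    if not line.startswith(KEY_PREFIXES):  # leading options run up to the first unquoted space
        while i < len(line) and (quoted or not line[i].isspace()):
            ch = line[i]; i += 1
            quoted ^= ch == '"'
            if ch == "," and not quoted:  # an unquoted comma ends one option
                names.add(cur.split("=", 1)[0].lower()); cur = ""
            else:
                cur += ch
        names.add(cur.split("=", 1)[0].lower())
    rest = line[i:].split(None, 2)
    if len(rest) < 2 or not rest[0].startswith(KEY_PREFIXES):
        raise ValueError("malformed entry: %r" % line[:40])
    digest = hashlib.sha256(base64.b64decode(rest[1])).digest()  # OpenSSH-style SHA256 fingerprint
    return {"type": rest[0], "comment": rest[2] if len(rest) == 3 else "", "options": names,
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            "restricted": bool(names & RESTRICTING)}

def audit(text):
    # Report keys that carry no usage restriction and keys that are authorized more than once.
    report, seen = {"unrestricted": [], "duplicates": []}, set()
    for e in filter(None, map(parse_line, text.splitlines())):
        if not e["restricted"]:
            report["unrestricted"].append(e["comment"] or e["fingerprint"])
        if e["fingerprint"] in seen:
            report["duplicates"].append(e["fingerprint"])
        seen.add(e["fingerprint"])
    return report

# Constructed sample authorized_keys content; users, hosts and key blobs are invented placeholders.
SAMPLE = "\n".join([
    'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 a2V5IEE= backup@db01',
    "ssh-rsa a2V5IEI= deploy@ci",
    "ssh-rsa a2V5IEI= deploy@ci-old",  # the same key authorized a second time
    "restrict,pty ssh-ed25519 a2V5IEM= ops@jump",
])
```

Running `audit(SAMPLE)` lists the two unrestricted `deploy@...` entries and one duplicated fingerprint; on a real host the same function can be fed each user's authorized_keys file in turn.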

Ylonen also said that his company will release next month a free key discovery tool that will enable users to collect SSH key information throughout their IT environments so that they can assess their risk exposure.

The SSH Risk Advisor will help users identify where SSH is being used and the SSH keys that may have proliferated.
