RE: Security Practices

• Previous message: Nigel Stepp: "Re: Security Practices"
• Maybe in reply to: David Busby: "Security Practices"
• Next in thread: Bryan McAninch: "RE: Security Practices"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 17 May 2005 11:14:47 -0600
To: "David Busby" <busby@edoceo.com>

It sounds like you're well into the territory where the ciphers you use
are no longer the weakest link.

Spending more time on server hardening and host IDS; examining the long
term storage of the sensitive data; disabling features of the ssh server
you're not going to use (port forwarding, X11 forwarding, sftp - depends
on your requirements); requiring public key authentication rather than
passwords (if you can be sure your users will keept their private keys
encrypted at their end); all will get you more benefit.

On the cipher front though - CBC and CTR use different methods of
setting the initialization vector for the block cipher operations. Both
are perfectly reasonable modes of AES. Using 4096 bit RSA keys certainly
won't do any harm (except slow down session establishment at bit), but
it won't get you much practical benefit over 2048 either. Using SHA-1
MACs only might make a meaningful difference, however, as MD5 is getting
a bit old and hoary.

Regards
Mark

> -----Original Message-----
> From: David Busby [mailto:busby@edoceo.com]
> Sent: May 16, 2005 23:28
> To: secureshell@securityfocus.com
> Subject: Security Practices
>
> List,
> I'm trying to get my a sshd setup as secure as possible,
> some folks I know what to send financial data over this.
> Right now I've got 2048bit RSA keys, aes256-cbc cipher
> (only), but all the MACs. I'm thinking that I'll make my key
> 4096bits to add some security. Which cipher is the best? I
> picked AES256 cause I believe AES to be the best, 256 was the
> largest. What is the difference between CBC and CTR? MAC of
> hmac-md5 is the best choice there correct? Assume best means
> most secure even at the sacrifice of performance. Thanks!
>
> imperium bin # ssh -V
> OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004 imperium bin #
> uname -a Linux imperium 2.6.10-gentoo-r6-edoceo #4 Sun May 1
> 03:48:25 PDT 2005
> i686 AMD Athlon(TM) XP 1700+ AuthenticAMD GNU/Linux
>
> /djb
>

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

• Previous message: Nigel Stepp: "Re: Security Practices"
• Maybe in reply to: David Busby: "Security Practices"
• Next in thread: Bryan McAninch: "RE: Security Practices"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]