RE: audit perspective: proof that all connections are encrypted

From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 09/16/05

  • Next message: Joseph Vaughn: "sftp question"
    Date: Fri, 16 Sep 2005 09:30:49 -0600
    To: <secureshell@securityfocus.com>
    
    

    Hi

    Ciphers applies to the symmetric cipher for the communication channel,
    MACs applies to the message authentication method for the communication
    channel. The key establishment and host authentication methods are not
    configurable, and do use sound cryptographic methods. I don't believe
    it is possible to force openssh's sshd to accept unencrypted
    communications, no matter how hard you try.

    The key establishment methods, ciphers, and MACs used in both protocol
    versions are described in the first paragraphs of the openssh sshd man
    page (http://www.openbsd.org/cgi-bin/man.cgi?query=sshd).

    Ciphers and MACs options in the config file apply to protocol version 2
    only - protocol version 1 uses 3DES or Blowfish only for the cipher, and
    CRC only for the MAC. CRC is not a cryptographically sound MAC, and
    this is one of the major reasons to disable all use of version 1 if you
    can possibly get away with it in your organization.

    Regards
    Mark
     

    > -----Original Message-----
    > From: Florin Andrei [mailto:florin@andrei.myip.org]
    > Sent: September 15, 2005 17:06
    > To: secureshell@securityfocus.com
    > Subject: audit perspective: proof that all connections are encrypted
    >
    > I have what's perhaps a slightly unusual question.
    >
    > Suppose company X is going through an audit (think: SOX).
    > Suppose one of the questions that the auditors ask is: "we
    > want proof that all your remote access devices only allow
    > encrypted connections, not plaintext".
    >
    > With a VPN concentrator, that's easy: you show them the
    > encryption algorithms that are enabled, show them that
    > plaintext is a disabled option and they're happy.
    >
    > But how about openssh? Which is the config item in
    > sshd_config that says "if the client does not agree with all
    > these encryption schemes, all of which are not plaintext,
    > terminate the connection"?
    >
    > Essentially, we have to prove that plaintext is rejected by
    > the server.
    >
    > Any connection with the Ciphers and MACs options in sshd_config?
    >
    > Hopefully I'm making myself understood. This is not a
    > strictly technical question, it's somewhere on the border
    > between technical issues and legal issues. I need an answer
    > that will satisfy people who are not geeks - if I'm being
    > sent in the right direction I can build a coherent response
    > myself (hopefully) but I need a starting point.
    >
    > I believe that this kind of issue will become more common in
    > the near future, as the practice of auditing will extend to
    > more and more companies.
    >
    > Thanks,
    >
    > --
    > Florin Andrei
    >
    > http://florin.myip.org/
    >
    >

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.


  • Next message: Joseph Vaughn: "sftp question"

    Relevant Pages