Re: OpenSSH Using NONE as Cipher?

From: Richard E. Silverman (res_at_qoxp.net)
Date: 12/13/03

• Next message: Richard E. Silverman: "Re: SetUID GUI programs over SSH"
• Previous message: Michael Sierchio: "Re: Is it possible to sign ssh-keys with a trusted authority like Verisign ???"
• In reply to: Bill Unruh: "Re: OpenSSH Using NONE as Cipher?"
• Next in thread: Darren Tucker: "Re: OpenSSH Using NONE as Cipher?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 13 Dec 2003 00:35:17 -0500

>>>>> "BU" == Bill Unruh <unruh@string.physics.ubc.ca> writes:

    BU> ??? What is the point of using ssh or scp without a cypher? Just
    BU> use ftp, or rcp or whatever. It is NOT secure.

This point of view is much too simplistic; a connection is not just
"secure" or "not secure" as if flipping a light switch. An SSH-2
connection using a null encryption cipher still has:

- server authentication and man-in-the-middle attack protection
  (i.e. you know who you're talking to)

- cryptographically assured integrity protection (i.e. you know the data
  is passed unchanged from one end to the other)

- strong client authentication (assuming obvious mistakes aren't made,
  such as using password authentication over an unencrypted connection --
  most implementations disallow this)

So, if you don't care about privacy, but do care about these other
properties, then using SSH with a null encryption cipher makes perfect
sense. Similar motivations are behind the existence of AH mode in IPSec
as well as ESP. In particular, it makes *no* sense to compare unencrypted
SSH with "FTP, or rcp, or whatever;" these are entirely different.

-- 
  Richard Silverman
  res@qoxp.net

---

• Next message: Richard E. Silverman: "Re: SetUID GUI programs over SSH"
• Previous message: Michael Sierchio: "Re: Is it possible to sign ssh-keys with a trusted authority like Verisign ???"
• In reply to: Bill Unruh: "Re: OpenSSH Using NONE as Cipher?"
• Next in thread: Darren Tucker: "Re: OpenSSH Using NONE as Cipher?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: FTP vs. encryption ... I don't believe that FTP (this would not be a dial-up ... > connection) is any more secure than e-mail, but I need some source I ... FTP transmits files and passwords in clear, so it is not realy more secure ... (comp.security.misc) Re: FTP vs. encryption ... I don't believe that FTP (this would not be a dial-up ... > connection) is any more secure than e-mail, but I need some source I ... FTP transmits files and passwords in clear, so it is not realy more secure ... (comp.security.misc) Re: How 2 secure PC-PC data transfer ... The assumption that you are going to open your machine to attack is one of the worst ideas ... I have no idea what you mean by "not that secure". ... connecting a parallel port cable from PC to PC will work. ... If you have a front-end software that blocks all incoming FTP requests from the WAN (look ... (microsoft.public.vc.mfc) Re: Not able to Ftp ... I was also looking at the missing challenge from the local security. ... Subject: Not able to Ftp ... 220 Connection will close if idle for more than 5 minutes. ... Search the archives at http://bama.ua.edu/archives/ibm-main.html ... (bit.listserv.ibm-main) Re: Not able to Ftp ... Subject: Not able to Ftp ... I have executed the given command: the output are as below: ... connection. ... Search the archives at http://bama.ua.edu/archives/ibm-main.html ... (bit.listserv.ibm-main)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.ssh  > 2003-12