Re: OpenSSH Using NONE as Cipher?

From: Richard E. Silverman (res_at_qoxp.net)
Date: 12/13/03


Date: 13 Dec 2003 00:35:17 -0500


>>>>> "BU" == Bill Unruh <unruh@string.physics.ubc.ca> writes:

    BU> ??? What is the point of using ssh or scp without a cypher? Just
    BU> use ftp, or rcp or whatever. It is NOT secure.

This point of view is much too simplistic; a connection is not just
"secure" or "not secure" as if flipping a light switch. An SSH-2
connection using a null encryption cipher still has:

- server authentication and man-in-the-middle attack protection
  (i.e. you know who you're talking to)

- cryptographically assured integrity protection (i.e. you know the data
  is passed unchanged from one end to the other)

- strong client authentication (assuming obvious mistakes aren't made,
  such as using password authentication over an unencrypted connection --
  most implementations disallow this)

So, if you don't care about privacy, but do care about these other
properties, then using SSH with a null encryption cipher makes perfect
sense. Similar motivations are behind the existence of AH mode in IPSec
as well as ESP. In particular, it makes *no* sense to compare unencrypted
SSH with "FTP, or rcp, or whatever;" these are entirely different.

-- 
  Richard Silverman
  res@qoxp.net
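
Added example, not part of the original post: a minimal Python sketch of the SSH-2 binary packet layout (as specified in RFC 4253) with cipher "none" and an HMAC-SHA1 MAC, showing that the payload is readable on the wire while modification or reordering is still detected. The function names, the MAC key and the payload are constructed for illustration; in a real connection the MAC key comes from the key exchange.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8      # with cipher "none", packets are padded to a multiple of 8 bytes
MAC_LEN = 20   # HMAC-SHA1 output length


def _mac(mac_key: bytes, seqno: int, packet: bytes) -> bytes:
    # mac = MAC(key, sequence_number || unencrypted_packet)
    # The sequence number is implicit: both ends count packets, it is never sent.
    seq = struct.pack(">I", seqno & 0xFFFFFFFF)
    return hmac.new(mac_key, seq + packet, hashlib.sha1).digest()


def seal_packet(mac_key: bytes, seqno: int, payload: bytes) -> bytes:
    """Build one packet: length || padlen || payload || padding || mac."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:                      # at least 4 bytes of padding are required
        pad += BLOCK
    packet = struct.pack(">IB", 1 + len(payload) + pad, pad)
    packet += payload + os.urandom(pad)   # cipher "none": sent as-is
    return packet + _mac(mac_key, seqno, packet)


def open_packet(mac_key: bytes, seqno: int, wire: bytes) -> bytes:
    """Verify the MAC, then return the payload; raise ValueError on mismatch."""
    packet, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seqno, packet)):
        raise ValueError("MAC mismatch: packet altered or out of sequence")
    length, pad = struct.unpack(">IB", packet[:5])
    return packet[5:5 + length - pad - 1]


def rejected(mac_key: bytes, seqno: int, wire: bytes) -> bool:
    try:
        open_packet(mac_key, seqno, wire)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = os.urandom(MAC_LEN)                    # constructed MAC key
    data = b"constructed payload, visible to any eavesdropper"
    wire = seal_packet(key, 3, data)
    print("payload readable on the wire:", data in wire)
    flipped = bytearray(wire)
    flipped[10] ^= 0x01                          # one bit changed in transit
    print("modified packet rejected:", rejected(key, 3, bytes(flipped)))
    print("replayed at wrong sequence rejected:", rejected(key, 4, wire))
```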

