TY - GEN
T1 - A deeper understanding of SSH
T2 - IEEE/IFIP Network Operations and Management Symposium: Management in a Software Defined World, NOMS 2014
AU - Gasser, Oliver
AU - Holz, Ralph
AU - Carle, Georg
PY - 2014
Y1 - 2014
N2 - Until recently, relatively little was known about the characteristics of the SSH protocol on the Internet, until two larger studies analysed the cryptographic properties of SSH host keys and identified weaknesses in a number of SSH devices. However, there is no succinct, comprehensive image yet of how the SSH landscape looks from the point of view of deployment practices, especially with respect to key management. In this paper, we present the results of Internet-wide SSH scans that we carried out over a period of 7 months, which resulted in the largest data set to date. We enriched our data set with large-scale mappings obtained from DNS scans, AS and WHOIS lookups, and a geo-IP database. We analysed the distribution of server and protocol versions, and found that while SSH 2 has displaced SSH 1, the rate of software updates seems to be slow. We analysed the mentioned cryptographic weaknesses and found they have become fewer, but continue to persist one year after the disclosure. Finally, we investigated the reasons for duplicate yet cryptographically strong keys. We found these are used in very different setups at varying degrees of security. Some are indeed dangerous weaknesses, others are the result of a careful and centralised setup. By example of the ten most common keys, we show the circumstances in which they occur and assess the security of each deployment. Finally, we analysed the deployment of ciphers and associated key lengths and found good results in terms of security. As our scans are of a sensitive nature, we also document the ethical considerations that guided us.
AB - Until recently, relatively little was known about the characteristics of the SSH protocol on the Internet, until two larger studies analysed the cryptographic properties of SSH host keys and identified weaknesses in a number of SSH devices. However, there is no succinct, comprehensive image yet of how the SSH landscape looks from the point of view of deployment practices, especially with respect to key management. In this paper, we present the results of Internet-wide SSH scans that we carried out over a period of 7 months, which resulted in the largest data set to date. We enriched our data set with large-scale mappings obtained from DNS scans, AS and WHOIS lookups, and a geo-IP database. We analysed the distribution of server and protocol versions, and found that while SSH 2 has displaced SSH 1, the rate of software updates seems to be slow. We analysed the mentioned cryptographic weaknesses and found they have become fewer, but continue to persist one year after the disclosure. Finally, we investigated the reasons for duplicate yet cryptographically strong keys. We found these are used in very different setups at varying degrees of security. Some are indeed dangerous weaknesses, others are the result of a careful and centralised setup. By example of the ten most common keys, we show the circumstances in which they occur and assess the security of each deployment. Finally, we analysed the deployment of ciphers and associated key lengths and found good results in terms of security. As our scans are of a sensitive nature, we also document the ethical considerations that guided us.
UR - http://www.scopus.com/inward/record.url?scp=84904179337&partnerID=8YFLogxK
U2 - 10.1109/NOMS.2014.6838249
DO - 10.1109/NOMS.2014.6838249
M3 - Conference contribution
AN - SCOPUS:84904179337
SN - 9781479909131
T3 - IEEE/IFIP NOMS 2014 - IEEE/IFIP Network Operations and Management Symposium: Management in a Software Defined World
BT - IEEE/IFIP NOMS 2014 - IEEE/IFIP Network Operations and Management Symposium
PB - IEEE Computer Society
Y2 - 5 May 2014 through 9 May 2014
ER -