<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TR8PWW" height="0" width="0" style="display:none;visibility:hidden">

Elliptic Curves and More: Universal SSH Key Manager Version 1.3.3

By Roman Hernandez on September, 7 2014
Roman Hernandez

Solutions Manager, Universal SSH Key Manager
Roman has been with SSH Communications Security for over 10 years and has held various positions of increasing responsibility in R&D and product management. Currently, Roman is the Solutions Manager for the Universal SSH Key Manager product line and works hand-in-hand with Fortune 500 and Global 2000 IT security teams to ensure access to their critical data centers is secure and compliant. Prior to joining the company, he worked at Microsoft where he designed and developed software to automate scalability testing of the Passport (now Microsoft account) authentication service. Roman holds a Bachelor of Science degree in Computer Science from the Monterrey Institute of Technology and Higher Education in Monterrey, Mexico and a Master of Science degree in Telecommunications Software from Aalto University in Finland.

The latest version of Universal SSH Key Manager brings an important update: support for elliptic curve cryptography (ECC) keys. If you’re not familiar with ECC, suffice it to say that it’s an approach to public-key cryptography based on elliptic curves which is said to provide the same level of security as traditional RSA or DSA but with smaller key sizes while also using faster and lighter algorithms.

Why is support for ECC important? Because ECC algorithms have been gaining popularity and have become embedded into modern SSH implementations. It can no longer be ignored.

If you have an SSH key management solution which only supports RSA and DSA keys, you may think that you’re ok as long as you are not running any servers which support ECC. But be careful, because that won’t be the case for long.

OpenSSH introduced support for ECC in the form of ECDSA keys in version 5.7, and version 6.5 added support for ed25519 keys. Many may still have an impression that ECC keys are “fairly new”. This is most likely due to the slowness of most enterprise platforms in upgrading OpenSSH versions. For instance, RHEL 6 and earlier, Debian 6 and earlier, Ubuntu 10.10 and earlier, SuSE 11sp2 and earlier all ship with OpenSSH versions that do not yet support ECC. Based on this, you might think that Unix platforms are also lagging behind in OpenSSH version support, right? Well, not quite.

ECC keys actually are not that new anymore. OpenSSH 5.7 was released three and a half years ago. AIX 6.1 already comes with OpenSSH 6.0, HP-UX SecureShell supports it in version A.05.80 (available for all versions of HP-UX since 2011), SuSE added support for ECC in a service pack! (OpenSSH was upgraded from 5.1 in SuSE 11 service pack 2 to OpenSSH 6.2 in service pack 3) There is also the chance that somewhere in your environment, someone has upgraded the OpenSSH version in an older platform in order to get that new feature that came with a more recent OpenSSH release. How often do you monitor your SSH versions?

If I knew that SSH key usage was monitored in my environment but only for “standard” algorithms, using ECDSA keys would be a pretty good way to hide authorizations.

Making matters worse, there is no configuration option to disable use of ECC keys in versions of OpenSSH that support it (at least not without recompiling OpenSSH). You can only enable or disable public-key authentication as a whole. 

What this all means in practice is that one can no longer afford to rely on the flawed assumption that RSA and DSA are the only SSH keys that require monitoring and management. In order to properly manage your environment all of the key types that are allowed by the SSH servers in your environment (don’t forget SSH1 keys as well) need to be discoverable.

In addition to ECC support, Universal SSH Key Manager 1.3.3 adds support for Centrify SSH 2013 clients and servers as well as new managed OS support for Ubuntu Linux 12.04.

Submit a Comment

Stay up to date