Solved

encryption robustness

Posted on 2002-07-03
13
321 Views
Last Modified: 2010-04-20
Hi Glenn,

1)what tool/package should i use in order to get my RSA PUBLIC/PRIVATE KEYS? i only know how to generate a pair of public/private keys using GnuPG, but don't know if they are RSA keys...

this question was in the other post but hasn't been answered...

2) "You might try to "up" the number of key bits somewhat in /etc/ssh/sshd.conf (if your "server side" is linux/OpenSSH)."

unfortunately i don't have control over that "server side".

i remember that if i encrypt a file using gpg by 1024bits, it would be theoretically impossible to decrypt it(or way too expensive). so compared with that, how robust is ssh(as a secured terminal)?

3) regarding putty configuration:
"prefered ssh protocol version"---should i choose 1 or 2?

"enable compression"---should i tick it for more security?

"prefered encryption algorithm"---which one can give me higher security? 3DES, blowfish or DES?

and i just can't make the fonts bigger. nor can i change the background/foreground color... argh!

Thanks,
KEN
(btw, can you tell me your email address? all the posts are in plain texts and there's no security at all. so maybe i should ssh and then email you from a shell account)
0
Comment
Question by:ken021600
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
13 Comments
 
LVL 20

Accepted Solution

by:
Gns earned 50 total points
ID: 7127270
1) Yes it was. Openssl.

2) Very robust.

At protocol level 1 each host has a 1024 bit RSA key used for identification, and the server generates a "server" key (also RSA) that normally is 768 bits (this key usually gets regenerated every hour, or upon use, and is never stored to disk). Upon connection, the client tries to verify that the server is who it claims (the 1024 key is intact from the last time). The client then generates a 256 bit random number encrypt it with both (RSA) keys and send back to the server. This random number is then used as the session key with the symmetric algorithm, either 3DES or Blowfish (3DES being the default). After this (the "tunnel" is now established) the actual user authentication takes place (.rhost, .rhosts with RSA host auth, RSA challange-response or plain ol' password authentication).

Protocol level 2 is similar, but use only one DSA server (identification) key, and relies on a Diffie-Hellman key exchange (key agreement) to establish the session key. You also have more choice as to the symmetric cipher used for the session (128 bit keys: AES, 3DES, Blowfish, CAST128 or Arcfour. 192 bit: AES. 256 bit: AES). At leve 2 the insecure .rhosts methods have been ditched/replaced by public key user or host authentication, and retaining the password and challage-response methods.

So, to sum it all up, if you don't use some of the more stupid settings, both provide very good protection (on par with GnuPG). Protocol level 2 use more modern algorithm and methods.
Which leads us to...

3) Protocol level 2. No, not for security (you might want it for other reasons though;). Listed worst -> best: DES, 3DES, Blowfish, AES (this is just an opinion;-).

Hm, what version of putty is that? My development snapshot as of 2001-08-04 (yeah! not that new) has AES and some other nice-looking features... oh, just looked at version 0.51 which looks more like what you describe ken.

-- Glenn
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7127309
> prefered ssh protocol version
2 (even the encryption is not stronger, 1 is know for vulnerabilities)

> "enable compression"---should i tick it for more security?
AFAIK, compression is marked in the packet, so it does not increase security
If you tick it, you just decrease the amount of data send, but increase the required computing power on both ends.
0
 

Author Comment

by:ken021600
ID: 7128381
OK i got it.

before closing this post, can i ask another quick question?

is it secure to upload files to a site using ttssh and zmodem? I only find "telnet","ssh" and "other" in ttssh's menu and there's "scp", so i guess the answer is no...

i want a client which provides secure uploading/downloading and supports xyzmodem under windows...any comments?

Thanks,
KEN
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 20

Expert Comment

by:Gns
ID: 7129361
I haven't used ttssh, so I'll have to defer to ahoffmanns expertise on this. Even if it would be OK, why bother? You have scp (ssh enhance rsh:), which is enough.

What you can do is to take any xyzmodem ip-enabled program, and "route" the traffic through your ssh "tunnel". Either do it more or less as suggested in the VPN mini HOWTO (http://www.tldp.org/HOWTO/VPN-HOWTO/index.html), or look at how it's done for vnc (http://www.uk.research.att.com/vnc/sshvnc.html). You might also want to look at MindTerm (a Java SSH client, that only needs a JRE 1.1.x. Unfortunately payware) at http://www.tldp.org/HOWTO/MindTerm-SSH-HOWTO/index.html .

-- Glenn
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7129362
hmm have seen this question (xyzmodem) couple of days before ...

If you have a ssh connection, then using anything inside the tunnel is secure. You also may use scp then (ttsh does not have it, but putty)
About the xyzmodem in ttssh I am unshure.
0
 

Author Comment

by:ken021600
ID: 7133611
sorry it took me a while to reply.

my hats off to both of you. i only hope one day i will be as knowledgeable as you...

i've got a few more questions coming up and i'll post them to "Linux" board. Please give me a hand if you have the time. :)

cheers,
KEN
0
 
LVL 20

Expert Comment

by:Gns
ID: 7138891
No worries ken.

I'm on vacation during the next three weeks, so I'll probably miss those new questions (probably redo most of the house...sigh), but as you've no doubt noticed, there is an abundance of knowledge at EE/Linux*, so you'll probably get first class aid from ahoffmann, Jim Levie et al without me. Heck, you'll probably get better answers ;-).

-- Glenn
0
 

Author Comment

by:ken021600
ID: 7140369
Have a good rest and i'm looking forward to seeing you...

enjoy your vacation, to the hilt!

cheers,
KEN
0
 
LVL 20

Expert Comment

by:Gns
ID: 7153716
I'm trying, though I was stupid enough to bring the lil' ol' laptop with me... The weather is great though, and the beer is cool....:-)

-- Glenn
0
 

Author Comment

by:ken021600
ID: 7153870
"no worries"...? are you from oz?

hooroo,
KEN
0
 
LVL 20

Expert Comment

by:Gns
ID: 7166501
Nope, from Sweden (just the other side of the globe:-).

I don't pass every little comment through the spellchecker though.

-- Glenn
0
 

Author Comment

by:ken021600
ID: 7222283
according to the latest statistics, there are more than 45 million people accessing the net...that's a -lot- of people. actually i was shocked coz i thought 30 million was a very big number...:)

KEN
0
 
LVL 20

Expert Comment

by:Gns
ID: 7222306
If you're "down under" Ken, isn't thsi in the middle of the night?

Go to bed man, you need the sleep:-).

-- Glenn
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question