Category Archives: Encryption

How to Verify OpenSSH Source

Download the source, signature, and old key from http://www.openssh.com/portable.html. I picked 3 different mirrors:

Download the current key from the MIT PGP Public Key Server at 0xD3E5F56B6D920D30.

Verify the current key is signed with the old key:

Kenjis-MacBook-Air:ssh kenji$ gpg --import DJM-GPG-KEY.asc

gpg: key 86FF9C48: "Damien Miller (Personal Key) <[email-removed]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Kenjis-MacBook-Air:ssh kenji$ gpg --import 0xD3E5F56B6D920D30.asc

gpg: key 6D920D30: public key "Damien Miller <[email-removed]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Kenjis-MacBook-Air:ssh kenji$ gpg --check-sigs 0xD3E5F56B6D920D30

pub   3200R/6D920D30 2013-12-10 [expires: 2021-01-01]
uid                  Damien Miller <[email-removed]>
sig!         86FF9C48 2013-12-10  Damien Miller (Personal Key) <[email-removed]>
sig!3        6D920D30 2013-12-10  Damien Miller <[email-removed]>
sub   3200R/672A1105 2013-12-10 [expires: 2021-01-01]
sig!         6D920D30 2013-12-10  Damien Miller <[email-removed]>

Verify the signature of the OpenSSH source:

Kenjis-MacBook-Air:ssh kenji$ gpg --verify openssh-7.1p2.tar.gz.asc openssh-7.1p2.tar.gz

gpg: Signature made Wed Jan 13 17:13:46 2016 PST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <[email-removed]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30

Full Process

Download the OpenSSH source, signature, and old key as described above.

Use pgpdump to determine the full Key ID used to sign the tarball.

Kenjis-MacBook-Air:pgpdump-0.29 kenji$ ./pgpdump openssh-7.1p2.tar.gz.asc 
Old: Signature Packet(tag 2)(428 bytes)
	Ver 4 - new
	Sig type - Signature of a binary document(0x00).
	Pub alg - RSA Encrypt or Sign(pub 1)
	Hash alg - SHA512(hash 10)
	Hashed Sub: signature creation time(sub 2)(4 bytes)
		Time - Wed Jan 13 17:13:46 PST 2016
	Sub: issuer key ID(sub 16)(8 bytes)
		Key ID - 0xD3E5F56B6D920D30
	Hash left 2 bytes - d2 4c 
	RSA m^d mod n(3197 bits) - ...
		-> PKCS-1

If you don’t have pgpdump, gpg --verify shows the short (32-bit) key ID:

Kenjis-MacBook-Air:ssh kenji$ gpg --verify openssh-7.1p2.tar.gz.asc openssh-7.1p2.tar.gz
gpg: Signature made Wed Jan 13 17:13:46 2016 PST using RSA key ID 6D920D30
gpg: Can't check signature: public key not found

Or you can parse the signature packet manually, as described below.

Download the signature key from the MIT PGP Public Key Server at 0xD3E5F56B6D920D30.

The OpenSSH mailing list (https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-December/031905.html) shows that Damien Miller is the signer of the portable source. Search for all of his keys on the MIT Key Server at https://pgp.mit.edu/pks/lookup?search=Damien+Miller&op=index. This shows 0xD3E5F56B6D920D30 and 0xCE8ECB0386FF9C48 (i.e. DJM-GPG-KEY.asc) belonging to Damien Miller. Even though 0xCE8ECB0386FF9C48 is listed as revoked, I think the keys can be trusted, because DJM-GPG-KEY.asc continues to be posted on the OpenSSH mirrors and the creation date of 0xD3E5F56B6D920D30 is consistent with the mailing list announcement.

Verify the signature on the current key and the source as described above.
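The gpg --verify output above only names the 32-bit short key ID (6D920D30) and prints a trust warning, so a script that greps for "Good signature" is not enough. The check a practitioner wants is: read gpg's machine-readable status lines (gpg --status-fd 1) and compare the full 160-bit fingerprint against a pinned value. The following is an added example written for this post, not OpenSSH or GnuPG code; the status lines it parses are constructed from the values shown on this page (the fingerprint printed by gpg --verify, the signature time, the "public key not found" case), and it assumes gpg is on PATH only for the optional verify_tarball helper.

```python
"""Check a detached OpenPGP signature against a pinned full fingerprint.

Added example for this post (not OpenSSH or GnuPG code). Instead of trusting
the short key ID in the human-readable output, read gpg's status lines
("[GNUPG:] KEYWORD args...") and require a VALIDSIG whose fingerprint equals
the one we pinned out of band.
"""
import subprocess
from typing import List, Tuple

# Full fingerprint of 0xD3E5F56B6D920D30, as printed by gpg --verify above.
EXPECTED_FPR = "59C2118ED206D927E667EBE3D3E5F56B6D920D30"


def parse_status(output: str) -> List[Tuple[str, List[str]]]:
    """Turn '[GNUPG:] KEYWORD arg...' lines into (keyword, args) tuples."""
    records = []
    for line in output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore any interleaved human-readable text
        parts = line[len("[GNUPG:] "):].split()
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def check_signature(status_output: str, expected_fpr: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if gpg reported a VALIDSIG whose
    fingerprint equals expected_fpr (case-insensitive, spaces ignored)."""
    want = expected_fpr.replace(" ", "").upper()
    valid_fprs = []
    for keyword, args in parse_status(status_output):
        if keyword == "BADSIG":
            return False, "BADSIG: signature does not match the data"
        if keyword == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc> ...
            # rc 9 means the public key is not in the keyring.
            rc = args[5] if len(args) > 5 else "?"
            return False, f"ERRSIG: could not check signature (rc={rc})"
        if keyword == "VALIDSIG" and args:
            valid_fprs.append(args[0].upper())  # first field is the fingerprint
    if not valid_fprs:
        return False, "no VALIDSIG line in gpg status output"
    if want in valid_fprs:
        return True, f"valid signature from pinned key {want}"
    return False, f"valid signature, but from unexpected key(s) {valid_fprs}"


def verify_tarball(sig_path: str, data_path: str,
                   expected_fpr: str = EXPECTED_FPR) -> Tuple[bool, str]:
    """Run gpg (assumed to be on PATH) with status output on stdout and apply
    check_signature to it. Never trust the exit code alone."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return check_signature(proc.stdout, expected_fpr)


# Constructed sample: status lines for the good signature shown above
# (fingerprint, date and timestamp 0x5696f64a = 1452734026 are from the page).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D3E5F56B6D920D30 Damien Miller
[GNUPG:] VALIDSIG 59C2118ED206D927E667EBE3D3E5F56B6D920D30 2016-01-13 1452734026 0 4 0 1 10 00 59C2118ED206D927E667EBE3D3E5F56B6D920D30
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample: the "Can't check signature: public key not found" case.
SAMPLE_NOKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D3E5F56B6D920D30 1 10 00 1452734026 9
[GNUPG:] NO_PUBKEY D3E5F56B6D920D30
"""

if __name__ == "__main__":
    print(check_signature(SAMPLE_GOOD, EXPECTED_FPR))
    print(check_signature(SAMPLE_NOKEY, EXPECTED_FPR))
```

Pinning the fingerprint in the script is what makes the "not certified with a trusted signature" warning harmless: the trust decision is made once, when the fingerprint is recorded from the mailing list and the old key's signature, not at every download.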

PGP Signature Parsing

Extract the raw signature:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=
=0gQS
-----END PGP SIGNATURE-----

Copy this into a file.

Convert the base64 to binary (base64 -D on macOS; use base64 -d with GNU coreutils) and view it in a hex editor:

base64 -D <file> | xxd
0000000: 8901 ac04 0001 0a00 0605 0256 96f6 4a00  ...........V..J.
0000010: 0a09 10d3 e5f5 6b6d 920d 30d2 4c0c 7d17  ......km..0.L.}.
0000020: 7cbb 53fc f910 d7a0 5df6 ba1b 4ec1 0018  |.S.....]...N...
0000030: df57 09cf 6801 7f68 e705 5fc1 133c 4134  .W..h..h.._..<A4
0000040: 2be9 39b1 3d10 208c c962 b445 20a3 1d00  +.9.=. ..b.E ...
0000050: 717f 0a16 e187 6400 0ac1 6716 dec5 7b54  q.....d...g...{T
0000060: 7d73 a551 d701 d5c7 383a a82f bee7 e4b4  }s.Q....8:./....
0000070: cb79 b718 35ed 548a bfcb 48db 7982 4f42  .y..5.T...H.y.OB
0000080: 1bb3 7769 a73f 8f34 01f6 2f37 0a59 35db  ..wi.?.4../7.Y5.
0000090: 1ebe cf43 3638 aae7 d9df 7e91 e800 cab9  ...C68....~.....
00000a0: 7a9f 5050 cdc7 ba0b 1227 a14e b482 ec08  z.PP.....'.N....
00000b0: 4833 759a 82ab f675 1049 3645 bf0a 2df0  H3u....u.I6E..-.
00000c0: a969 d343 a20e 0f90 3ffc 40cb 556d 12a9  .i.C....?.@.Um..
00000d0: 0d7f e27e e658 19a4 a224 70d3 1cc5 c519  ...~.X...$p.....
00000e0: e71c a8e1 c081 aac2 3e68 3a80 c5cd 939a  ........>h:.....
00000f0: e97b 4e70 8c21 f555 de99 3979 1aaf 996a  .{Np.!.U..9y...j
0000100: 2691 140d 5344 7b15 5d54 f54e 0494 801d  &...SD{.]T.N....
0000110: ccbb 2dcf c8e1 4798 7119 94bc 9f3e b355  ..-...G.q....>.U
0000120: fd68 e857 5f33 a2c5 4677 67a0 181f 232b  .h.W_3..Fwg...#+
0000130: ac73 7eda 4f7a 8567 7625 8fc1 2233 e761  .s~.Oz.gv%.."3.a
0000140: 3ac4 1b68 0955 ebd2 4b23 cf7c 1b83 1fbd  :..h.U..K#.|....
0000150: 34e5 45e7 c668 d7d7 8de8 d7f5 1f81 0fdc  4.E..h..........
0000160: ad1a 3439 e333 996c 072a 6118 6939 5bbb  ..49.3.l.*a.i9[.
0000170: 1051 cd2e e18b f0e1 16dc f551 95f0 8fd9  .Q.........Q....
0000180: 49d7 70e5 63eb a0d4 179a c3b4 e9e3 b67b  I.p.c..........{
0000190: 2f0f 3942 3809 a293 7bc5 167d cef8 3179  /.9B8...{..}..1y
00001a0: 05f7 79bc 303e d576 6078 9580 ac16 2f    ..y.0>.v`x..../
Packet Tag: 0x89 = Old Format Packet, Tag = 2, 2 octet packet length
Packet Length: 0x01AC = 428 bytes
Signature Version: 0x04 = Version 4
Signature Type: 0x00 = Binary Signature
Signature Algorithm: 0x01 = RSA
Hash Algorithm: 0x0A = SHA-512
Hashed Subpacket(s) Size: 0x0006 = 6 bytes
Hashed Subpacket: 0x05025696f64A
   Size: 0x05 = 5 bytes
   Type: 0x02 = Signature Creation Time
   Time: 0x5696f64a = Wed Jan 13 17:13:46 PST 2016
Unhashed subpacket(s) size: 0x000A = 10 bytes
Unhashed subpacket: 0x09 10D3 E5F5 6B6D 920D 30
   Size: 0x09 = 9 bytes
   Type: 0x10 = 16 = Issuer Key ID (the subpacket pgpdump reported above as "issuer key ID(sub 16)")
   Key ID: D3E5F56B6D920D30
Left 16 bits of hash: 0xD24C
MPI Length: 0x0C7D = 3197 bits = 400 bytes
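The manual walk above is exactly what a small RFC 4880 packet parser does. The following is an added example written for this post, not pgpdump or GnuPG code: it parses the old-format packet header, the version 4 signature fields, both subpacket areas (including the 1-, 2- and 5-octet subpacket length forms), the left 16 bits of the hash and the MPI bit count. Its input is the first 31 bytes of the xxd dump above; the 400-byte RSA MPI body is deliberately omitted from the sample, so the parser reports how many MPI bytes it expects rather than reading them.

```python
"""Parse the header of the OpenPGP (RFC 4880) signature packet dumped above.

Added example for this post; not pgpdump or GnuPG code. Sample bytes are the
packet header through the MPI bit count taken from the hex dump on the page;
the RSA MPI body itself is not included.
"""
from datetime import datetime, timezone

# First 31 bytes of the xxd output above (sample taken from the page).
SAMPLE_SIG = bytes.fromhex(
    "8901ac04 0001 0a00 0605 0256 96f6 4a00 0a09 10d3 e5f5 6b6d 920d 30d2 4c0c 7d"
)

PUB_ALGS = {1: "RSA (Encrypt or Sign)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def read_subpacket_len(buf: bytes, pos: int):
    """RFC 4880 5.2.3.1: subpacket length is 1, 2 or 5 octets long."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def parse_subpackets(area: bytes):
    """Return [(type, critical, body), ...] for a hashed or unhashed area.
    The length octet(s) count the type octet, hence the pos + 1 below."""
    pos, out = 0, []
    while pos < len(area):
        length, pos = read_subpacket_len(area, pos)
        type_octet = area[pos]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]))
        pos += length
    return out


def parse_signature_packet(buf: bytes) -> dict:
    tag_octet = buf[0]
    if not tag_octet & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    if tag_octet & 0x40:
        raise ValueError("new-format packet header not handled in this example")
    tag = (tag_octet >> 2) & 0x0F          # old format: tag in bits 5..2
    length_type = tag_octet & 0x03         # bits 1..0: 0/1/2 => 1/2/4 length octets
    if length_type == 3:
        raise ValueError("indeterminate length not supported")
    length_size = {0: 1, 1: 2, 2: 4}[length_type]
    length = int.from_bytes(buf[1:1 + length_size], "big")
    pos = 1 + length_size
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version, sig_type, pub_alg, hash_alg = buf[pos:pos + 4]
    pos += 4
    if version != 4:
        raise ValueError(f"only v4 signatures handled, got v{version}")
    hashed_len = int.from_bytes(buf[pos:pos + 2], "big"); pos += 2
    hashed = parse_subpackets(buf[pos:pos + hashed_len]); pos += hashed_len
    unhashed_len = int.from_bytes(buf[pos:pos + 2], "big"); pos += 2
    unhashed = parse_subpackets(buf[pos:pos + unhashed_len]); pos += unhashed_len
    hash_left16 = buf[pos:pos + 2].hex().upper(); pos += 2
    mpi_bits = int.from_bytes(buf[pos:pos + 2], "big"); pos += 2
    mpi_bytes = (mpi_bits + 7) // 8
    info = {
        "packet_tag": tag, "packet_length": length, "version": version,
        "sig_type": sig_type, "pub_alg": PUB_ALGS.get(pub_alg, pub_alg),
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "hash_left16": hash_left16, "mpi_bits": mpi_bits, "mpi_bytes": mpi_bytes,
        "mpi_present": len(buf) - pos >= mpi_bytes,
        # The issuer key ID here sits in the UNHASHED area, i.e. it is not
        # covered by the signature: it is a lookup hint, not an authenticated claim.
        "issuer_in_hashed_area": any(t == 16 for t, _, _ in hashed),
    }
    for sp_type, _critical, body in hashed + unhashed:
        if sp_type == 2:                                   # signature creation time
            ts = int.from_bytes(body, "big")
            info["creation_time"] = ts
            info["creation_utc"] = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        elif sp_type == 16:                                # issuer key ID
            info["issuer_key_id"] = body.hex().upper()
    return info


if __name__ == "__main__":
    for key, value in parse_signature_packet(SAMPLE_SIG).items():
        print(f"{key}: {value}")
```

The parser also records whether the issuer key ID came from the hashed area. In this signature it is unhashed, which is the normal GnuPG layout, but it means the key ID is merely a hint for which key to fetch: only a successful RSA verification with that key proves who signed.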

DreamHost Private Key Format

When renewing my SSL/TLS certificate for my DreamHost shared hosting account, I generated a new 4096-bit RSA Private Key using OpenSSL 1.0.1e. I was surprised and confused when DreamHost reported "Invalid private key". I initially thought it was a problem with the 4096-bit key but found documentation indicating 4096 is a supported option.

I checked that my key was PEM formatted as expected, and finally realized what was wrong when I couldn’t create a self-signed cert using OpenSSL 0.9.8za and my brand new key: it was an incompatibility between the "-----BEGIN RSA PRIVATE KEY-----" (traditional PKCS#1) and "-----BEGIN PRIVATE KEY-----" (PKCS#8) variants of the PEM format. Once I realized this, it was a simple conversion using the command

openssl rsa -in private.key -inform PEM -out outfile.key -outform PEM

with OpenSSL 1.0.1. The in/out forms aren’t strictly necessary, but make the command a little clearer to read.
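To see what that openssl rsa command actually changes, here is an added example (written for this post; not DreamHost's validator and not OpenSSL code) that builds both PEM variants, tells them apart, and performs the same PKCS#8 to PKCS#1 unwrapping in pure Python with a minimal DER reader. The RSA numbers used are the textbook toy values p=61, q=53, constructed here only so the structures can be built without an external library; they are not a usable key.

```python
"""Distinguish the two PEM private-key variants and convert PKCS#8 to PKCS#1.

Added example for this post (not OpenSSL or DreamHost code).
"-----BEGIN PRIVATE KEY-----"     = PKCS#8 PrivateKeyInfo: SEQUENCE { version,
                                    AlgorithmIdentifier, OCTET STRING(key) }
"-----BEGIN RSA PRIVATE KEY-----" = bare PKCS#1 RSAPrivateKey SEQUENCE.
`openssl rsa -in in.key -out out.key` does exactly the unwrapping below.
"""
import base64
import re
import textwrap

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    # One extra byte when the high bit would be set keeps the INTEGER positive.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: first & 0x7F length octets
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def pkcs1_rsa_private_key(n: int, e: int, d: int, p: int, q: int) -> bytes:
    """DER-encode RSAPrivateKey (RFC 8017 A.1.2): version 0, n, e, d, p, q, dP, dQ, qInv."""
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    return der_tlv(0x30, b"".join(der_int(x) for x in (0, n, e, d, p, q, dp, dq, qinv)))


def pkcs8_wrap(pkcs1_der: bytes) -> bytes:
    """Wrap an RSAPrivateKey in PrivateKeyInfo (RFC 5208)."""
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + DER_NULL)
    return der_tlv(0x30, der_int(0) + alg_id + der_tlv(0x04, pkcs1_der))


def pkcs8_unwrap(pkcs8_der: bytes) -> bytes:
    """Extract the RSAPrivateKey bytes from an unencrypted PrivateKeyInfo."""
    tag, body, _ = read_tlv(pkcs8_der)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, _version, pos = read_tlv(body)          # INTEGER 0
    _, alg_id, pos = read_tlv(body, pos)       # AlgorithmIdentifier
    if alg_id[:len(RSA_ENCRYPTION_OID)] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, key_bytes, _ = read_tlv(body, pos)    # OCTET STRING holding RSAPrivateKey
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return key_bytes


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return (f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + f"\n-----END {label}-----\n")


def from_pem(pem: str):
    """Return (label, der); raises if no well-formed PEM block is present."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def to_pkcs1_pem(pem: str) -> str:
    """Equivalent of `openssl rsa -in private.key -out outfile.key` for unencrypted keys."""
    label, der = from_pem(pem)
    if label == "RSA PRIVATE KEY":
        return to_pem(label, der)                              # already PKCS#1
    if label == "PRIVATE KEY":
        return to_pem("RSA PRIVATE KEY", pkcs8_unwrap(der))    # strip the PKCS#8 wrapper
    raise ValueError(f"unsupported PEM label: {label}")


def modulus_bits(pkcs1_der: bytes) -> int:
    _, body, _ = read_tlv(pkcs1_der)
    _, _, pos = read_tlv(body)              # version
    _, n_bytes, _ = read_tlv(body, pos)     # modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


# Constructed toy key: p=61, q=53, n=3233, e=17, d=2753 (NOT a real key).
TOY_PKCS1 = pkcs1_rsa_private_key(3233, 17, 2753, 61, 53)
TOY_PKCS8_PEM = to_pem("PRIVATE KEY", pkcs8_wrap(TOY_PKCS1))

if __name__ == "__main__":
    print(TOY_PKCS8_PEM)
    print(to_pkcs1_pem(TOY_PKCS8_PEM))
```

Both encodings carry the same RSA parameters, so nothing about the key's strength changes in the conversion; the only thing a validator that accepts one header and rejects the other is checking is the outer ASN.1 wrapper.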

Musings on Password Lengths

I’ve been thinking about password lengths, complexity, and how much strength is really required.

Random Passwords

I use LastPass for all of my passwords and never really calculated how long my passwords need to be to be secure, assuming they’re fully random. Since AES with a 128-bit key is considered sufficiently secure, I want my passwords to have at least 128 bits of strength. Doing some quick math based on a standard US ASCII keyboard, the bits of strength per character in each character class (log2 of the number of possibilities) are as follows:

  • lowercase – 26 possibilities ≈ 4.7 bits
  • uppercase – 26 possibilities ≈ 4.7 bits
  • numbers – 10 possibilities ≈ 3.3 bits
  • symbols – 30 possibilities ≈ 4.9 bits

I assume that every website will accept alphanumeric passwords, so that gives 62 possibilities. Each character has just short of 6 bits of strength. 128 / 6 ≈ 21.3, so a random 22 character alphanumeric password has more than 128 bits of strength.

If the website accepts all special characters, that is 92 possibilities. Each character then has just over 6.5 bits of strength. 128 / 6.5 ≈ 19.7, so a random 20 character password has more than 128 bits of strength.

"Human" Passwords

The strength of human-chosen passwords is much harder to estimate. I like to use a variant of the xkcd "Password Strength" method: a combination of words, numbers, and symbols. This changes the number of possibilities per element, since a word is drawn from a pool of words rather than characters. The Oxford English Dictionary indicates that there are about 600,000 words in the English language. Assuming that half of these are between 3 and 6 characters, each randomly chosen word of 3 to 6 characters has about 18.2 bits of strength (log2 of 300,000).

If an attacker knew that a password followed the pattern word, symbol, word, number, word, symbol, word, this password would have 18.2 + 4.9 + 18.2 + 3.3 + 18.2 + 4.9 + 18.2 = 87.7 bits. While a password like this doesn’t quite reach 128 bits of strength, it is reasonably strong, should be easy to remember, and is fairly easy to type. Also, an attacker probably wouldn’t know the password composition method, making the actual strength a bit higher. If science and technical terms are included, that will increase the strength per word. Just make sure you pick your words randomly.

Conclusions

Random passwords of 24+ characters for websites are unnecessary, especially since password reset functions generally offer far less security than the password itself.

I should add a little more length to my master passwords that are susceptible to an offline attack (e.g. LastPass). Fortunately, most systems protecting such passwords use PBKDF2 to increase the computing power needed for a brute-force attack.
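The arithmetic in the two posts above generalises to any composition pattern, and the PBKDF2 remark can be put in the same units (an iterated KDF multiplies the cost of each guess, so it adds log2(iterations) effective bits). The following is an added example written for this post, not LastPass code; its inputs are the post's own assumptions (US keyboard class sizes, a 300,000-word pool, a 128-bit target), and the 100,000-iteration figure is constructed for illustration, not a vendor's setting. Note that summing the post's own per-element figures for the word/symbol/word/number/word/symbol/word pattern gives 85.9 bits; the code below reproduces that value (the 87.7 total in the post appears to be an addition slip).

```python
"""Password-strength arithmetic from the posts above, generalised to any pattern.

Added example for this post (not LastPass code). "Strength" here is log2 of
the number of equally likely choices, which only holds when every element is
picked uniformly at random; it says nothing about passwords a person made up.
"""
import math
from typing import Sequence

# Character classes the post counts on a US ASCII keyboard.
CLASSES = {"lowercase": 26, "uppercase": 26, "number": 10, "symbol": 30}
ALPHANUMERIC = CLASSES["lowercase"] + CLASSES["uppercase"] + CLASSES["number"]  # 62
ALL_PRINTABLE = ALPHANUMERIC + CLASSES["symbol"]                                  # 92
WORD_POOL = 600_000 // 2   # the post's estimate of 3-6 letter English words
TARGET_BITS = 128          # "as strong as AES-128"


def bits_per_choice(pool_size: int) -> float:
    """Entropy contributed by one element drawn uniformly from pool_size options."""
    if pool_size < 2:
        raise ValueError("a pool of fewer than two options contributes no entropy")
    return math.log2(pool_size)


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random string over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / bits_per_choice(alphabet_size))


def pattern_bits(pattern: Sequence[str], word_pool: int = WORD_POOL) -> float:
    """Strength of a password built from pattern elements ("word", "symbol",
    "number", "lowercase", "uppercase"), each drawn uniformly from its pool,
    assuming the attacker knows the pattern (the post's worst case)."""
    pools = dict(CLASSES, word=word_pool)
    return sum(bits_per_choice(pools[element]) for element in pattern)


def kdf_work_bits(iterations: int) -> float:
    """Extra effective bits an offline attacker must pay per guess when the
    password is stretched by an iterated KDF such as PBKDF2: cost grows
    linearly in the iteration count, so the equivalent key length grows by log2."""
    return math.log2(iterations)


def shortfall(pattern: Sequence[str], iterations: int = 1,
              target_bits: float = TARGET_BITS) -> float:
    """Bits still missing (positive) or to spare (negative) against the target,
    counting KDF stretching for the offline-attack case the post worries about."""
    return target_bits - pattern_bits(pattern) - kdf_work_bits(iterations)


XKCD_STYLE = ["word", "symbol", "word", "number", "word", "symbol", "word"]

if __name__ == "__main__":
    print(chars_needed(TARGET_BITS, ALPHANUMERIC), "alphanumeric chars for 128 bits")
    print(chars_needed(TARGET_BITS, ALL_PRINTABLE), "printable chars for 128 bits")
    print(round(pattern_bits(XKCD_STYLE), 1), "bits for", "/".join(XKCD_STYLE))
    print(round(kdf_work_bits(100_000), 1), "bits added by 100,000 KDF iterations (constructed count)")
    print(round(shortfall(XKCD_STYLE, 100_000), 1), "bits short of the target with that stretching")
```

The shortfall function is the practical reading of the Conclusions section: for an online website login the reset flow, not the password length, is the weak point, while for a master password the KDF iteration count and the pattern length trade off directly against each other in bits.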

Updated Dreamhost Ciphers

Dreamhost offers free SSL/TLS through SNI for their shared hosting accounts. When this service was first released, it was limited to an RC4 ciphersuite and TLSv1.0. For most applications, RC4 is no longer a preferred cipher within the cryptographic community (Matthew Green’s blog post).

I haven’t seen an announcement, but I’d guess it was the early November upgrade from Debian to Ubuntu that updated the TLS configuration.

Dreamhost now supports TLSv1.0, TLSv1.1, and TLSv1.2 with the following cipher suites:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

Other than Triple-DES being a little on the weak side, this is now a very solid and modern list of ciphers.
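A quick way to back up that verdict is to grade the list mechanically, the way a configuration review would. The following is an added example written for this post, not DreamHost's configuration or an OpenSSL/IANA tool: it parses IANA-style suite names and applies three checks that the list above makes visible (forward secrecy from DHE/ECDHE key exchange, AEAD GCM versus CBC with HMAC, and the 64-bit block size of 3DES that earns it the "a little on the weak side" remark). The suite list is copied from the post.

```python
"""Grade TLS cipher-suite names the way a config review would.

Added example for this post (not DreamHost or OpenSSL code). The grading
rules are deliberately simple and explicit so they can be argued with.
"""
import re

# The eighteen suites listed in the post above.
DREAMHOST_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
]

# TLS_<key exchange>_WITH_<cipher>_<MAC/PRF>
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA384|SHA256|SHA)$")
FORWARD_SECRET_KX = ("DHE", "ECDHE")


def parse_suite(name: str) -> dict:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    parts = m.group("cipher").split("_")
    algo, mode = parts[0], parts[-1]                   # e.g. AES / GCM, 3DES / CBC
    if algo == "3DES":
        key_bits, block_bits = 112, 64                 # 3-key EDE: 112-bit effective, 64-bit block
    else:
        key_bits, block_bits = int(parts[1]), 128      # AES and Camellia: 128-bit block
    return {"name": name, "kx": m.group("kx"), "cipher": algo, "key_bits": key_bits,
            "mode": mode, "block_bits": block_bits, "mac": m.group("mac")}


def assess(name: str) -> dict:
    """Attach a list of issues and a grade (strong / acceptable / weak) to a suite."""
    s = parse_suite(name)
    issues = []
    if not s["kx"].startswith(FORWARD_SECRET_KX):
        issues.append("no forward secrecy: static RSA key exchange")
    if s["mode"] != "GCM":
        issues.append("CBC mode with HMAC rather than an AEAD mode")
    if s["block_bits"] < 128:
        issues.append("64-bit block cipher")
    if s["block_bits"] < 128:
        grade = "weak"
    elif issues:
        grade = "acceptable"
    else:
        grade = "strong"
    return {**s, "issues": issues, "grade": grade}


def summarize(suites) -> dict:
    graded = [assess(n) for n in suites]
    return {
        "total": len(graded),
        "forward_secrecy": sum(s["kx"].startswith(FORWARD_SECRET_KX) for s in graded),
        "aead": sum(s["mode"] == "GCM" for s in graded),
        "strong": [s["name"] for s in graded if s["grade"] == "strong"],
        "weak": [s["name"] for s in graded if s["grade"] == "weak"],
    }


if __name__ == "__main__":
    for key, value in summarize(DREAMHOST_SUITES).items():
        print(f"{key}: {value}")
```

Run over the list it agrees with the post's conclusion: only the two 3DES suites grade as weak, half the list offers forward secrecy, and the four GCM suites are the ones a client should be preferring. The list contains no ECDHE suites, so the forward-secret options are all finite-field DHE, whose strength then depends on the server's DH parameter size, which the suite name does not reveal.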