Root Causes 100: OpenSSH Deprecates SHA-1

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

June 15, 2020

Once widely used, SHA-1 is considered insecure today and has been deprecated from the most common PKI use cases. OpenSSH recently provided a roadmap to its eventual deprecation of SHA-1. Join our hosts as they discuss the long, complex process of sunsetting a widely used cryptographic practice, the factors that contribute to these practices continuing beyond their secure lifespans, and the importance of crypto agility.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanSo, we are here today, we are talking about a news item in the world of cryptographic algorithms and in particular, this is, I am looking at a ZDNet article from May 27 I believe it is and the headline reads, OpenSSH to Deprecate SHA-1 Log-ins Due to Security Risk. So, I guess I would start by saying people are still using SHA-1?

Jason SorokoYeah, they are. And in fact, previous podcasts that we’ve done, Tim, we talked about SHA-1 especially within the context of encryption. We’ve talked about it in the context of SSL certificates.

Tim CallanYeah. right.

Jason SorokoIn this case, we are now talking about SSH keys.

Tim CallanYeah. And so, this is obviously, I mean, so, gee, there’s a lot of directions to go with this. First, SHA-1, we all gotta stop using SHA-1. Right? We’ve talked about this in in the past because it’s not really considered to be secure anymore. But I don’t know. I guess what I kind of meant from that question is doesn’t it feel like we’ve already talked about this and been through this a few years ago and how come this is happening now? Like doesn’t this feel like a 2017 headline.

Jason SorokoYeah. Well, I can tell you - - of course, when you are a tech journalist you try to make things interesting. You try to make things fresh and new.

Tim CallanSure.

Jason SorokoAnd I think what is new here is OpenSSH as a project, right, as an OpenSource software project, has been warning now from several versions back that there was going to be deprecation of SHA-1.

Tim CallanOk.

Jason SorokoSo, the default cryptographic algorithm that was used in OpenSSH for a very, very long time was SHA-1. It was the SSH-RSA command line issuance. Whenever you are using OpenSSH was just a default that was built right in and so what’s different now is that the default will be changing to SHA-256 and additionally, it looks like within the latest version, OpenSSH is including a methodology. It’s including a command line option that enables the automatic update of the algorithm itself, which is great. And I think what is brand-new and this is what really - - the headline would not have been as great to read but really what they are trying to warn is that in future versions of OpenSSH the ability to use SHA-1 will be completely deprecated out.

Tim CallanOk. So, they are just gonna stub it out entirely. We’ve seen this. A lot of people do this, right. You don’t want to break a bunch of people by surprise one day, so you do things to telegraph it in advance. You make it harder to use. You make them go in and deliberately pick it and then you let them know you can do this for the next nine months but then guess what? It’s just going. Right? That’s a very common approach that people take to deprecating this kind of functionality.

I guess the question I would ask is, is this scary though? That SHA-1 is still available for OpenSSH today?

Jason SorokoIt could be. It could be. I think that it’s still there for the fact that key rotation within certain kinds of security communications is difficult to change. I think, Tim, to really answer your question in a slightly different way which is what the scary use cases and scenarios are. I think a lot of embedded devices that are using older implementations of OpenSSH that may never, ever be able to be upgraded, those are the ones that I’m most worried about.

Tim CallanSure. And that’s one of the use cases we just saw on the Atrostrute rollover is like old, embedded devices were some of the devices were some the devices that couldn’t handle that because for that exact same reason.

So, what do we do? At the end of the day if these devices are out there and we feel like this protocol is not cryptographically secure do we just have to live with that for the lifetime of the devices?

Jason SorokoPotentially, yes. So therefore, for devices that are consumer-level devices that are in the hands of consumers, you know, there may or may not be issues with that and the chances of those things ever being fixed are not great. Perhaps it’s a corporate communication to the customers to say, hey, if you are assuming that the communications of this device are secure just be careful how you use it. Who knows? It could be something like that but then again, if the devices were embedded inside of - - if OpenSSH was embedded in devices such as for industrial systems or critical infrastructure taking an inventory of those weaker devices and how they are being used might be part of what you want to do.

Tim CallanYeah. And then this kind of goes back to another conversation that we always have when we have this, which is, geez if you can’t update the outdated cryptography then what are the chances that you can patch the zero days? You know. And if you can’t do that then gosh, you have fundamentally an insecure system and maybe you need to be asking yourself if more extreme measures are required, like replacing those devices.

Jason SorokoYeah. That’s right, Tim. And I think in some cases that might be true. I think in a lot of other cases there is already so many devices that have such weak security. In other words, when you consider hard-coded username and passwords that can get you a root shell within a device compared to say, you know, a deprecated cryptographic algorithm I think there’s even lower hanging fruit available for the bad guys right now.

Tim CallanYeah. You might say I doubt that anybody is gonna put the processing power in necessary to compromise my refrigerator, now on the other hand, if they can make my power plant blow up that’s another matter and so, for that second one maybe we better go pull that meter out and for the first one, maybe we figure the fridge is a fridge and they’re gonna attrition out over time.

Jason SorokoYeah. That’s exactly right, Tim. Those consumer-level devices I already have a big fear about them. In fact, if we were to do an informal survey right now about a whole pile of different consumer level devices, I’m betting they’re not even using something as strong as a SSH key.

Tim CallanYes. That’s why we keep having Botnets isn’t it?

Jason SorokoSeems to be the case.

Tim CallanMaybe a quick topic – anything else that we need to cover on this topic, Jay, that I missed?

Jason SorokoNo. I think for the practitioner who is, you know, the Linux administrator whoever it is that is responsible for the OpenSSH implementation at your enterprise, I would say check out the documentation of the new version, check out what the changes are, check out how to auto update and auto rotate your keys. I think that it might be time for you to start looking at automating SSH keys as well. Thinking about the idea that we talked about on previous podcasts about putting those keys into certificates so you can enact timing policies. But for right now, the most important thing would be making sure that if you are gonna upgrade OpenSSH, understand the implications of the fact that the default of cryptographic algorithm is going to change and rotate those keys out.

Tim CallanAlright. Cool. So, there you go. OpenSSH deprecating SHA-1. Let me ask you this and we may already have answered this one, but do you think we are gonna see more headlines like this as time goes on? Are there still significant industry components that have SHA-1 deprecation still in their future and not in their past?

Jason SorokoUnfortunately, I think some of the next set of SHA-1 news we might hear is where perhaps where SHA-1 is used in ways that we never thought. And it’s gonna continue to be in things such as embedded devices unfortunately.

Tim CallanYeah. That’s the other thing that happens, right, when you find is you get something as broad and ubiquitous as some of these cryptographic standards and there are usages you literally don’t know about and then what happens is when some level of functionality is deprecated, no matter how hard everyone looks for it, you never find it cause there is something that’s just sitting there running and nobody knows and then you turn it off and all of the sudden something is breaking that nobody has thought about in 15 years and it turns out that was why. So, yes, probably there will be some of that as well and that’s a lot of the hard work that goes on with switching systems over, right. This is how come we think it’s gonna take a long time to get to the quantum safe cryptographic algorithms, right. For the exact same reason. So, there’s a bunch of stuff that’ll swap out really fast and then there’s a long tail that will be difficult to isolate and understand and change.

Jason SorokoThat’s exactly right, Tim. And I think in this case with SHA-1 that has an incredibly long tail because of just how incorporated it was at the default level of so many things that we’ve done.

Tim CallanYeah. And, you know, less thought of the concept of crypto agility, right. If you go back in time even five years, certainly ten years, we weren’t as keen to the need for crypto agility as we are now. So, if you are setting up something up from scratch today, you are thinking about how do I swap out these algorithms completely and correctly and expediently when I need to. Five years ago, certainly ten years ago, probably wasn’t high on your list of things to think about.

Jason SorokoYeah. I would say about five years ago I was thinking about it quite a lot but I don’t think it was on the top of mind of people who were really on the front lines of this.

Tim CallanYeah. I think that’s right. I think the industry was going that way but for your kind of working IT professional, there hadn’t been a lot of communication and education on that point, and it wasn’t not really good tools even and it wasn’t something that a lot of people were putting on their checklists.

Jason SorokoThat’s exactly right, Tim. But here we are. We still have headlines about major protocols that are used daily.

Tim CallanI know. So, get crypto agile everybody.

Jason SorokoYou got it.

Tim CallanAlright. Thanks Jay. Always a pleasure to talk to you.

Jason SorokoThank you, Tim.

Tim CallanThis has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!