Author Topic: SSH Tunneling still relevant?  (Read 5428 times)

Offline lucid

SSH Tunneling still relevant?
« on: October 02, 2013, 09:12:40 pm »
Seems like a silly question I know.

As of late it seems that those who care must re-evaluate our methods of anonymity due to the NSA 'cracking' RSA 1024 bit encryption. So obviously VPNs, SSL/HTTPS, Tor, and many other methods I'm sure, are out the window.... at least if you are trying to hide from the government.

Now up until recently I've been under the impression that rooting a multitude of SSH servers, and using them as SOCKS proxies by chaining them all together and tunneling through them was one of the best ways to be anonymous considering that you would be in complete control of all the nodes so you wouldn't have to worry about logs. However, considering that RSA was cracked, and SSH uses RSA encryption, seems that SSH tunneling is not as uber leet anon as we all thought it was.

But what if I'm using DSA instead? I assume the NSA wouldn't have any problems with that... but what about ECDSA? Has that been compromised? Is there any algo that we can still use safely?

Discuss, friends.
« Last Edit: October 02, 2013, 09:17:43 pm by lucid »
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Offline Zesh

Re: SSH Tunneling still relevant?
« Reply #1 on: October 02, 2013, 09:18:28 pm »
You can still use many algorithms as long as the key size is "large" enough.
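
Added example, not part of any post in this thread: a Python check of the key-size point in the reply above. It reads OpenSSH public-key lines and reports RSA or DSA keys whose modulus is below a floor. The 2048-bit default, the function names and the sample lines are assumptions constructed for the example.

```python
import base64
import struct

MIN_BITS = 2048  # assumed policy floor for this example; the thread names no threshold

def _read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def key_info(line):
    """Return (algorithm, bits) for a 'type base64 [comment]' line; bits is None
    for types whose strength is not a modulus size (ECDSA, Ed25519)."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_string(blob, 0)
    algo = name.decode("ascii")
    if algo != declared:
        raise ValueError("declared key type does not match the key blob")
    if algo == "ssh-rsa":                      # blob fields: name, e, n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return algo, int.from_bytes(n, "big").bit_length()
    if algo == "ssh-dss":                      # blob fields: name, p, q, g, y
        p, _ = _read_string(blob, off)
        return algo, int.from_bytes(p, "big").bit_length()
    return algo, None

def audit(lines, min_bits=MIN_BITS):
    """Return (algorithm, bits) for every RSA/DSA key below min_bits."""
    infos = (key_info(line) for line in lines if line.strip())
    return [(a, b) for a, b in infos if b is not None and b < min_bits]

def _mpint(value):
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # extra byte keeps it positive
    return struct.pack(">I", len(raw)) + raw

def make_rsa_line(bits, comment):
    """Constructed input: well-formed ssh-rsa line with a dummy modulus, not a usable key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    print(audit([make_rsa_line(1024, "constructed-old"), make_rsa_line(4096, "constructed-new")]))
```

The same `audit` call accepts the lines of an `authorized_keys` or host-key `.pub` file, provided each line has no leading options field.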

Offline ande

Re: SSH Tunneling still relevant?
« Reply #2 on: October 02, 2013, 09:20:00 pm »
Quote
Everyone needs to calm down: The National Security Agency HAS NOT "cracked" common internet encryption.


What the NSA has done, according to leaked documents, is (1) undermine encryption by coercing companies to put backdoors into their software and (2) hack into tech company servers to steal encryption keys.
The misconception has spawned as a result of major news organizations like The Guardian, Propublica, and New York Times conflating the two ideas of "exploiting" and "cracking."


Source: http://www.businessinsider.com/calm-down-the-nsa-hasnt-cracked-basic-internet-encryption-2013-9



My two cents: I don't think the NSA can crack, as in brute force, RSA within a reasonable time-frame just yet. And even if they did, they would have to disclose that information in a scenario where you get "cough" while tapped by the NSA.
« Last Edit: October 02, 2013, 09:23:50 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline lucid

Re: SSH Tunneling still relevant?
« Reply #3 on: October 02, 2013, 09:35:27 pm »
See I read that article but I got the feeling that it was sensationalism to hide the fact that the NSA is aggressively invading our privacy.

Well, I suppose it's true, they didn't really crack it, they just backdoored it. Either way it seems that RSA 1024 is nowhere near strong enough anymore, so all I need to do is use, say, RSA 4096-bit encryption then..
« Last Edit: October 03, 2013, 09:01:57 am by lucid »

Offline chapp

Re: SSH Tunneling still relevant?
« Reply #4 on: October 02, 2013, 09:42:08 pm »
The same rules apply. SSH tunnel chaining is not a matter of keeping the data secret, but the origin of the data. At two points must the data be available as clear text, either of these can be compromised. Just expect everything you write to be visible to everyone and don't reveal too much info, if you are not interested in being associated with it later.


The NSA might/quite likely have successfully weakened certain encryption algorithms, allowing them to extract certain information.

Offline lucid

Re: SSH Tunneling still relevant?
« Reply #5 on: October 02, 2013, 09:45:30 pm »
Quote
At two points must the data be available as clear text

To that sir all I will say is...

End-to-end encryption

Offline chapp

Re: SSH Tunneling still relevant?
« Reply #6 on: October 02, 2013, 10:25:02 pm »
Quote
To that sir all I will say is...

End-to-end encryption


That does not change the premise of data being clear text at two end-points, thus you must at all times rely on the recipient and yourself not to be compromised.

Offline proxx

Re: SSH Tunneling still relevant?
« Reply #7 on: October 02, 2013, 10:35:59 pm »
Apart from that you could also give the data in the tunnel another layer with any encryption of choice.
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline lucid

Re: SSH Tunneling still relevant?
« Reply #8 on: October 03, 2013, 06:12:26 am »
Quote
Apart from that you could also give the data in the tunnel another layer with any encryption of choice.

You should elaborate more.

Offline proxx

Re: SSH Tunneling still relevant?
« Reply #9 on: October 03, 2013, 06:25:55 am »
Quote
You should elaborate more.

I should.

Well for example it should be possible to use ncat with SSL inside your ssh tunnel.
Generate some really heavy keys.
Change the port to something weird to make it look like something else is going on.
There are some alternatives to ssh, maybe those can be layered in such a fashion.
Didn't take the time to read about the encryption documentation but there are tools like MOSH, LSH and many more.
You also might want to look at corkscrew, it's a tool that lets you ssh through HTTP proxies, nice toys.
Quote
Q: Has your secure datagram protocol been audited by experts?

    No. Mosh is actively used and has been read over by security-minded crypto nerds who think its design is reasonable, but any novel datagram protocol is going to have to prove itself, and SSP is no exception. We use the reference implementations of AES-128 and OCB, and we welcome your eyes on the code. We think the radical simplicity of the design is an advantage, but of course others have thought that and have been wrong. We don't doubt it will (properly!) take time for the security community to get comfortable with mosh.
Dunno if that's a good thing :P
Was looking for key strength settings but didn't find anything yet.
« Last Edit: October 03, 2013, 06:38:33 am by proxx »

Offline lucid

Re: SSH Tunneling still relevant?
« Reply #10 on: October 03, 2013, 07:04:20 am »
Quote
I should.

Well for example it should be possible to use ncat with SSL inside your ssh tunnel.
Generate some really heavy keys.
Change the port to something weird to make it look like something else is going on.

Cryptcat anyone?

That's a good idea. I've never thought about doing that though. Oddly enough, I've never actually heard of corkscrew. Sounds like an interesting idea though. I never really considered tunneling SSH through HTTP proxies. I figured just creating a SOCKS tunnel and browsing the internet through that was sufficient.

Shows how dumb I am.


Quote
That does not change the premise of data being clear text at two end-points, thus you must at all times rely on the recipient and yourself not to be compromised.

Which is why it's good to own all the SSH servers you're tunneling through.
« Last Edit: October 03, 2013, 09:07:12 am by lucid »

Offline proxx

Re: SSH Tunneling still relevant?
« Reply #11 on: October 03, 2013, 08:43:14 pm »
Quote
Cryptcat anyone?

That's a good idea. I've never thought about doing that though. Oddly enough, I've never actually heard of corkscrew. Sounds like an interesting idea though. I never really considered tunneling SSH through HTTP proxies. I figured just creating a SOCKS tunnel and browsing the internet through that was sufficient.

Shows how dumb I am.


Most certainly not, I speak to people daily that have far greater knowledge on many subjects.
Compared to some I feel like a complete noob, I probably am.
I can just aim to approach that level some day.

Offline spark

Re: SSH Tunneling still relevant?
« Reply #12 on: October 08, 2013, 10:00:46 pm »
If we suppose that RSA 1024 is no longer reliable, as well as ssh tunnels, how would ssh tunneling through http proxies improve encryption?

Offline proxx

Re: SSH Tunneling still relevant?
« Reply #13 on: October 08, 2013, 10:07:21 pm »
Quote
If we suppose that RSA 1024 is no longer reliable, as well as ssh tunnels, how would ssh tunneling through http proxies improve encryption?

It does not, I was only referring to another useful tool.
Even if the encryption is flawed there is still something like obfuscation.
« Last Edit: October 08, 2013, 10:07:40 pm by proxx »

Offline spark

Re: SSH Tunneling still relevant?
« Reply #14 on: October 08, 2013, 10:50:28 pm »
If by obfuscation you mean white-box cryptography, I don't know if this is the appropriate solution since obfuscation is meant to hide the decryption key even from the legitimate user.