Tatu Ylonen, the CEO of SSH Communications Security, a company that he helped to set up to further the Secure Shell standard – which he authored back in 1995 at the University of Helsinki – is working on a new version of the popular cryptographic standard.
SSH is widely used in the IT industry for remote administration of servers and for automated machine-to-machine connections, but Ylonen says that, 18 years after the protocol was first formulated, it is time for a major update.
This is, he told ITSP, the third version of SSH. It has been co-authored by Ylonen and a number of other researchers, including Murugiah Souppaya, a computer scientist at the US National Institute of Standards and Technology (NIST).
Details of the proposal have already been submitted to the Internet Engineering Task Force (IETF) as an Internet-Draft for review, with plans to finalise what Ylonen calls SSH-3 later this year.
ITSP notes that, whilst SSH-1 was published in 1995, it has since been superseded by SSH-2, which was published in 2006.
Ylonen says that the 58-page IETF draft document, ‘Managing SSH Keys for Automated Access – Current Recommended Practice’, has just been published by the IETF and will be open for comment and review until this October. As its title indicates, the draft addresses the operational management of the SSH keys used for automated logins rather than changes to the SSH-2 wire protocol.
Delving into the draft reveals that Ylonen and his co-authors recommend a number of key-management practices, including:
Moving keys to protected locations
Removing unused keys
Associating authorised keys with a business process or application
Removing keys for which no valid purpose can be found
Rotating keys on a regular basis, and
Restricting what can be done with each authorised key
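Most of the practices above can be checked mechanically against a host's authorized_keys file. The Python script below is an added example, not code from the draft, from Ylonen's team or from SSH Risk Assessor: it parses authorized_keys entries (including quoted options such as command="..."), computes each key's SHA256 fingerprint, and flags keys that lack a forced command or a from= source restriction, carry no owner/purpose comment, have no recorded login within 90 days, or are authorised on more than one host. The host names, key strings, comments and last-login dates are constructed sample data (the key blobs are syntactically valid ed25519 encodings, not real keys); the 90-day idle threshold is an assumed policy value, and a real deployment would take last-login dates from sshd logs rather than a literal dict.

```python
"""Audit OpenSSH authorized_keys files against the key-management practices
listed above.  Added example; not part of the IETF draft or of SRA."""
import base64
import binascii
import hashlib
from dataclasses import dataclass
from datetime import date

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")


@dataclass
class AuthorizedKey:
    options: dict      # sshd auth-option name -> value, or True for flag options
    key_type: str
    fingerprint: str   # "SHA256:<base64>" as printed by ssh-keygen -lf
    comment: str
    line_no: int


def _store(opts, token):
    if token:
        name, sep, value = token.partition("=")
        opts[name.lower()] = value if sep else True


def parse_options(text):
    """Parse the comma-separated option list that may precede a key; values may be
    double-quoted and contain commas or backslash-escaped quotes."""
    opts, cur, in_quotes, i = {}, "", False, 0
    while i < len(text):
        c = text[i]
        if in_quotes and c == "\\" and i + 1 < len(text):
            cur += text[i + 1]
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            _store(opts, cur)
            cur = ""
        else:
            cur += c
        i += 1
    _store(opts, cur)
    return opts


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the decoded key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()


def parse_line(line, line_no):
    """Return an AuthorizedKey, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # The options field ends at the first whitespace outside double quotes.
    in_quotes, first, rest = False, line, ""
    for i, c in enumerate(line):
        if c == '"' and line[i - 1:i] != "\\":
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            first, rest = line[:i], line[i:].lstrip()
            break
    if first in KEY_TYPES:          # no options field on this line
        options, rest = {}, line
    else:
        options = parse_options(first)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"line {line_no}: not an authorized_keys entry")
    try:
        fp = fingerprint(parts[1])
    except binascii.Error as exc:
        raise ValueError(f"line {line_no}: malformed key data") from exc
    return AuthorizedKey(options, parts[0], fp, parts[2] if len(parts) == 3 else "", line_no)


def audit(files, last_used, today, max_idle_days=90):
    """files: {host: authorized_keys text}; last_used: {fingerprint: date of the last
    login seen in the auditor's logs}.  Returns (host, line, fingerprint, finding) tuples."""
    findings, hosts_by_key = [], {}
    for host, text in files.items():
        for n, raw in enumerate(text.splitlines(), 1):
            key = parse_line(raw, n)
            if key is None:
                continue
            hosts_by_key.setdefault(key.fingerprint, []).append(host)
            where = (host, key.line_no, key.fingerprint)
            if not key.comment:
                findings.append(where + ("no owner or purpose recorded in the comment",))
            if "command" not in key.options:
                findings.append(where + ("no command= option: key grants an unrestricted shell",))
            if "from" not in key.options:
                findings.append(where + ("no from= option: usable from any source address",))
            used = last_used.get(key.fingerprint)
            if used is None:
                findings.append(where + ("no login seen: candidate for removal",))
            elif (today - used).days > max_idle_days:
                findings.append(where + (f"idle for {(today - used).days} days: candidate for removal",))
    for fp, hosts in hosts_by_key.items():   # one private key shared across hosts
        if len(hosts) > 1:
            findings.append(("*", 0, fp, "same key authorised on " + ", ".join(hosts)))
    return findings


# Constructed sample data: valid ed25519 encodings, not real keys; hypothetical hosts and dates.
KEY1 = "AAAAC3NzaC1lZDI1NTE5AAAAIQabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP"
KEY2 = "AAAAC3NzaC1lZDI1NTE5AAAAIg012345678901234567890123456789012345678901"
KEY3 = "AAAAC3NzaC1lZDI1NTE5AAAAIwZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlk"
SAMPLE_FILES = {
    "db01": "\n".join([
        "# nightly dump pulled by the backup host",
        'from="10.0.5.0/24",command="/usr/bin/rrsync -ro /srv/pgdump",no-pty,no-port-forwarding '
        f"ssh-ed25519 {KEY1} backup-job/pg-dump",
        f"ssh-ed25519 {KEY2}",
    ]),
    "web01": "\n".join([
        f'restrict,command="/opt/deploy/bin/release" ssh-ed25519 {KEY3} deploy-pipeline',
        f"ssh-ed25519 {KEY2} jsmith@laptop",
    ]),
}
TODAY = date(2013, 6, 1)
LAST_USED = {fingerprint(KEY1): date(2013, 5, 29), fingerprint(KEY3): date(2013, 2, 1)}


def run_audit():
    return audit(SAMPLE_FILES, LAST_USED, TODAY)


if __name__ == "__main__":
    for host, line, fp, finding in run_audit():
        print(f"{host}:{line} {fp} {finding}")
```

The first db01 entry is what a key that passes every check looks like: a forced command (here the rrsync wrapper, restricted to one directory), a from= network restriction, no pty or port forwarding, and a comment naming the job the key belongs to. The same key appearing on both hosts is reported separately, because a private key that has been copied around is the case the draft's "associate each key with a process" and "rotate" advice is aimed at. Moving private keys to protected locations is outside what an authorized_keys audit can see and has to be checked on the client side.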
In parallel with the proposed SSH-3 standard, Ylonen and his team have developed a new utility. Known as SSH Risk Assessor (SRA), the free software provides users with a clear report on risk and compliance exposures in SSH environments.
The idea behind the software is that it identifies an organisation's compliance status against the relevant standards, assesses the actions needed to achieve compliance, and gives administrators an understanding of the current state of their Secure Shell environment.
Ylonen says that companies are being flagged for compliance violations under general guidelines relating to SSH access control.
SRA, he adds, provides an easy way for enterprises and government agencies to determine if there are risk and compliance issues with respect to who has access to what information in their SSH environment.
“With compliance authorities preparing to create specific requirements regarding access controls in SSH environments, SRA is a critical tool that will help auditors and security teams scope the size of the issue and create awareness with IT executives,” he explained.