Wednesday, 18 July 2012

Can the encryption of SSH tunneling be turned off, or its strength lowered?


Everyone must find this strange: SSH exists precisely to provide a secure, encrypted channel, so why would anyone want to turn the encryption off or lower its strength? Where would such a need come from? Before explaining, let me first give a few ordinary cases in which SSH tunneling is used:

So the main purpose of building an SSH tunnel is to create a channel that lets you reach a restricted network from the outside; the diagram makes this easier to grasp.

[Diagram omitted; image source: internet]

[Diagram omitted; image source: internet]


From this diagram you can see that data carried through the SSH tunnel is protected by encryption the whole way, until it leaves the SSH tunnel and reaches the restricted internal network (which is, relatively speaking, also a trusted network).


[Diagram omitted; image source: internet]

That is where the questions come in:

1. What if the device I want to connect to (an embedded system) does not have enough CPU power? Can the encryption be turned off?
2. Encryption also affects speed, so how can throughput be increased?
3. Which algorithm is actually used for the encryption?

So here are a few answers I found online:

1. Encrypted transfers can be as much as 86% slower than unencrypted ones

RFC 4253 specifies that, during handshake, client and
server can agree not to use any bulk encryption.
In other words, the encrypted transfer speed is *** 86% SLOWER ***
than the unencrypted transfer speed.

2. With a patch, hpn-ssh, it really can be turned off

3. Lower the encryption strength
---------------------------------------------------------------------------
You cannot disable encryption, at least not in any standards-compatible way. You can pick weaker and/or faster ciphers if you're really worried about overhead. ARCFour and Blowfish are pretty fast. DES is slow.

For OpenSSH:
man ssh_config
man sshd_config

The following ciphers are currently defined:

      3des-cbc         REQUIRED          three-key 3DES in CBC mode
      blowfish-cbc     OPTIONAL          Blowfish in CBC mode
      twofish256-cbc   OPTIONAL          Twofish in CBC mode,
                                         with a 256-bit key
      twofish-cbc      OPTIONAL          alias for "twofish256-cbc"
                                         (this is being retained
                                         for historical reasons)
      twofish192-cbc   OPTIONAL          Twofish with a 192-bit key
      twofish128-cbc   OPTIONAL          Twofish with a 128-bit key
      aes256-cbc       OPTIONAL          AES in CBC mode,
                                         with a 256-bit key
      aes192-cbc       OPTIONAL          AES with a 192-bit key
      aes128-cbc       RECOMMENDED       AES with a 128-bit key
      serpent256-cbc   OPTIONAL          Serpent in CBC mode, with
                                         a 256-bit key
      serpent192-cbc   OPTIONAL          Serpent with a 192-bit key
      serpent128-cbc   OPTIONAL          Serpent with a 128-bit key
      arcfour          OPTIONAL          the ARCFOUR stream cipher
                                         with a 128-bit key
      idea-cbc         OPTIONAL          IDEA in CBC mode
      cast128-cbc      OPTIONAL          CAST-128 in CBC mode
      none             OPTIONAL          no encryption; NOT RECOMMENDED
----------------------------------------------------------------
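As an added example (not part of the original post, and not OpenSSH's own code), the following Python script audits the Ciphers directive of an ssh_config/sshd_config fragment against the cipher table quoted above, so a defender can spot a server that has been tuned for speed at the cost of "none", arcfour or other legacy ciphers. The policy sets, the two sample config fragments and the parsing rules are my assumptions; chacha20-poly1305@openssh.com, aes256-gcm@openssh.com and aes128-ctr are cipher names that current OpenSSH supports.

```python
"""Audit the Ciphers directive of an OpenSSH config against the cipher table above."""
import re

# Constructed policy derived from the RFC 4253 table: 'none' means no
# encryption at all; RC4 and the 64-bit-block ciphers are legacy; any
# remaining CBC-mode cipher is flagged for review rather than rejected.
FORBIDDEN = {"none"}
WEAK = {"arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "3des-cbc",
        "cast128-cbc", "idea-cbc"}

def parse_ciphers(config_text):
    """Return (mode, [ciphers]) from the first 'Ciphers' directive (first
    occurrence wins, as in ssh_config; Match blocks are ignored here).
    mode is '+', '-' or '^' when OpenSSH's list-modifier prefix is used."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)^ciphers[\s=]+(\S+)$", line)
        if not m:
            continue
        value = m.group(1)
        mode = value[0] if value[0] in "+-^" else ""
        return mode, [c for c in value[len(mode):].split(",") if c]
    return "", []

def classify(cipher):
    """Rate a single cipher name: forbidden, weak, cbc or ok."""
    if cipher in FORBIDDEN:
        return "forbidden"
    if cipher in WEAK:
        return "weak"
    if cipher.endswith("-cbc"):
        return "cbc"
    return "ok"

def audit(config_text):
    """Map every cipher in the directive to its rating. An empty dict means
    the OpenSSH default list applies; stock OpenSSH never offers 'none',
    which only exists with the hpn-ssh patch mentioned above."""
    _, ciphers = parse_ciphers(config_text)
    return {c: classify(c) for c in ciphers}

# Constructed sample fragments (not taken from the post).
WEAK_CONFIG = "Port 22\nCiphers arcfour,blowfish-cbc,none   # speed over safety\n"
HARDENED_CONFIG = "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```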
