How SSH Keys Can Transform Your Organization’s Security

Communication over an unsecured network carries many risks, ranging from session hacking and bandwidth theft to malware injection and data leaks. Cryptographic keys and secure communication protocols are one way to secure remote communication between users and machines over an open network.

The Secure Socket Shell (SSH) protocol generates SSH keys, which admins can use to authenticate both sides of a communication channel, facilitating secure device control, access, and data exchange. Securing SSH keys is necessary for ensuring the authentication of parties of the communication channel and the security of data and user activity without being restricted to an offline network.

SSH keys are pairs of asymmetric keys–one private and one public–that establish a secure and authentic communication channel between two parties over the web. You can think of them as a more secure alternative to standard passwords, where only users with real keys can access your network or server.

Organizations often use software to create key pairs, such as OpenSSH, which includes tools for key generation like SSH-Keygen, commonly found on Unix and Microsoft Windows operating systems. Specialized tools automate the key production process, allowing you to customize the keys using different cryptographic algorithms and decide whether to combine the key with a password to protect it while at rest for added security. 

SSH keys offer end users and organizations several benefits, including enhanced security, automation, and convenience. Since communication and authentication leverage asymmetric cryptography, private keys are less likely to be intercepted or compromised with brute-force attacks.

In industries with secure access to services and computing power, clients often prefer SSH keys over password authentication. This includes sectors like finance, healthcare, education, and manufacturing, where unique SSH keys are assigned to individual users.

SSH keys work on a public-private key per machine basis, where you need the pair to agree in order to access a server. The SSH protocol relies on the host server being able to recognize the user as an entity with access authorization in a sea of attempted logins from the internet. During the initial key exchange process, the protocol uses asymmetric cryptography, where the private key is only known to the user. In contrast, the public key is distributed to any SSH server the user attempts to access.

After the initial key exchange, the protocol then switches to symmetric encryption to construct a secure communication channel between the user and the server. The exchanged data is further encrypted using an authenticated encryption algorithm  to guarantee the confidentiality and the integrity of the data in transit in the case of an interception.

The SSH protocol consists of three types of keys, all working together to provide secure and authenticated access to servers.   

User keys are the private keys held by the user’s machine. They act as an alternative to passwords. A user key is part of the public-private key duo and is used to authenticate the user’s identity when communicating with the host server.

Even though private keys aren’t meant to be publically shared, they’re still at risk of being compromised through data breaches and leaks, which grant the infiltrator unauthorized access to the server.

The host key is the public part of the SSH key pair owned by the server. Both user and server are in possession of the other’s public key, allowing them to mutually verify identities during the handshake.

Because host keys are public, they aren’t at risk of being directly compromised. However, infiltrators can spoof a public key to trick honest users into connecting with their machine instead of the intended one.

Session keys are single-use symmetric keys that are nullified as soon as the session concludes, whether the user logs out or the session expires. They authenticate both parties involved in a key exchange, allowing them to decide on an encryption algorithm to secure the communication. Session keys pose a relatively low-security risk because they’re temporary.

As more and more companies and organizations store their data digitally in a separate location from their user base, reliably securing the connection is crucial. Depending on the application of the SSH protocol and the added layers of security and encryption, there are many benefits to securing your networks from SSH attacks:

SSH ports are virtual doorways that limit the access to a network server to users with a valid key pair or password. 

Data is usually most vulnerable when in-transit because whenever a remote user tries to access it, it’s exposed to the network. SSH keys provide the basis for establishing an encrypted communications tunnel that protects data from eavesdroppers and maintains its integrity during the session, ensuring only authorized individuals with valid keys have access to the data.

Depending on the type of data your company stores and handles, you might be subject to varying levels of strict local and federal regulations. Your ability to maintain data integrity and protect it from unauthorized access is usually a requirement of many mandatory and complementary certifications. The standards typically vary depending on whether it’s medical and patient data, financial information, or user activity logs.

Using network segmentation, SSH keys can be reliably used to regulate server access within an organization’s internal infrastructure. By minimizing the number of endpoints to a critical server, you can limit the possibility of an insider threat or data breach.

Thanks to automated features like key rotation, distribution, and automatic user authentication, relying on SSH keys simplifies the workload otherwise required to secure the simultaneous connections of hundreds, if not thousands, of users.

Depending on the size of the operation, managing SSH keys requires a mix of technical and security knowledge. A small team of skilled IT professionals with experience in system administration and different encryption key types is usually sufficient.

This is especially the case if you rely on specialized software for your communication and key generation, which automates much of the work. Without reliable skills, there’s an increased risk of compromising the keys or not using adequate encryption.

SSH keys are a security tool to suit the needs of your networks. By combining SSH keys with other security practices, experienced network security officers can achieve optimal results.

That’s not to say there aren’t SSH security best practices that apply to most cases. The average Fortune 500 company handles millions of SSH key pairs at any given moment, which makes generalized and blanket approaches to secure SSH keys standard industry practice.

Strong, unique SSH key passphrases add an additional layer of security to private keys. Using a dedicated credential manager lets you choose more secure passphrases that vary in length and complexity without having to worry about remembering them.

With the massive number of keys the average organization uses, it’s best to automate key rotation and distribution instead of relying on manual reminders and communication options. This ensures no SSH key remains in use long enough to become a potential system vulnerability.

Server hardening configurations should reflect the level of security you’re looking to achieve. Generally, you should consider limiting the number of user login attempts per hour or day, controlling IP address access, and setting sessions to automatically expire after an appropriate duration.

An SSH key size is typically proportional to the level of security it offers but inversely proportional to network traffic speeds. Most key generators let you choose a cryptographic key size between 256 and 4096 bits. When selecting the size, it’s also important to consider the cryptographic algorithm, as same-length keys can offer different levels of performance and security depending on the algorithm used during the SSH handshake.

Common algorithms used in SSH key encryption include RSA, ECDSA, and Ed25519. Ultimately, you want to set the encryption protocol to maximize security without expending unnecessary processing power.

Continuously monitor key usage, data traffic, and server attempts to differentiate suspicious behavior or areas of high risk. Gathering analytical data can also help enforce the weaker points in your server security and efficiently use your available resources.

The cybersecurity landscape is rapidly evolving, with zero-day exploits and new avenues of attacks emerging daily. It’s essential to continuously reevaluate your existing security structure to ensure it can withstand the most common attacks in your industry.

Regular advancements in computing power and encryption algorithms now allow for stronger SSH keys that are easier to distribute and manage on a larger scale. Working with your internal security team or expert network security providers is one of the best ways to stay up to date on how to secure SSH keys and mitigate SSH attacks for yourself and your users.

Just as SSH keys are a critical security tool for your network, Dashlane is an invaluable tool for protecting your credentials. Explore Dashlane’s security principles to see how we secure data and guard against potential cyberattacks.

Dashlane

Dashlane is a web and mobile app that simplifies password management for people and businesses. We empower organizations to protect company and employee data, while helping everyone easily log in to the accounts they need—anytime, anywhere.

Read more