Re: new SSH vulnerability?
From: CJ (hah@notonyerlife.com) Date: 03/13/02
- Next message: Markus Rietzler: "restrict client access"
- Previous message: Walter Hop: "Re: SSH and the zlib double-free vulnerability"
- In reply to: Alan: "new SSH vulnerability?"
- Next in thread: Simon Tatham: "Re: new SSH vulnerability?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "CJ" <hah@notonyerlife.com> Date: Wed, 13 Mar 2002 17:33:24 GMT
"Alan" <a__l__a__n@hotmail.com> wrote in message
news:e155108f.0203130822.631d4f2f@posting.google.com...
> A new attack has been published against symmetric encryption schemes
> that use CBC chaining and PKCS-5 padding (a pretty common
> combination). See
>
> http://dscwww.epfl.ch/EN/publications/abstract.asp?ID=200150
>
> Not being an expert on SSH protocol implementations myself, I thought
> this would be a good place to find out if SSH (particularly, OpenSSH)
> is vulnerable.
>
> HOW THE ATTACK WORKS
>
> Basically the attacker creates two-block messages consisting of one
> block R of his choice, followed by a second block C from a real
> message. He sends the message to the original recipient and observes
> the reaction. As part of the processing of the message, the recipient
> will symmetric-block-decrypt the second block, XOR the result with the
> (chosen) first block, and attempt to interpret the results as PKCS-5
> padding, and perhaps respond. If the response allows the attacker to
> infer whether or not the second block looks like a properly formatted
> padding block, he can use the recipient as an oracle in an adaptive
> chosen plaintext attack. In an expected time on the order of 128 * 8
> steps (for a 64 bit block as in 3DES) he can find a value of R that
> results in the PKCS-5 padding block P = {0x08 0x08 0x08 0x08 0x08 0x08
> 0x08 0x08}. XOR of this value of R with P yields the correct
> decryption of the original ciphertext C (which he then XOR's with the
> previous ciphertext block from the real message to get the original
> plaintext). Yikes!
>
> CONCLUDING QUESTIONS
>
> So the obvious questions for SSH are:
>
> 1) Does SSH use CBC and PKCS-5 for any symmetric-block-encrypted data
> exchange?
>
> 2) Does SSH leak enough information about improper padding blocks to
> indicate that the last block did / did not contain valid padding?
> That could be by directly telling this to the sender, or by the length
> of time to reply, etc, whether intentional or not.
>
> 3) If the answers to 1 and 2 are yes, is there a quick remedy that can
> be applied while waiting for a patch?
>
> What is the damage?
I thought ssh used asymmetric ??
Could be wrong.
CJ
----------------------------------------------------------------------------
Year 2000 never bothered me.
It's year 65536 that I'm worried about
----------------------------------------------------------------------------
H4x0R : I'm way cooler than you! I got 40 scrypts that can kill yer machine
sysop : Heh! Yeah right!
w33n3r: Yeah. I can nail you from here man ... gimme your ip and you're toast!
l4m3rz: Yeah .. we rock .. we're gonna fry your machine
sysop : Ok, I dare ya ... My ip is 127.0.0.1
H4x0R : ##Disconnected##
w33n3r: ##Disconnected##
l4m3rz: ##Disconnected##
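An added example, not part of this thread and not code from any SSH implementation, illustrating questions 1 and 2 of the quoted post from the receiving side: a decrypt-then-unpad receiver answers a crafted two-block message R||C with one of two distinguishable responses, while an encrypt-then-MAC receiver that checks the tag before touching the padding answers every modified message identically. The block cipher is a constructed toy 64-bit Feistel network (so the example runs offline with only the standard library), and the keys, message and crafted R values are constructed here; `r_ok` is derived with the secret key purely to show that the two responses exist, not as something a remote party could compute.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit block, as in the 3DES case discussed in the post
TAG_LEN = 32

class PaddingError(Exception):
    pass

# --- toy 64-bit Feistel cipher (constructed for this example; NOT a real cipher) ---
def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(right, key, rnd)))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = bytes(a ^ b for a, b in zip(right, _f(left, key, rnd))), left
    return left + right

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- PKCS#5 padding and CBC mode ---
def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs5_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid PKCS#5 padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # First block of the wire message acts as the IV: D(C) XOR R, exactly as the post describes.
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

# --- receiver A: decrypt-then-unpad, padding validity leaks as a distinct response ---
def leaky_receive(key: bytes, msg: bytes) -> str:
    pt = cbc_decrypt_raw(key, msg[:BLOCK], msg[BLOCK:])
    try:
        pkcs5_unpad(pt)
        return "ok"
    except PaddingError:
        return "bad padding"  # this distinction is the oracle from the post

# --- receiver B: encrypt-then-MAC, tag verified before any decryption or unpadding ---
def seal(key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(key, iv, pkcs5_pad(plaintext))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_receive(key: bytes, mac_key: bytes, msg: bytes) -> str:
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if len(body) < 2 * BLOCK or len(body) % BLOCK or not hmac.compare_digest(tag, expected):
        return "rejected"  # one response for every modified message, padding never inspected
    pkcs5_unpad(cbc_decrypt_raw(key, body[:BLOCK], body[BLOCK:]))
    return "ok"

def demo(key: bytes = b"k" * 16, mac_key: bytes = b"m" * 16) -> dict:
    sealed = seal(key, mac_key, b"hello world, ssh")   # constructed sample message
    c = sealed[:-TAG_LEN][-BLOCK:]                      # a genuine ciphertext block C
    # Crafted first blocks (computed with the key only to exhibit both responses).
    r_ok = xor(block_decrypt(key, c), bytes([BLOCK]) * BLOCK)   # yields padding 08 08 ... 08
    r_bad = xor(r_ok, b"\x00" * (BLOCK - 1) + b"\x01")          # last byte becomes 0x09
    forged_tag = b"\x00" * TAG_LEN
    return {
        "leaky": (leaky_receive(key, r_ok + c), leaky_receive(key, r_bad + c)),
        "hardened": (hardened_receive(key, mac_key, r_ok + c + forged_tag),
                     hardened_receive(key, mac_key, r_bad + c + forged_tag)),
        "genuine": hardened_receive(key, mac_key, sealed),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `("ok", "bad padding")` for the leaky receiver and `("rejected", "rejected")` for the hardened one, while the genuine sealed message still decrypts. The point for question 2 is structural: once the tag is checked with a constant-time comparison before decryption, neither the error message nor the time spent unpadding depends on the padding bytes, so there is nothing for a chosen-ciphertext sender to observe.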