Re: Can we decrypt ssh session?

From: William Peckham (mrwbp@attbi.com)
Date: 03/21/03


From: "William Peckham" <mrwbp@attbi.com>
Date: Fri, 21 Mar 2003 02:43:04 GMT

Actually it should be possible. If the captured textual data is reasonably
large, it should only take a few months of processing time. I cannot think
that it would be WORTH it though.

"Alan S H Lam" <shlam@ie.cuhk.edu.hk> wrote in message
news:3E7839B5.67DD3084@ie.cuhk.edu.hk...
> Thanks for the information. So it is impossible to decrypt the ssh session
> even for the first hour?
>
> Regards,
>
> Alan
>
> "Richard E. Silverman" wrote:
>
> > >>>>> "AL" == Alan S H Lam <shlam@ie.cuhk.edu.hk> writes:
> >
> > AL> Hi, Script-kiddies had broken into our system and installed a ssh
> > AL> backdoor. We have tcpdump all the ssh session and capture the sshd
> > AL> private key. Can we decrypt the ssh session from the tcpdump
> > AL> files?
> >
> > AL> From the tcpdump file, the sshd version should be
> > AL> SSH-1.5-1.2.27 and the ssh client should be
> > AL> SSH-1.5-PuTTY-Release-0.53b.
> >
> > No. Even SSH-1 provides forward secrecy using the "server key," an
> > ephemeral asymmetric key which is replaced every hour. So unless you also
> > managed to get a core dump of the running sshd which captured the server
> > key used for a connection, you will not be able to decrypt it except by
> > brute-force attack on a 768-bit RSA key. See:
> >
> > http://www.snailbook.com/docs/protocol-1.5.txt
> >
> > --
> > Richard Silverman
> > slade@shore.net
>

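Why the captured sshd private key alone does not open the tcpdump capture, as an added example that is not part of the original thread: in SSH-1.5 the client encrypts the session key with the smaller of the two server-side RSA keys (the ephemeral server key) and then with the larger (the host key). The sketch assumes textbook RSA without padding, toy key sizes built from known Mersenne primes, and omits the session-id XOR; all function names are hypothetical.

```python
# Toy model of the SSH-1.5 session-key exchange (textbook RSA, no padding).
# Key sizes are tiny and fixed so the demo is deterministic; the thread
# mentions a 768-bit server key for the real protocol.
import secrets

E = 65537  # public exponent shared by both toy keys (assumption)

def make_key(p, q):
    """Return (n, d) for the RSA key built from primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d

# Constructed keys from known Mersenne primes (illustration only).
HOST_N, HOST_D = make_key(2**107 - 1, 2**127 - 1)    # long-lived, stored on disk
SERVER_N, SERVER_D = make_key(2**61 - 1, 2**89 - 1)  # ephemeral, held in memory

def client_encrypt(session_key):
    """Client side: encrypt with the smaller (server) key, then the host key."""
    inner = pow(session_key, E, SERVER_N)
    return pow(inner, E, HOST_N)

def server_decrypt(wire_value, host_d, server_d):
    """Server side: both private exponents are needed to recover the key."""
    inner = pow(wire_value, host_d, HOST_N)
    return pow(inner, server_d, SERVER_N)

def strip_host_layer(wire_value, host_d):
    """What the host key alone yields: a value still encrypted to the server key."""
    return pow(wire_value, host_d, HOST_N)

def demo():
    # Force the top bit so the random key is never a trivial value like 0 or 1.
    session_key = secrets.randbits(128) | (1 << 127)
    wire = client_encrypt(session_key)        # the value visible in a capture
    inner = strip_host_layer(wire, HOST_D)    # analyst holding only the host key
    recovered = server_decrypt(wire, HOST_D, SERVER_D)
    return session_key, inner, recovered

if __name__ == "__main__":
    key, inner, recovered = demo()
    print("host key alone recovers session key:", inner == key)
    print("host + server key recovers session key:", recovered == key)
```

Once sshd regenerates the server key, the inner layer can only be removed by factoring that key's modulus, which is the brute-force case described in the quoted reply.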
