Re: Decrypting SSH traffic

Simon Tatham wrote:
> Steven Mocking <mocking@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > One should be able to decrypt SSH sessions from the captured traffic
> > using the host's private key of the honeypot, because AFAIK that key is
> > used to encrypt the symmetric random session key (blowfish).
>
> That information is both out of date and incomplete.

You're right. Should have figured that out earlier.

> I can't think of any method of doing what you want which doesn't
> leave _some_ means by which a sufficiently paranoid attacker might
> be able to detect it. The emulation option is probably the best in
> theory, since an emulated system can _in principle_ be made
> arbitrarily faithful to the real hardware it's emulating, but in
> practice it's not clear to me that it would be noticeably better
> than any of the other options.

What about physically reading a hardware RNG? Not going to do it, but in
theory it should work, while the attacker is unable to circumvent and/or
notice it.

For practical purposes, patching is probably easier.
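As an added illustration (not part of this thread), a Python sketch of why the host private key does not help with a captured SSH-2 session: the session key is derived from an ephemeral Diffie-Hellman exchange that the host key merely signs, so a honeypot operator who wants to read the traffic has to log the ephemeral secret on the server side, which is the "patching" option above. The group, hash inputs and encodings here are simplified stand-ins, not the RFC 4253 wire formats.

```python
import hashlib
import secrets

# Toy DH group for illustration only (constructed, NOT a real SSH group):
# P is the Mersenne prime 2**127 - 1; real SSH uses RFC 3526 groups or ECDH.
P = 2**127 - 1
G = 5

def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def exchange_hash(e, f, k):
    """Simplified stand-in for SSH-2's H = HASH(... || e || f || K).
    The host key only SIGNS this value; it never encrypts the session key."""
    return hashlib.sha256(b"%d|%d|%d" % (e, f, k)).digest()

def derive_session_key(k, h):
    """RFC 4253 7.2 style: key = HASH(K || H || "C" || session_id),
    with session_id taken to be H of this (first) exchange."""
    return hashlib.sha256(str(k).encode() + h + b"C" + h).digest()

def run_kex(exponent_log=None):
    """Simulate one DH key exchange. Returns what a passive capture sees
    (e, f) plus the key each side derived. A capture holds neither x nor y,
    so the host private key alone cannot yield K. If exponent_log is a dict,
    the server's ephemeral y is recorded in it (the honeypot 'patching' option)."""
    x, e = dh_keypair()          # client's ephemeral secret and public value
    y, f = dh_keypair()          # server's (honeypot's) ephemeral secret and value
    k_client = pow(f, x, P)      # shared secret as computed by the client
    k_server = pow(e, y, P)      # the same shared secret as computed by the server
    h = exchange_hash(e, f, k_server)
    if exponent_log is not None:
        exponent_log["y"] = y
    return {"e": e, "f": f,
            "client_key": derive_session_key(k_client, h),
            "server_key": derive_session_key(k_server, h)}

def recover_from_capture(e, f, y):
    """What the operator can do with the packet capture plus the logged
    ephemeral exponent: recompute K, then H, then the session key."""
    k = pow(e, y, P)
    return derive_session_key(k, exchange_hash(e, f, k))
```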