Flaw Made Public In OpenSSH Encryption 231
alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Patterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Patterson tells that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server to throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson. ... Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"
Re:Not much of a threat... (Score:3, Interesting)
Anyone else remember when Unix was the usual target, and MS/DOS the "safe" OS?
Design flaw (Score:5, Interesting)
Re:Why so much press on this? (Score:4, Interesting)
Noticed? A good firewall that is updated regularly by a traffic analyzer should have a rule set to drop or deny the retransmissions after the first few. I guess we could have a philosophical debate about whether running code "notices" something when it matches a pattern and crosses a threshold to trigger a rule. "Notice" to me usually connotes sentience, or at least animal consciousness.
Need to be worried? (Score:3, Interesting)
Of course, those numbers are regarding a specific distribution/ssh version, could be different for other versions, but still, looks somewhat hard to happen ever.
Re:To those wondering why they mention Debian (Score:4, Interesting)
The changelog for this version includes:
* Backport from upstream CVS (Markus Friedl):
- packet_disconnect() on padding error, too. Should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18.
This implies that older versions are more vulnerable. Not sure if this is what people are referring to as 5.2's countermeasures.
I wish people would try to understand CRYPTO hacks (Score:5, Interesting)
There are a whole suite of cyphers, including AES aka Rijhndael are configurable, have you done yours?, and not vulnerable.
Finally the protocol is trivially fixed.
Now I for one, whilst I have the highest respect for the work done by people like Ross Anderson and Schnieer am fed up to the back teeth with alarmism from governments, NGOs and academics -- all of which add up to give us more money.
If you dont know these researchers were working for the UK equivalent of Homeland Security and failed to inform SSH of the details of the attack, doubtless quoting National Security.
These people who parade nonsense should be tarred an feathered and sent on the next rail.
I wish people would take Mathematics seriously (Score:3, Interesting)
An continues to spread FUD.
The attack requires a Man in the Middle scenario, if I ssh into a random machine the MiM is __VERY__ unlikely to work unless the NSA and my ISP are in cahoots and I dont notice that connection takes a nonsensically longer time (15min v 3s),
Now comes the idiot who talks about rsync, and scripted connections, which, for brevity I did not address and tries to use multipicative probability leveling to try to convince us we have a problem; sorry now you need 1000+ MiM attacks, and fail to notice that they are failing, so you also dont notice a net cable kicked out, or a cable cut by a backhoe.
Look guys, get real, if you want to use statistics or probability learn some and understand contingent probability which is essential to risk evaluation.
Re:How vulnerable? (Score:3, Interesting)
Are you kidding? Security scanners can't go around overflowing buffers as part of a routine test. This could take down your entire network! Honestly...
Re:Old version = old news (Score:3, Interesting)
But where did those details get released? They are not on the zdnet article in the link. Based on the vague description, I have a guess about what the problem probably is. You take cipher block you want to get decrypted and send it in the position in the stream where the length of a message would be. The server then decrypts it and finds the length. If the length is a 32 bit field but only lengths up to 2^14 are valid, then it would explain the numbers in the description. If the length is invalid, the receiver will immediately break the connection and all you know is, that the 32 bit value was larger than a valid length. If the length is valid, the attacker starts sending garbage one byte at a time to the recipient, until the recipient breaks the connection. Then the attacker knows the 32 bits.
This could be fixed by not breaking the connection immediately. A fix could work like this. First you find out after how many bytes the connection would be broken for the longest valid size of a packet. If you receive a message with invalid length or invalid checksum, you receive more bytes and throw them away until you have received the maximum number of bytes for a message. Only then you report the problem (and make sure not to tell the peer if it was invalid length or invalid checksum). If your peer interrupts the connection before you receive all the additional bytes, you behave exactly as if they had done so before you had enough bytes to verify the checksum.