Firewall Wizards mailing list archives
RE: ssh holes? Trojans? [long]
From: Ben Nagy <bnagy () sa volante com au>
Date: Tue, 26 Sep 2000 15:08:46 +0930
-----Original Message-----
From: sean.kelly () lanston com [mailto:sean.kelly () lanston com]
Sent: Tuesday, 26 September 2000 4:02 AM
To: firewall-wizards () nfr net
Subject: RE: [fw-wiz] ssh holes? Trojans? [long]

> > From: Ben Nagy [mailto:bnagy () sa volante com au]
> >
> > In summary, though, it's quite hard to do what you want. What you're
> > effectively trying to do is mount an active man-in-the-middle (MitM)
> > attack against the protocol. Sadly, the ephemeral keying in the SSH
> > transport layer is signed Diffie-Hellman, which is resistant to MitM.
>
> This got me thinking. PGP supports the use of ADKs in its Diffie-Hellman
> keys (as the recent ADK bug hoopla would attest); could SSH do the same?
> I'm personally not a fan of ADKs, but it would enable monitoring of an SSH
> session.

You could probably perform a major overhaul of the protocol to make some
ADK-like behaviour happen, yes. I don't think you'd get much support from the
community, though. For example, if the SSH proxy knows the client's random
number it can work out all the keys by watching the wire. Thus a busted /
escrowed random sequence on the client could allow for snooping. Or whatever.

We're talking about a fundamentally different protocol, though. With PGP you
encrypt a symmetric key with the RSA public key and send it to the recipient -
there's no negotiation of a shared secret - the secret is unilaterally derived
by the sender and included with the message. If you're using ADKs you then
ALSO encrypt the same symmetric key with the public key of Eve (the
eavesdropper).

With Diffie-Hellman and SSH, the ephemeral keys that are used for content
encryption are derived interactively. I'm not a real crypto guy, so I can't
tell you for sure whether one of the DH parties can even force the resultant
keys into a weak group unilaterally, but I don't actually think so.

> Sean

So, in short, you could only do this by modifying the protocol or hacking up a
trojaned client - and if you're doing that there are much easier ways of
making the snooping work.

Background - Basic Diffie-Hellman
Ref: Schneier, Applied Crypto, Chapter 22.1

We get a big number, G, and a big prime P. There are known-good numbers to use
for G and P. The SSH drafts even have a mandatory G listed.

Alice wants to create a shared secret with Bob. Alice Just Makes Up a number,
which I'm calling A. Bob's Made Up Number is B.

Alice sends Bob ALICE, which is G^A mod P. Nobody can work out A unless they
can compute the discrete log of G^A mod P, which is hard.

Bob sends Alice BOB, which is G^B mod P. Ditto for stealing B.

Alice then works out BOB^A mod P. Bob gets ALICE^B mod P. These numbers are
both the same and work out to be G^AB mod P - that's our shared secret. Nifty.

Note that this is an interactive protocol. I don't think Alice can force the
final result to be weak, because the discrete log problem is always at least
as hard as G^B mod P (even if Alice picks 1 for A). However, a weak A can lead
to an attacker computing A if they are watching the exchange, which then
breaks the protocol.

I'll leave the MitM attack against this basic protocol as an exercise. It's
easy - that's why SSH uses _signed_ Diffie-Hellman.

Sorry if that made no sense - I warned you, though.

Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
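The exchange Ben walks through, carried into working code as an added example (this is not part of his post, the SSH drafts, or any SSH implementation). It builds the basic G^A / G^B exchange, then adds the one thing that separates "basic DH" from "signed DH": Bob signs a hash of both public values and the resulting secret with a host key, and Alice refuses the secret unless that signature checks out against the host public key she trusts. The group parameters P and G, the host key and the private exponents are all constructed toy values, and the signature is a textbook Schnorr signature in the same group rather than an SSH host-key algorithm; the point is to show what the signature check catches that the plain exchange does not.

```python
"""Toy Diffie-Hellman, plain and signed, following the exchange in the post.

All parameters are constructed for illustration: the prime is tiny compared
with the SSH drafts' mandatory group, and the host signature is a textbook
Schnorr signature over the same group (an assumption, not SSH's algorithms).
"""
import hashlib

# Public parameters (constructed; far too small for real use).
P = 2**127 - 1   # a Mersenne prime, so Z_P^* has order P - 1
G = 3
Q = P - 1        # exponents are reduced mod P - 1 (Fermat)

# Constructed host key: private x, public y = G^x mod P.
HOST_PRIVATE = 0x5EED
HOST_PUBLIC = pow(G, HOST_PRIVATE, P)


def dh_public(private):
    """ALICE = G^A mod P, or BOB = G^B mod P."""
    return pow(G, private, P)


def dh_shared(peer_public, private):
    """BOB^A mod P == ALICE^B mod P == G^(A*B) mod P: the shared secret."""
    return pow(peer_public, private, P)


def h(*parts):
    """SHA-256 over the decimal encodings of the given integers, as an int."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(x, message):
    """Schnorr signature (e, s); k is derived from (x, message) so that
    signing is deterministic and never reuses a nonce across messages."""
    k = h(x, message) % Q or 1
    r = pow(G, k, P)
    e = h(r, message) % Q
    s = (k - x * e) % Q
    return e, s


def verify(y, message, sig):
    """Recompute r' = G^s * y^e (== G^k when honest) and check H(r', m) == e."""
    e, s = sig
    r_prime = (pow(G, s, P) * pow(y, e, P)) % P
    return h(r_prime, message) % Q == e


def server_side(alice_pub, b):
    """Bob: send BOB, derive the secret, sign the whole transcript."""
    bob_pub = dh_public(b)
    secret = dh_shared(alice_pub, b)
    sig = sign(HOST_PRIVATE, h(alice_pub, bob_pub, secret))
    return bob_pub, secret, sig


def client_side(a, received_bob_pub, sig, check_signature):
    """Alice: derive the secret from whatever value arrived as BOB, then
    decide whether to accept it. Returns (secret, accepted)."""
    alice_pub = dh_public(a)
    secret = dh_shared(received_bob_pub, a)
    if not check_signature:
        return secret, True   # basic DH: nothing ties the value to Bob
    ok = verify(HOST_PUBLIC, h(alice_pub, received_bob_pub, secret), sig)
    return secret, ok


def run_exchange(a, b, check_signature, substituted_bob_pub=None):
    """Simulate one exchange. If substituted_bob_pub is given, that value
    reaches Alice in place of BOB (modelling a modified value on the wire).
    Returns (alice_secret, bob_secret, alice_accepts)."""
    alice_pub = dh_public(a)
    bob_pub, bob_secret, sig = server_side(alice_pub, b)
    seen = bob_pub if substituted_bob_pub is None else substituted_bob_pub
    alice_secret, accepts = client_side(a, seen, sig, check_signature)
    return alice_secret, bob_secret, accepts


if __name__ == "__main__":
    a, b = 123456789, 987654321          # constructed private exponents
    sa, sb, ok = run_exchange(a, b, check_signature=True)
    print("honest, signed:   same secret =", sa == sb, " accepted =", ok)
    sa, sb, ok = run_exchange(a, b, False, substituted_bob_pub=dh_public(42))
    print("modified, basic:  same secret =", sa == sb, " accepted =", ok)
    sa, sb, ok = run_exchange(a, b, True, substituted_bob_pub=dh_public(42))
    print("modified, signed: same secret =", sa == sb, " accepted =", ok)
```

The third run is the property Ben is relying on: when the value Alice receives is not the one Bob signed, the basic exchange completes with two different "shared" secrets and nobody notices, while the signed exchange fails verification and Alice never keys the session. This also shows why the check has to be over a transcript the host key vouches for; the signature binds ALICE, BOB and the derived secret together, not just BOB.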
Current thread:
- RE: ssh holes? Trojans? [long] Ben Nagy (Sep 20)
- Re: ssh holes? Trojans? [long] Magosányi Árpád (Sep 22)
- Re: ssh holes? Trojans? [long] Robert Collins (Sep 22)
- <Possible follow-ups>
- RE: ssh holes? Trojans? [long] Ben Nagy (Sep 25)
- Re: ssh holes? Trojans? [long] Magosányi Árpád (Sep 26)
- RE: ssh holes? Trojans? [long] sean . kelly (Sep 25)
- RE: ssh holes? Trojans? [long] Ben Nagy (Sep 26)