Bugtraq mailing list archives
Re: SSH1 key recovery patch
From: Markus Friedl <markus.friedl () INFORMATIK UNI-ERLANGEN DE>
Date: Thu, 22 Feb 2001 21:59:40 +0100
On Thu, Feb 22, 2001 at 11:49:45AM -0500, Dan Astoorian wrote:
> On Wed, 21 Feb 2001 15:37:45 EST, Markus Friedl writes:
> > OpenSSH checks whether the two calls to rsa_private_decrypt() succeed
> > and the resulting session key has the correct size. Otherwise it just
> > uses a 'random' session key. Now the attacker no longer can tell
> > whether the RSA operations failed and the oracle is (almost) closed.
> [...]
>
> As much as I hate to point out possible problems without proposing
> solutions to them: Has anyone performed any sort of analysis as to
> whether there are any significant timing differences between the cases
> where the RSA operations succeeded and where they failed--whether due to
> differences in the amount of time taken by rsa_private_decrypt() (etc.)
> in the two cases, or the time taken to prepare the 'random' session key?

(1) the padding check is _after_ the expensive mod_exp-operation in
    rsa_private_decrypt(), so there is no significant timing difference
    in rsa_private_decrypt().
(2) the 'random' session key is generated by 'md5' operations and
    time (md5) << time (2*rsa_private_decrypt).

so, in this case, the timing difference is not an issue.

-markus
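
The countermeasure discussed in this message, as an added Python sketch that is not part of the original post and is not OpenSSH code: the private-key operation always runs before the padding check, and any failure or wrong-size result is silently replaced by a hash-derived key. Assumptions: a single RSA layer instead of SSH1's two, a constructed toy key, a 32-byte session key, and hypothetical names (`fallback_key`, `recover_session_key`) with a fallback derivation chosen for this example.

```python
import hashlib
import os

# Constructed toy key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes
KEY_LEN = 32                    # session key size assumed for this example

def encrypt(msg: bytes) -> int:
    """Client side: PKCS#1 v1.5 type 2 padding, then the RSA public operation."""
    ps = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(msg)))  # nonzero padding
    return pow(int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big"), E, N)

def rsa_private_decrypt(c: int):
    """Run the expensive mod_exp unconditionally; check the padding only afterwards."""
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:   # wrong header, no separator, or short pad
        return None
    return em[sep + 1:]

def fallback_key(c: int, secret: bytes) -> bytes:
    """Cheap md5-derived 'random' key (the derivation is this example's assumption)."""
    seed = secret + (c % N).to_bytes(K, "big")
    return hashlib.md5(seed + b"A").digest() + hashlib.md5(seed + b"B").digest()

def recover_session_key(c: int, secret: bytes) -> bytes:
    """Server side: never report an RSA failure; always return a key of the right size."""
    key = rsa_private_decrypt(c)
    if key is None or len(key) != KEY_LEN:
        # md5 cost is small next to the mod_exp above, which is point (2) of the post
        key = fallback_key(c, secret)
    return key

if __name__ == "__main__":
    secret = os.urandom(16)                  # per-server secret, constructed here
    good = os.urandom(KEY_LEN)
    print(recover_session_key(encrypt(good), secret) == good)    # valid ciphertext
    print(len(recover_session_key(1, secret)))                   # bad padding
    print(len(recover_session_key(encrypt(b"short"), secret)))   # wrong key size
```

In all three cases the caller receives a 32-byte key and continues the handshake, so the only remaining signal is the timing difference the post argues is negligible.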