Bugtraq mailing list archives

Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability


From: David Wagner <daw () MOZART CS BERKELEY EDU>
Date: Sat, 10 Feb 2001 08:31:55 GMT

Maybe there's a lesson to be learned from this SSH advisory: "Attacks
always get better; they never get worse" [1].

I spent a little time looking for Bleichenbacher attacks on SSH more than
two years ago.  There was obviously a side channel disclosing decryption
failures, but the best attack I could find was an obscure 'academic
attack' that had fairly hefty resource requirements: 2^20 interactions
with the server, and ability to do TCP hijacking.

At the time, I interpreted this as only a very minor attack, due to the
strong assumptions required.  Back in June 1998, I fired off a warning
note to all the SSH folks I could think of [2], but quickly gave up and
forgot about the whole thing when I never heard back from anyone [3].

I was mistaken in my assessment.  We now know that Bleichenbacher
attacks are a real threat.  CORE SDI has described an insightful advance
in analysis, a clever trick that can be used to exploit the same side
channel that I wrongly considered useful only for academic attacks [4].
In short, I'm impressed by CORE SDI's contributions and humbled at
overlooking the possibility for practical attacks.

The lesson here seems clear.  I should have known better: the mere
presence of the side channel should have been enough justification
to justify fixing the code, despite the impractical nature of attacks
known then.  Attacks only get better, and once the attacker gets a foot
in the door with this sort of weakness, who knows where it will all end?
Next time, maybe I'll know better; in the meantime, I thought the lesson
might be worth mentioning.



[1] I'm indebted to Bruce Schneier for this observation; see his April
15th Crypto-gram newsletter.

[2] http://www.cs.berkeley.edu/~daw/tmp/ssh
Available upon request (my website seems to be down at the moment,
but hopefully will be back).

[3] As a side note, this indicates to me that the vulnerability reporting
process in place at SSH could probably be improved.  I sent several
repeated emails, but never once heard back from anyone, and soon
gave up.

[4] As one who has been previously guilty of perpetrating an 'academic
attack' or two (when your analysis starts with "first guess 192 bits of
the key", you know you're in the land of 'academic attacks'!), it seems
that I can err equally well in both directions...
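The side channel the post refers to is a server that tells its peer whether the RSA-PKCS#1 v1.5 unwrapping of the session key succeeded. The following is an added illustration, not code from the post, from SSH, or from CORE SDI: a toy key-exchange server written two ways, one that reports the padding failure (the observable the post describes) and one that applies the standard countermeasure of substituting a random session key so every malformed ciphertext is handled identically. The RSA key (two Mersenne primes), the 16-byte session-key length and the function names are constructed for the demonstration and are not secure parameters.

```python
import secrets

# Constructed toy RSA key built from two Mersenne primes so the example runs
# instantly offline. Such a key is NOT secure; it only makes padding visible.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8    # modulus length in bytes (30 here)
KEY_LEN = 16                      # session key length the server expects (assumed)


def rsa_encrypt(em: bytes) -> int:
    return pow(int.from_bytes(em, "big"), E, N)


def rsa_decrypt(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def pkcs1_wrap(msg: bytes) -> int:
    """Client side: EM = 0x00 || 0x02 || PS || 0x00 || M, PS = nonzero random bytes."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return rsa_encrypt(b"\x00\x02" + ps + b"\x00" + msg)


def pkcs1_unwrap(em: bytes):
    """Return the payload if EM is a well-formed type-2 block, else None.
    The whole block is scanned instead of returning at the first bad byte."""
    good = em[0] == 0x00 and em[1] == 0x02
    sep = -1
    for i in range(2, len(em)):
        if em[i] == 0 and sep < 0:
            sep = i
    good = good and sep >= 10     # PS must be at least 8 bytes long
    return em[sep + 1:] if good else None


def leaky_server(c: int):
    """Reports the decryption failure to the peer: the side channel the post describes."""
    key = pkcs1_unwrap(rsa_decrypt(c))
    if key is None or len(key) != KEY_LEN:
        return "padding error", None
    return "ok", key


def hardened_server(c: int):
    """Never signals a padding failure. A random key is substituted instead, so
    the handshake fails later (bad MAC) in the same way for every malformed input."""
    key = pkcs1_unwrap(rsa_decrypt(c))
    fallback = secrets.token_bytes(KEY_LEN)
    if key is None or len(key) != KEY_LEN:
        key = fallback
    return "ok", key


if __name__ == "__main__":
    session_key = secrets.token_bytes(KEY_LEN)
    c = pkcs1_wrap(session_key)
    bad = rsa_encrypt(b"not a padded block")      # constructed malformed ciphertext
    print("leaky, valid:    ", leaky_server(c)[0])
    print("leaky, malformed:", leaky_server(bad)[0])
    print("hardened, valid:    ", hardened_server(c)[0])
    print("hardened, malformed:", hardened_server(bad)[0])
```

The point is the one the post makes: the hardened variant is justified by the mere existence of a distinguishable failure response, not by how expensive any known attack on it is. Note that this only closes the explicit error-message channel; equalising timing between the two paths is a separate job that needs constant-time code, which plain Python cannot promise.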
