Bugtraq mailing list archives
Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
From: David Wagner <daw () MOZART CS BERKELEY EDU>
Date: Sat, 10 Feb 2001 08:31:55 GMT
Maybe there's a lesson to be learned from this SSH advisory: "Attacks always get better; they never get worse" [1].

I spent a little time looking for Bleichenbacher attacks on SSH more than two years ago. There was obviously a side channel disclosing decryption failures, but the best attack I could find was an obscure 'academic attack' that had fairly hefty resource requirements: 2^20 interactions with the server, and ability to do TCP hijacking. At the time, I interpreted this as only a very minor attack, due to the strong assumptions required. Back in June 1998, I fired off a warning note to all the SSH folks I could think of [2], but quickly gave up and forgot about the whole thing when I never heard back from anyone [3].

I was mistaken in my assessment. We now know that Bleichenbacher attacks are a real threat. CORE SDI has described an insightful advance in analysis, a clever trick that can be used to exploit the same side channel that I wrongly considered useful only for academic attacks [4]. In short, I'm impressed by CORE SDI's contributions and humbled at overlooking the possibility for practical attacks.

The lesson here seems clear. I should have known better: the mere presence of the side channel should have been enough justification to fix the code, despite the impractical nature of attacks known then. Attacks only get better, and once the attacker gets a foot in the door with this sort of weakness, who knows where it will all end? Next time, maybe I'll know better; in the meantime, I thought the lesson might be worth mentioning.

[1] I'm indebted to Bruce Schneier for this observation; see his April 15th Crypto-gram newsletter.
[2] http://www.cs.berkeley.edu/~daw/tmp/ssh Available upon request (my website seems to be down at the moment, but hopefully will be back).
[3] As a side note, this indicates to me that the vulnerability reporting process in place at SSH could probably be improved. I sent several repeated emails, but never once heard back from anyone, and soon gave up.
[4] As one who has been previously guilty of perpetrating an 'academic attack' or two (when your analysis starts with "first guess 192 bits of the key", you know you're in the land of 'academic attacks'!), it seems that I can err equally well in both directions...
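The side channel the post is about, as an added example that is not part of the original message and not SSH's or CORE SDI's code: a toy PKCS#1 v1.5 RSA decryptor that reports padding failures to its caller, Bleichenbacher's CRYPTO '98 attack driven by nothing but that failure signal, and the countermeasure later standardised for TLS (substitute a pseudo-random session key on bad padding instead of signalling). Everything in it is constructed here: the 234-bit key built from two Mersenne primes (far too small for real use), the 16-byte session key, and all function names. It demonstrates the general attack on the oracle, not the specific SSH1 exploitation trick the advisory describes.

```python
import hashlib
import hmac
import os

# Toy RSA key from two Mersenne primes (assumption: 234-bit modulus, far too small for real use).
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (30)
B = 1 << (8 * (K - 2))          # Bleichenbacher's B: a conformant block is an integer in [2B, 3B)
SECRET = os.urandom(32)         # server-side secret for the hardened decryptor's fallback key

def pkcs1_pad(key: bytes) -> int:
    """PKCS#1 v1.5 type-2 block 00 02 <nonzero padding> 00 <key>, as an integer."""
    ps_len = K - 3 - len(key)
    ps = bytes(b for b in os.urandom(4 * ps_len) if b)[:ps_len]   # drop zero bytes
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + key, "big")

def rsa_decrypt_leaky(c: int) -> bytes:
    """Decryption that reports padding failure to the caller, and hence to the peer.
    Only the two leading bytes are checked (the weakest oracle); a stricter check just
    costs the attacker more queries, since the attack relies on 'yes' answers alone."""
    em = pow(c, D, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")    # the side channel
    return em[em.find(b"\x00", 2) + 1:]    # no separator -> garbage key, not an error

def padding_oracle(c: int) -> bool:
    """All the attacker observes: did decryption of c succeed?"""
    try:
        rsa_decrypt_leaky(c)
        return True
    except ValueError:
        return False

def rsa_decrypt_hardened(c: int, key_len: int) -> bytes:
    """TLS countermeasure (RFC 5246, 7.4.7.1): on bad padding substitute a pseudo-random
    key of the expected length and carry on, so the peer sees only a later MAC failure
    that looks exactly like a wrong guess."""
    em = pow(c, D, N).to_bytes(K, "big")
    fallback = hmac.new(SECRET, c.to_bytes(K, "big"), hashlib.sha256).digest()[:key_len]
    sep = em.find(b"\x00", 2)
    key = em[sep + 1:] if sep >= 0 else b""
    return key if em[:2] == b"\x00\x02" and len(key) == key_len else fallback

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def bleichenbacher(c: int, oracle) -> tuple:
    """Recover m = c^D mod N for a conformant c from the oracle alone (Bleichenbacher,
    CRYPTO '98, steps 2-4; blinding is skipped since c is conformant already).
    Returns (m, number of oracle queries)."""
    queries = 0

    def conformant(s: int) -> bool:
        nonlocal queries
        queries += 1
        return oracle((c * pow(s, E, N)) % N)   # this ciphertext decrypts to m*s mod N

    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)                      # step 2a: smallest s that can possibly work
    while not conformant(s):
        s += 1
    while True:
        new_M = set()                           # step 3: every 'yes' narrows the intervals
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo, hi = max(a, ceil_div(2 * B + r * N, s)), min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.add((lo, hi))
        M = sorted(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:  # step 4: interval collapsed onto m
            return M[0][0], queries
        if len(M) > 1:                          # step 2b: next conformant s by linear search
            s += 1
            while not conformant(s):
                s += 1
        else:                                   # step 2c: one interval left, jump s ahead
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                s = next((t for t in range(lo, hi + 1) if conformant(t)), None)
                if s is not None:
                    break
                r += 1

def demo(key: bytes = b"sixteen byte key") -> dict:
    """Attack the leaky decryptor, then show the hardened one beside it (constructed input)."""
    m = pkcs1_pad(key)
    c = pow(m, E, N)
    recovered, queries = bleichenbacher(c, padding_oracle)
    bad_c = pow(3 * B, E, N)                    # decrypts to 00 03 ...: never conformant
    return {"exact": recovered == m, "queries": queries,
            "recovered_key": recovered.to_bytes(K, "big")[-len(key):],
            "hardened_good": rsa_decrypt_hardened(c, len(key)),
            "hardened_bad": rsa_decrypt_hardened(bad_c, len(key))}
```

`demo()` recovers the session key from the ciphertext using only the accept/reject answers, and reports how many queries that took; the count grows with the modulus size and with how strict the padding check is, which is why the point of `rsa_decrypt_hardened` is not to make the check stricter but to stop answering at all. Note that the hardened version returns a key of the right length on both paths, so a wrong ciphertext produces nothing the peer can distinguish from a correct one with a wrong key; in a real implementation the two paths must also run in constant time, which this Python sketch does not attempt.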