SSH vs. IKE trust models (was Re: Insecure IKE Implementations Clarification)

[Thor Lancelot Simon <tls () rek tjls com>]

On Fri, Dec 12, 2003 at 11:25:55PM +0100, Florian Weimer wrote:
> Thor Lancelot Simon wrote:
>
> > Yes and no.  SSH is not, by itself, a network-layer encryption solution,
> > and there are many applications where that's really desirable.  The other
> > issue is, of course, that SSH's model for authenticating host identities
> > is, itself, a mess: in this day and age, it is not acceptable to just
> > punt on the problem of first contact and pretend that users will reasonably
> > exchange key fingerprints offline.
>
> You don't exchange fingerprints, you just store them.  Previously, I

Indeed, and you have no way to know that you are storing the right
fingerprint.

> > The widespread success of sniffing and MITM attacks on the SSH
> > protocol -- all due to users not doing what the protocol, by omitting
> > any means of using a hierarchy or web to validate host keys, requires
> > them to do -- should be proof enough of this.
>
> There are very few such attacks in the wild.  Most machines which do not

That's not true; such attacks have been widely documented at every recent
IETF meeting.

Nothing prevents you from using certificate-authenticated IKE the exact
same way you use your web browser: store individual host certificates,
instead of the root certificate and the DNs of the parties you expect to
connect to.  However, nothing *enables* you to use SSH with either a
hierarchical trust model (which you seem to not like) or a web-of-trust
model (ala PGP) where you decide whom to trust and how much, because
both have been proposed to the working group and both have been,
effectively, shot down.  As I said, that is very unfortunate, and the
dsniff and other attacks at recent IETF meetings and elsewhere (e.g. on
college campus networks) illustrate that real users are suffering for
it in the real world right now.

Thor