IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: draft minutes from meeting at ietf50..
I suggest that the following paragraphs be included in the transport
draft. They contain recommendations for the size of private exponent
in the DH key exchange, and mention security problems related to
traffic analysis.
Greetings,
Niels.
Implementation Notes:
To increase the speed of the key exchange, both client and server may
reduce the size of their private exponents. It should be at least
twice as long as the key material that is generated from the shared
secret. For more details see the paper by van Oorschot and Wiener
[A].
[A] P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology -
EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
An adversary can listen to SSH network traffic to determine the length
of authentication passwords typed during login and interactive shell
sessions [B]. Using packet timing analysis, it is also possible to
infer the probability of letter combinations in the typed passwords
[C]. SSH servers and clients MAY send SSH_MSG_IGNORE messages to
mitigate the impact of traffic analysis.
[B] OpenWall Security Advisory, Passive Analysis of SSH (Secure
Shell) Traffic,
http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
[C] Dawn Song, David Wagner and Xuqing Tian, Keystroke Analysis and
SSH Timing Attacks, 10th USENIX Security Symposium, August 2001
Home |
Main Index |
Thread Index |
Old Index