IETF-SSH archive


Re: an attack against SSH2 protocol



On Fri, Feb 08, 2002 at 02:50:29PM -0500, Bill Sommerfeld wrote:
> So, I'm surprised to see no technical comments on this so far, either
> here or on my local view of sci.crypt.

I have received some comments through private email. Apparently the exact
same weakness was known for IPSec and may also exist in TLS (I haven't
read enough of its RFC to be sure) so this seems to be a common problem.

(We really should drop the rule of thumb "use CBC mode unless there's a
reason not to" and replace it with "use CTR mode unless there's a reason
not to".)

> The attack appears to be extremely narrow -- to restate it
> (please correct me if I'm wrong)
>  - real-time adaptive chosen plaintext attack
>  - attacker can verify a guess at one block of plaintext occurring
> immediately before the injected plaintext

No, the attacker can verify a guess of any previous block of plaintext,
not just the block immediately before the injected plaintext.

>  - the chosen plaintext is chosen based on the ciphertext of the
>  guessed plaintext. 
> 
> I do have to question the arcfour/RC4 recommendation, though -- as
> currently specified, ssh is vulnerable to the RC4 "weak key" problem
> because, as specified, it doesn't discard the start of the keystream.
> (fixing this has been discussed, but there seemed to be very little
> interest in doing work on RC4/arcfour when this was last raised).

That's why I didn't recommend ARC4, only suggested that it be considered
as an alternative while a better fix is implemented.

> Moreover, it appears to be fairly straightforward to make an
> implementation resist the attack while retaining interoperability:

This suggested fix is based on the above misunderstanding, and so doesn't
work.

I still think the easiest fix is to deprecate the existing CBC mode
ciphers and define new ciphers in OFB, CFB, or CTR modes. I suggest CTR
mode unless there's a reason not to use that, but we may also want to
define ciphers in other modes as a backup (in case some problem with CTR
mode is discovered down the road).
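
The guess-verification property described in this thread, as an added example that is not part of the original message or of any SSH implementation: with chained IVs, the IV of the next packet is the last ciphertext block of the previous one, so anyone who saw that ciphertext can craft one block whose encryption equals an earlier ciphertext block exactly when a guess at the corresponding plaintext block is correct. The same injection against a CTR stream gives no such test. A toy SHA-256 Feistel network stands in for a real block cipher (an assumption made so the script runs offline); the property shown depends only on the CBC chaining, not on the cipher. All keys, IVs and the "secret" packet are constructed sample values.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, like AES


def _round(key: bytes, half: bytes, r: int) -> bytes:
    """Keyed round function (PRF) for the toy cipher: 8 bytes of SHA-256."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: 4-round Feistel network (stand-in for AES).
    A Feistel network is a permutation for any round function, which is all
    the CBC argument below relies on."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _round(key, right, r))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes):
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


class CbcChainedSession:
    """Models the pre-fix SSH2 CBC stream: the IV for each packet is the last
    ciphertext block of the previous packet (so it is known to an observer)."""

    def __init__(self, key: bytes, iv: bytes):
        self.key, self.iv = key, iv

    def encrypt(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        out, prev = [], self.iv
        for p in split_blocks(plaintext):
            prev = block_encrypt(self.key, xor(p, prev))
            out.append(prev)
        self.iv = prev  # chained IV carried into the next packet
        return b"".join(out)


class CtrSession:
    """CTR mode: each block is XORed with E(K, counter); counters never repeat."""

    def __init__(self, key: bytes, counter: int):
        self.key, self.ctr = key, counter

    def encrypt(self, plaintext: bytes) -> bytes:
        out = []
        for p in split_blocks(plaintext):
            keystream = block_encrypt(self.key, self.ctr.to_bytes(BLOCK, "big"))
            self.ctr += 1
            out.append(xor(p, keystream))
        return b"".join(out)


def cbc_guess_confirms(session, packet_iv, observed_ct, target_idx, guess):
    """Observer saw packet (packet_iv, observed_ct), knows the next IV
    (session.iv == last block of observed_ct) and gets one chosen block
    encrypted. Injecting next_iv ^ C[i-1] ^ guess makes the cipher compute
    E(C[i-1] ^ guess), which equals C[i] = E(C[i-1] ^ P[i]) iff guess == P[i].
    Works for any earlier block i, not only the one just before the injection."""
    blocks = split_blocks(observed_ct)
    c_prev = packet_iv if target_idx == 0 else blocks[target_idx - 1]
    injected = xor(xor(session.iv, c_prev), guess)
    return session.encrypt(injected) == blocks[target_idx]


def ctr_guess_confirms(session, observed_ct, target_idx, guess):
    """Same injection against CTR: the chosen block meets a fresh keystream
    block, so equality with C[i] happens only by chance (about 2^-128),
    whether or not the guess is right. There is no verification oracle."""
    blocks = split_blocks(observed_ct)
    return session.encrypt(guess) == blocks[target_idx]


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()
    iv0 = hashlib.sha256(b"constructed demo iv").digest()[:BLOCK]
    # Constructed 3-block "secret" packet; block 1 is the target of the guess.
    secret = b"login: alice    " + b"password: hunter" + b"2; shell=/bin/sh"

    cbc = CbcChainedSession(key, iv0)
    packet_iv = cbc.iv
    ct = cbc.encrypt(secret)
    cbc_right = cbc_guess_confirms(cbc, packet_iv, ct, 1, b"password: hunter")
    cbc_wrong = cbc_guess_confirms(cbc, packet_iv, ct, 1, b"password: letmei")

    ctr = CtrSession(key, 1)
    ct2 = ctr.encrypt(secret)
    ctr_right = ctr_guess_confirms(ctr, ct2, 1, b"password: hunter")

    return {"cbc_right_guess": cbc_right, "cbc_wrong_guess": cbc_wrong,
            "ctr_right_guess": ctr_right}


if __name__ == "__main__":
    print(demo())
```

Only the CBC session returns True for the correct guess and False for the wrong one; in CTR mode even the correct guess yields no confirmation, which is the reason the thread recommends defining the ciphers in CTR (or another mode that does not reuse a predictable IV) rather than patching CBC chaining.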
