IETF-SSH archive


Re: potential disclaimer for the transport draft.



On Mon, Mar 18, 2002 at 10:20:40AM -0500, Bill Sommerfeld wrote:
> Preliminary analysis of this attack as applied to the SSH protocol
> suggests that the protocol is actually fairly resistant to this
> attack; while estimates vary, it appears that, on average, an attacker
> would have to inject tens or hundreds of millions of chosen plaintexts
> to confirm guesses on the value of a few unknown plaintexts.

I think this paragraph is not accurate. Specifically, the protocol itself is
not resistant, rather it's the current implementations that are somewhat
resistant, and the attacker does not have to inject tens of millions of
chosen plaintexts, he just needs to cause tens of millions of packets to
be sent, and do one chosen plaintext at the right moment.

> While this attack involves less work than a brute-force attack on the
> underlying cipher (and is thus a matter of some concern), it is also
> likely to be significantly more difficult than attacks on other parts
> of a system using the SSH protocol, and so is unlikely to be an
> immediate risk to real-world systems.  

I don't think it's the case that the attack is unlikely to be an immediate
risk to real-world systems. On any particular system, it's probably not
the biggest hole, but it quite likely is the biggest hole on *some*
real-world systems.

> Due to this document's
> recommendation that rekeying occur once an hour, an attacker also has
> a limited amount of time to complete any particular attack.

I suggest rewording this section of the warning as follows:

Preliminary analysis of this attack as applied to the SSH protocol
suggests that current implementations of the protocol contain a number of
limitations which have the side effect of hindering the attack. As a
result the attacker must at least cause tens of millions of packets to be
sent over the same connection and encrypted with the same key before the
attack has a reasonable chance of success. Due to this document's
recommendation that rekeying occur once an hour, an attacker also has a
limited amount of time to complete any particular attack. 

While this attack involves less work than a brute-force attack on the
underlying cipher (and is thus a matter of some concern), it is also
likely to be significantly more difficult than attacks on other parts of a
system using the SSH protocol.

---

Also, I think we need to say something to the effect that once the new
modes are defined, CBC ciphers should be considered deprecated and no
longer REQUIRED or RECOMMENDED, so that future users are not confronted
with the choice of CBC mode.
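Added example (not part of the archived message or of the transport draft): a runnable model of why a single chosen plaintext "at the right moment" is enough to confirm a guess. The thread does not spell out the mechanism; the example assumes it is the CBC chained-IV problem that the "new modes" were introduced to replace, namely that the CBC state carries over between packets, so the IV of packet n+1 is the last ciphertext block of packet n and is visible on the wire. The block cipher is a toy Feistel construction standing in for 3DES/AES, and the key, the victim packet and the guessed passwords are all constructed here. With the state chained, the attacker picks X = C[i-1] xor guess xor IV_next; the victim then sends E(X xor IV_next) = E(C[i-1] xor guess), which equals C[i] exactly when the guess is right. The same attack is run a second time against a session that draws an unpredictable IV per packet, and fails.

```python
"""Added example: one chosen plaintext confirms a guess when CBC state is
chained across packets.  Toy Feistel cipher stands in for 3DES/AES; every
key and message below is constructed for the demonstration."""
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy round function; the attack only needs E() to be a fixed keyed permutation.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class Session:
    """One direction of an encrypted transport.  fresh_iv=False models CBC
    state chained across packets (IV of packet n+1 == last ciphertext block
    of packet n, visible on the wire).  fresh_iv=True models an IV the
    attacker cannot predict when choosing X (assumed property of the new modes)."""

    def __init__(self, key: bytes, fresh_iv: bool):
        self.key, self.fresh_iv, self.state = key, fresh_iv, os.urandom(BLOCK)

    def send(self, packet: bytes) -> bytes:
        if self.fresh_iv:
            self.state = os.urandom(BLOCK)   # drawn after the attacker commits to X
        ct = cbc_encrypt(self.key, self.state, packet)
        self.state = ct[-BLOCK:]
        return ct


def chosen_block(c_prev: bytes, guess: bytes, next_iv: bytes) -> bytes:
    """X = C[i-1] xor guess xor IV_next, so E(X xor IV_next) == C[i] iff guess == P[i]."""
    return _xor(_xor(c_prev, guess), next_iv)


def confirm_guesses(sess: Session, victim_ct: bytes, i: int, guesses) -> list:
    """Attacker side.  For each guess, get one chosen block sent as the first
    block of the next packet and compare the result with ciphertext block i.
    Assumes the attacker wins that 'right moment' once per guess."""
    c_prev = victim_ct[(i - 1) * BLOCK:i * BLOCK]
    c_target = victim_ct[i * BLOCK:(i + 1) * BLOCK]
    last_seen = victim_ct[-BLOCK:]            # last ciphertext block observed on the wire
    confirmed = []
    for guess in guesses:
        ct = sess.send(chosen_block(c_prev, guess, last_seen))
        if ct[:BLOCK] == c_target:
            confirmed.append(guess)
        last_seen = ct[-BLOCK:]
    return confirmed


def run(fresh_iv: bool) -> list:
    key = os.urandom(16)                                   # unknown to the attacker
    sess = Session(key, fresh_iv)
    # Constructed two-block victim packet; block 1 is the secret being guessed.
    victim_ct = sess.send(b"id=alice;secret=" + b"Password:hunter2")
    return confirm_guesses(sess, victim_ct, 1,
                           [b"Password:letmein", b"Password:hunter2", b"Password:qwerty1"])


if __name__ == "__main__":
    print("chained IV:", run(False))   # [b'Password:hunter2']
    print("fresh IV  :", run(True))    # []
```

The "tens of millions of packets" in the message is not the cost of the comparison itself, which is one block, but the cost of reaching a moment where an attacker-controlled block lands at a packet boundary in current implementations; the model above simply grants that moment once per guess.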



