IETF-SSH archive

Re: IESG feedback on core drafts.



> > >    In addition, the CBC mode attack can be mitigated by
> > >    ensuring that an SSH_MSG_IGNORE packet precedes any real
> > >    data at the start of a TCP packet.
> > A TCP packet? How is the TCP mapping relevant?

For the attack to work, the attacker needs to know the IV of the next
block that is going to be encrypted. In CBC that is the output of the
encryption of the previous block. If the attacker does not have any
way to see the packet yet (i.e. it is in the internal buffers of the
ssh implementation or even in the kernel) then he cannot use this
attack. If the last packet has been sent out to the network (i.e. the
attacker will know it) then he can use the attack.

In the optimal case we would need to add an extra packet only if the packet
has been sent out to the network, and there are no other packets waiting in
any buffers. Unfortunately it is not normally easy to see if there are
unsent packets in the kernel, thus for example ssh's secsh checks if
there is any data in its own buffers, and if not then it will add an
extra packet.

If we add a new packet to the stream every time the attacker knows the IV
that is supposed to be used for the next packet, we will always cause the
attacker to guess the wrong IV, thus his attack will never be successful.

>    Additionally, the CBC mode attack may be mitigated through the
>    insertion of packets containing SSH_MSG_IGNORE.  This technique may be
>    used to obfuscate the relative positions of the enciphered message and
>    its use is encouraged.

It is not to obfuscate the relative positions, it is to change the IV
known by the attacker to something else, i.e. something that is not
known by the attacker. The contents of the packet actually do not
matter, as long as the attacker cannot affect its contents.

As far as I can understand the attack (and remember about it, this was
more than a year ago when I last checked this attack) this should
make the attack impossible.
-- 
kivinen%ssh.fi@localhost
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
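The mechanism the mail describes, as an added example that is not part of the original message or of any SSH implementation: a model of one direction of a CBC stream where the last ciphertext block of a packet becomes the next packet's IV, with the secsh-style rule that an SSH_MSG_IGNORE packet is injected only when the sender's own buffers are empty. The block cipher is replaced by a keyed one-way stand-in (an assumption; only the chaining property is needed here), the key and payloads are constructed, and `Sender` and `run` are hypothetical names.

```python
import hmac, hashlib, os
BLOCK = 16
SSH_MSG_IGNORE = 2  # SSH transport message number of SSH_MSG_IGNORE

def block_encrypt(key, block):
    # Stand-in block cipher (assumption): a keyed one-way function; only chaining matters here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_encrypt(key, iv, plaintext):
    """CBC over whole blocks; the last ciphertext block is the next packet's IV."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

class Sender:
    """One direction of a CBC stream with the secsh rule: inject IGNORE only when buffers are empty."""
    def __init__(self, key, iv):
        self.key, self.iv = key, iv
        self.pending = []         # encrypted, not yet handed to the network
        self.wire = []            # ciphertext a network observer has seen
        self.last_iv_used = None  # IV actually used for the most recent packet
    def _encrypt(self, payload):
        self.last_iv_used = self.iv
        ct = cbc_encrypt(self.key, self.iv, payload)
        self.iv = ct[-BLOCK:]     # chaining carries across packet boundaries
        self.pending.append(ct)
        return ct
    def send(self, payload, mitigate=True):
        # Empty buffers: the last ciphertext block is already on the wire, so the
        # observer knows the next IV. Burn it with an SSH_MSG_IGNORE packet first.
        if mitigate and not self.pending:
            self._encrypt(bytes([SSH_MSG_IGNORE]) + os.urandom(BLOCK - 1))
        return self._encrypt(payload)
    def flush(self):
        self.wire.extend(self.pending)
        self.pending.clear()

def run(mitigate, flush_between=True):
    """Constructed scenario; returns (observer's predicted IV was the one used, packets on wire)."""
    s = Sender(b"constructed-key!", bytes(BLOCK))
    s.send(b"first packet....", mitigate=False)
    if flush_between:
        s.flush()
    observed = s.wire[-1][-BLOCK:] if s.wire else None  # best prediction: last block seen
    s.send(b"real data here..", mitigate=mitigate)
    s.flush()
    return s.last_iv_used == observed, len(s.wire)
```

Without the countermeasure the observed block is exactly the IV used for the real packet; with it, an IGNORE packet moves the IV to a block the observer has not seen, and when data is still buffered (nothing new on the wire) no extra packet is spent.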