IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Newer Rev of Section 11 - was: Re: IESG feedback on core drafts.



Hi,

On Tue, 8 Apr 2003, RJ Atkinson wrote:

>
> On Monday, Apr 7, 2003, at 20:50 America/Montreal, Bill Sommerfeld
> wrote:
> > Thanks for your edits.
> >
> > This thread seems to have died down.  Are we done yet?
>
> No.

Agreed.

>
> 	Chris's text ignored a bunch of my questions/inputs.  I'd
> really like to see those addressed.

Ran's questions and comments are appropriate and do need to be addressed.
I didn't make an attempt as the plane was landing, but instead incorported
his comments into the revision before sending it out.

>
> 	In some cases, it is a matter of editing the text to be more
> clear/precise.  In other cases, it might be a matter of either deleting
> a poorly justified claim or justifying the claim more clearly (ideally
> via a citation to some paper in the published literature that supports
> the claim).  I'm open to hearing about some other proposed resolution
> of those items, if such exists.
>
> 	The open issues need to be resolved in some deliberate manner,
> IMHO.

For the convenience of everyone who's now fired-up to complete this, I'm
attaching the revision of Section 11 that I sent out a few days ago.
Ran's comments may be found by looking for "[RJA :" at the start of lines.

Thanks,
Chris


=======
11. Security Considerations

   In order to make the entire body of Security Considerations more
   accessible, Security Considerations for the transport, authentication,
   and connection documents have been gathered here.

   The transport protocol [1] provides a confidential channel over an
   insecure network.  It performs server host authentication, key
   exchange, encryption, and integrity protection.  It also derives a
   unique session id that may be used by higher-level protocols.

   The authentication protocol [2] provides a suite of mechanism which
   can be used to authenticating the client user to the server.
   Individual mechanisms specified in the in authentication protocol use
   the session id provided by the transport protocol and/or depend on the
   security and integrity guarantees of the transport protocol.

   The connection protocol [3] specifies a mechanism to multiplex
   multiple streams [channels] of data over the confidential and
   authenticated transport. It also specifies channels for accessing an
   interactive shell, for 'proxy-forwarding' various external protocols
   over the secure transport (including arbitrary TCP/IP protocols), and
   for accessing secure 'subsystems' on the server host.

11.1 Transport


11.1.1 Confidentiality

   It is beyond the scope of this document and the Secure Shell Working
   Group to analyze or recommend specific ciphers other than the ones
   which have been established and accepted within the industry.  At the
   time of this writing, ciphers commonly in use include 3DES, ARCFOUR,
   twofish, serpent and blowfish.  AES has been accepted by The US Federal
   Information Processing Standards [FIPS-197] and the cryptographic
   community as being acceptable for this purpose as well.  As always,
   implementors and users should check current literature to ensure that
   no recent vulnerabilities have been found in ciphers used within
   products.  Implementors should also check to see which ciphers are
   considered to be relatively stronger than others and should recommend
   their use to users over relatively weaker ciphers.  It would be
   considered good form for an implementation to politely and
   unobtrusively notify a user that a stronger cipher is available and
   should be used when a weaker one is actively chosen.

   The "none" cipher is provided for debugging and SHOULD NOT be used
   except for that purpose.  It's cryptographic properties are
   sufficiently described in RFC 2410, which will show that its use does
   not meet the intent of this protocol.

   The relative merits of these and other ciphers may also be found in
   current literature.  Two references that may provide information on the
   subject are [SCHNEIER] and [KAUFMAN,PERLMAN,SPECINER].  Both of these
   describe the CBC mode of operation of certain ciphers and the weakness
   of this scheme.  Essentially, this mode is theoretically vulnerable to
   chosen cipher-text attacks because of the high predictability of the
   start of packet sequence.  However, this attack is still deemed
   difficult and not considered fully practicable especially if relatively
   longer block sizes are used.

   Additionally, another CBC mode attack may be mitigated through the
   insertion of packets containing SSH_MSG_IGNORE.  Without this
   technique, a specific attack may be successful.  For this attack
   (commonly known as the Rogaway attack) to work, the attacker would
   need to know the IV of the next block that is going to be encrypted.
   In CBC mode that is the output of the encryption of the previous
   block. If the attacker does not have any way to see the packet yet
   (i.e it is in the internal buffers of the ssh implementation or even
   in the kernel) then this attack will not work. If the last packet has
   been sent out to the network (i.e the attacker has access to it) then
   he can use the attack.

   In the optimal case an implementor would need to add an extra packet
   only if the packet has been sent out onto the network and there are no
   other packets waiting for transmission. Implementors may wish to check
   to see if there are any unsent packets awaiting transmission, but
   unfortunately it is not normally easy to obtain this information from
   the kernel or buffers.  If there are not, then a packet containing
   SSH_MSG_IGNORE SHOULD be sent.  If a new packet is added to the stream
   every time the attacker knows the IV that is supposed to be used for
   the next packet, then the attacker will not be able to guess the
   correct IV, thus the attack will never be successfull.

   As an example, consider the following case:

      Client                                                  Server
      ------                                                  ------
      TCP(seq=x, len=500)            ->
         contains Record 1

                          [500 ms passes, no ACK]

      TCP(seq=x, len=1000)           ->
         contains Records 1,2

                                     <-                        ACK


      (1) The Nagle algorithm + TCP retransmits mean that the two
          records get coalesced into a single TCP segment
      (2) Record 2 is *not* at the beginning of the TCP segment
          and never will be, since it gets ACKed.
      (3) Yet, the attack is possible because Record 1 has already
          been seen.

   As this example indicates, it's totally unsafe to use the existence
   of unflushed data in the TCP buffers proper as a guide to whether
   you need an empty packet, since when you do the second write(),
   the buffers will contain the un-ACKed Record 1.

   On the other hand, it's perfectly safe to have the following
   situation:

      Client                                                  Server
      ------                                                  ------
      TCP(seq=x, len=500)           ->
         contains SSH_MSG_IGNORE

      TCP(seq=y, len=500)           ->
         contains Data

   Provided that the IV for second SSH Record is fixed after the data for
   the Data packet is determined -i.e. you do:
        read from user
        encrypt null packet
        encrypt data packet


11.1.2 Data Integrity

   This protocol does allow the Data Integrity mechanism to
   be disabled.  Implementors SHOULD be wary of exposing this
   feature for any purpose other than debugging.  Users and
   administrators SHOULD be explicitly warned anytime the
   "none" mac is enabled.

   So long as the "none" mac is not used, this protocol
   provides data integrity.

   Because MACs use a 32 bit sequence number, they might
   start to leak information after 2**32 packets have
   been sent.  However, following the rekeying
   recommendations should prevent this attack.
   The transport protocol [1] recommends rekeying after
   one gigabyte of data, and the smallest possible
   packet is 16 bytes. Therefore, rekeying SHOULD happen
   after 2**28 packets at the very most.

11.1.3 Replay

   This protocol binds each session key to the session
   by including random data that is specific to the
   session in the hash used to produce session keys.

[RJA:  Is it random or pseudo-random ?
[RJA:  Does the difference matter in this case ?

   This session id is used by higher level protocols
   to prevent replay of packets form previous sessions.

   In addition, the use of cipher chaining prevents
   replay of packets within the session.  Cipher chaining
   also prevents the insertion or deletion of packets.

[RJA:  Citations would be pleasant for these claims.

11.1.4 Man-in-the-middle

   This protocol makes no assumptions nor provisions for
   an infrastructure for distributing public keys.  It is
   expected that this protocol will sometimes be used without
   insisting on reliable association between the server host
   key and the server host name.  Such usage is vulnerable
   to man-in-the-middle attacks.

   This vulnerability to man-in-the-middle attacks can
   be mitigated in several fashions:

   1. Narrow the window.  If the client ensures that the
      host key for a given server remains consistant, an
      attacker must execute the man-in-the-middle attack
      on the _first_ connection to a given server.

[RJA:  Narrow *which* window ?
[RJA:  Intended meaning is not crystal clear above.


   2. Use an authentication method that is not vulnerable
      to man-in-the-middle.  For example, public-key
      authentication is not vulnerable to man-in-the-middle
      attack, because the signature is made across data
      that is session specific.  The attack can not use
      the signature he receives because the session specific
      data between the attacker and server is different, and
      can not create a valid signature because he does not
      have the private key.

[RJA:  Is this really true and sufficient ?

   However, this does assume that the public-key has
   been distributed to the server host in some secure
   fashion before the first SSH connection can be made.

   3. Because the protocol is extensible, future extensions
      to the protocol may provide better mechanisms for dealing
      with the need to know the server's host key before
      connecting.  For example, storing the hostkey fingerprint
      in a secure dns database, or using kerberos over gssapi
      during keyexchange to authenticate the server.

   Server administrators are encouraged to make host key
   fingerprints available for checking by some means whose
   security does not rely on the integrity of the actual host
   keys.  Possible mechanisms include secured Web pages, the DNS
   [draft-ietf-secsh-dns], physical pieces of paper, etc.
   Implementors SHOULD provide recommendations on how best to do
   this with their implementation.

   Use of this protocol without reliable association

[RJA:  association of what/whom ?

   is inherently insecure, but may be necessary in
   non-security critical environments, and still
   provides protection against passive attacks.  However,
   implementors of protocols running on top of this
   protocol should keep this possibility in mind.

[RJA:  ???  s/protocols running/applications running/ ???

11.1.5 Denial-of-service

   This protocol is designed to be used over a reliable transport.  If
   transmission errors or message manipulation occur, the connection is
   closed.  The connection SHOULD be re-established if this occurs.
   Denial of service attacks of this type ("wire cutter") are almost
   impossible to avoid.

   In addition, this protocol is vulnerable to Denial of Service
   attacks because an attacker can force the server to go through
   the CPU and memory intensive tasks of connection setup and
   key exchange without authenticating.  Implementors SHOULD provide
   features that make this more difficult.  For example, only allowing
   connections from a subset of IPs known to have valid users.

11.1.6 Covert Channels

   The protocol was not designed to eliminate covert channels.  For
   example, the padding, SSH_MSG_IGNORE messages, and several other
   places in the protocol can be used to pass covert information, and
   the recipient has no reliable way to verify whether such information
   is being sent.

11.2 Authentication Protocol

   The purpose of this protocol is to perform client user
   authentication.  It assumed that this runs over a secure transport
   layer protocol, which has already authenticated the server machine,
   established an encrypted communications channel, and computed a
   unique session identifier for this session.  The transport layer
   provides forward secrecy for password authentication and other
   methods that rely on secret data.

[RJA:  "perfect forward secrecy" or "forward secrecy" ?

   The server may go into a "sleep" period after repeated unsuccessful
   authentications to make key search harder.

   Several authentication methods with different security
   characteristics are allowed.  It is up to the server's local policy
   to decide which methods (or combinations of methods) it is willing to
   accept for each user.  Authentication is no stronger than the weakest
   combination allowed.

11.2.1 Weak Transport

   If the transport layer does not provide confidentiality, authentication
   methods that rely on secret data SHOULD be disabled.  If it does not
   provide MAC protection, requests to change authentication data (e.g.
   password change) SHOULD be disabled to avoid an attacker from
   modifying the ciphertext without being noticed, rendering the new
   authentication data unusable (denial of service).

11.2.2 Debug messages

   Special care should be taken when designing debug messages.  These
   messages may reveal surprising amounts of information about the host
   if not properly designed.  Debug messages can be disabled (during
   user authentication phase) if high security is required.

11.2.3 Local security policy

   Implementer MUST ensure that the credentials provided
   validate the professed user and also MUST ensure that
   the local policy of the server permits the user the
   access requested.

   In particular, because of the flexible nature of the
   SSH connection protocol, it may not be possible to determine
   this completely at the time of authentication, because
   the kind of service being requested is not yet clear.

[RJA:  Unclear antecedent "this".

   For example, local policy might allow a user to access
   files on the server, but not start an interactive shell.
   However, during the authentication protocol, it is not
   known whether the user will be accessing files or
   attempting to use an interactive shell, or even both.

   In any event, local security policy for the server
   host MUST be applied and enforced correctly.

11.2.4 Public key authentication

   The use of public-key authentication assumes that the
   client host has not been compromised.

   This risk can be mitigated by the use of passphrases
   on private keys; however, this is not an enforceable
   policy.  The use of smartcards, or other technology
   to make passphrases an enforceable policy is suggested.

   The server could require both password and public-key
   authentication, however, this requires the client
   to expose its password to the server (see section on
   password authentication below.)

11.2.5 Password authentication

   The password mechanism of specified in the authentication
   protocol assumes that the server has not been compromised.
   If the server has been compromised, using password
   authentication will reveal a valid username / password
   combination to the attacker, which may lead to further
   compromises.

   This vulnerability can be mitigated by using an alternative
   form of authentication.  For example, public-key authentication
   makes no assumptions about security on the server.

11.2.6 Host based authentication

   Host based authentication assumes that the client
   has not been compromised.  There are no mitigating
   strategies, other than to use host based authentication
   in combination with another authentication method.

11.3 Connection protocol

11.3.1 End point security

   End point security is assumed by the connection protocol.
   If the server has been compromised, any terminal sessions,
   port forwarding, or systems accessed on the host are compromised.
   There are no mitigating factors for this.

   If the client end point has been compromised, and the server
   fails to stop the attacker at the authentication protocol,
   all services exposed (either as subsystems or through forwarding)
   will be vulnerable to attack.  Implementors SHOULD provide
   mechanisms for administrators to control which services
   are exposed to limit the vulnerability of other services.

   These controls might include controlling which machines and
   ports can be target in 'port-forwarding' operations, which
   users are allowed to use interactive shell facilities, or
   which users are allowed to use exposed subsystems.

11.3.2 Proxy forwarding

   The SSH connection protocol allows for proxy forwarding of other
   protocols such as SNMP, POP3, and HTTP.  This may be a concern for
   network administrators who wish to control the access of certain
   applications by users located outside of their physical location.
   Essentially, the forwarding of these protocols may violate site
   specific security policies as they may be undetectably tunneled
   through a firewall.  Implementors SHOULD provide an administrative
   mechanism to control the proxy forwarding functionality so that
   site specific security policies may be upheld.

   In addition, a reverse proxy forwarding functionality
   is available, which again can be used to bypass firewall
   controls.

   As indicated above, end-point security is assumed during
   proxy forwarding operations.  Failure of end-point security
   will compromise all data passed over proxy forwarding.

11.3.3 X11 forwarding

   Another form of proxy forwarding provided by the ssh
   connection protocol is the forwarding of the X11 protocol.

   Implementors of the X11 protocol SHOULD implement the
   magic cookie spoofing, to prevent unauthorized use of
   the proxy.

[RJA:  Add citation for "magic cookie spoofing".

   X11 forwarding relies on end-point security.  If end-point
   security has been compromised, X11 forwarding will allow
   any attack against the X11 server possible locally.

   Users and administrators should, as a matter of course, use
   X11 security mechanism to prevent unauthorized use of
   the X11 server.

[RJA:  Which "X11 security mechanism" is meant ?
[RJA:  Also, please add a citation for that mechanism.


References:

[SCHNEIER] Applied Cryptography, Second Edition, Bruce Schneier, Wiley
and Sons Publisher, 1996

[KAUFMAN,PERLMAN,SPECINER] Network Security; PRIVATE Communication in
a PUBLIC World, Charlie Kaufman, Radia Perlman, Mike Speciner, Prentice
Hall Publisher, 1995

===end===






Home | Main Index | Thread Index | Old Index