IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
2nd Version - Section 11.1.4 Man-in-the-middle
Hi,
I've pulled out #2 from the prior version and didn't like it until I
reformatted it. I've kept a lot of the verbiage and hopefully the
thoughts. Please comment.
Thanks,
Chris
=======================================================================
11.1 Transport
11.1.4 Man-in-the-middle
This protocol makes no assumptions nor provisions for an
infrastructure or means for distributing the public keys of hosts. It
is expected that this protocol will sometimes be used without first
verifying the association between the server host key and the server
host name. Such usage is vulnerable to man-in-the-middle attacks.
This section describes this and encourages administrators and users to
understand the importance of verifying this association before any
session is initiated.
There are two cases of man-in-the-middle attacks to consider. The
first is where an attacker places a device between the client and the
server before the session is initiated. In this case, the attack
device is trying to mimic the legitimate server and will offer its
public key to the client when the client initiates a session. If it
were to offer the public key of the server, then it would not be able
to decrypt or sign the transmissions between the legitimate server and
the client unless it also had access to the private-key of the host.
The attack device will also, simultaneously to this, initiate a
session to the legitimate server masquerading itself as the client.
If the public key of the server had been securely distributed to the
client prior to that session initiation, the key offered to the client
by the attack device will not match the key stored on the client. In
that case, the user SHOULD be given a warning that the offered host
key does not match the host key cached on the client. As described in
Section 3.1 of [ARCH], the user may be free to accept the new key and
continue the session. It is RECOMMENDED that the warning provide
sufficient information to the user of the client device so they may
make an informed decision. If the user chooses to continue the
session with the stored public-key of the server (not the public-key
offered at the start of the session), then the session specific data
between the attacker and server will be different between the
client-to-attacker session and the attacker-to-server sessions due to
the randomness discussed above. From this, the attacker will not be
able to make this attack work since the attacker will not be able to
correctly sign packets containing this session specific data from the
server since he does not have the private key of that server.
Insecure distribution of server public keys allows a second type of
man-in-the-middle attack that should also be considered in this case;
one with suitable but incorrect host keys. If the server public keys
are not securely distributed then the client cannot know if it is
talking to the intended server. An attacker may use social
engineering techniques to pass off server keys to unsuspecting users
and may then place a man-in-the-middle attack device between the
legitimate server and the clients. If this is allowed to happen then
the clients will form client-to-attacker sessions and the attacker
will form attacker-to-server sessions and will be able to monitor and
manipulate all of the traffic between the clients and the legitimate
servers. Server administrators are encouraged to make host key
fingerprints available for checking by some means whose security does
not rely on the integrity of the actual host keys. Possible
mechanisms are discussed in Section 3.1 of [SSH-ARCH] and may also
include secured Web pages, physical pieces of paper, etc.
Implementors SHOULD provide recommendations on how best to do this
with their implementation. Because the protocol is extensible, future
extensions to the protocol may provide better mechanisms for dealing
with the need to know the server's host key before connecting. For
example, making the host key fingerprint available through a secure
DNS lookup, or using kerberos over gssapi during key exchange to
authenticate the server are possibilities.
As a second man-in-the-middle case, attackers may attempt to
manipulate packets in transit between peers after the session has been
established. As described in the Replay part of this section, a
successful attack of this nature is very improbable. As in the Replay
section, this reasoning does assume that the MAC is secure and that it
is infeasible to construct inputs to a MAC algorithm to give a known
output. This is discussed in much greater detail in Section 6 of RFC
2104. If the MAC algorithm has a vulnerability or is weak enough,
then the attacker may be able to specify certain inputs to yield a
known MAC. With that they may be able to alter the contents of a
packet in transit. Alternatively the attacker may be able to exploit
the algorithm vulnerability or weakness to find the shared secret by
reviewing the MACs from captured packets. In either of those cases,
an attacker could construct a packet or packets that could be inserted
into an SSH stream. To prevent that, implementors are encouraged to
utilize commonly accepted MAC algorithms and administrators are
encouraged to watch current literature and discussions of cryptography
to ensure that they are not using a MAC algorithm that has a recently
found vulnerability or weakness.
In summary, the use of this protocol without a reliable association of
the binding between a host and its host keys is inherently insecure
and is NOT RECOMMENDED. It may however be necessary in non-security
critical environments, and will still provide protection against
passive attacks. Implementors of protocols and applications running
on top of this protocol should keep this possibility in mind.
-end
Home |
Main Index |
Thread Index |
Old Index