IETF-SSH archive


Re: Ben Harris's individual submissions: arcfour-fixes and rsa-kex



In article <200504030227.VAA27779%Sparkle.Rodents.Montreal.QC.CA@localhost> you write:
>>>> rsa-kex is a weaker kex
>>> Well, it's weaker in some respects,
>> [D]iscussions of SHA-1 have convinced me that there's a slight
>> weakness here that I should perhaps guard against.  Because the
>> client can see all the other input to the exchange hash before it
>> generates K, if it's got a working collision attack against HASH it
>> can create two sessions with the same session ID.
>
>I'm not sure this buys you anything of significance.  Even granting all
>the above, what can go wrong if a client (or two clients in collusion,
>which amounts to the same thing) gets two sessions with the same
>session ID?

Nothing that I can think of, but SSH is an extensible protocol, which means
we need to allow for possible future developments.  At the moment, I think
that duplicate session IDs are only a problem if the client in one session
colludes with (or is) the server in another, in which case they can MITM a
session from the other client to the other server.  I think this is only by
chance, though, and I can't be sure that future extensions won't assume the
uniqueness of session IDs in other ways.

Imagine, for instance, a backwards version of my RSA KEX, in which the
client generates a key and the server encrypts the secret under it.  This
might be useful if your server is particularly short of CPU.  Given a
client, A, which supports this imaginary KEX method, a server, B, which
supports my KEX method, and an adversary, M, which can generate collisions
in SHA-1, M can MITM a connection between A and B despite the fact that
neither A nor B supports both protocols.

This is all getting a bit silly really.  I'm arguing that my protocol is
insecure despite the fact that I think it's secure enough (cracking the RSA
keys should be about as hard as generating hash collisions, and is a lot
more dangerous since it can be done off-line).

-- 
Ben Harris
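As an added illustration of the mechanism Ben describes above (this is not code from Ben Harris, the IETF-SSH working group, or any SSH implementation): in the RSA KEX the exchange hash, which doubles as the session ID, is HASH over fields that are all fixed before the client chooses the secret K, with K as the final input. A client that can find collisions in HASH can therefore pick two secrets K1 != K2 that yield the same session ID. The model below collapses the exchange-hash input to "the fields fixed before K" plus mpint(K); the field order follows RFC 4432, the published form of the draft, with the client-generated encrypted-secret field omitted (an assumption of the toy, stated in the comments). A truncated SHA-1 stands in for "HASH with a working collision attack"; it is not an attack on SHA-1. The sample version strings and blobs are constructed.

```python
"""Toy model: two RSA-KEX sessions with the same session ID.

The client sees every exchange-hash input except K before it picks K, so
finding two secrets with the same H is a plain collision search over K.
weak_hash() is SHA-1 truncated to 24 bits, a stand-in for a hash with a
practical collision attack; it is NOT an attack on real SHA-1.
"""
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: big-endian two's
    complement with a leading zero byte when the top bit is set."""
    if n < 0:
        raise ValueError("toy only encodes non-negative integers")
    if n == 0:
        return ssh_string(b"")
    length = n.bit_length() // 8 + 1  # the extra byte keeps the sign bit clear
    return ssh_string(n.to_bytes(length, "big"))


def exchange_hash_prefix(v_c, v_s, i_c, i_s, k_s, k_t) -> bytes:
    """Everything fixed before the client chooses K, in the RFC 4432 order
    V_C, V_S, I_C, I_S, K_S, K_T. The encrypted-secret field that precedes K
    in RFC 4432 is omitted here (toy assumption); it is client-generated too,
    so it does not alter the argument."""
    return b"".join(ssh_string(x) for x in (v_c, v_s, i_c, i_s, k_s, k_t))


def weak_hash(data: bytes) -> bytes:
    """Stand-in for 'HASH with a working collision attack': SHA-1 truncated
    to 24 bits, so a birthday search collides after a few thousand trials."""
    return hashlib.sha1(data).digest()[:3]


def strong_hash(data: bytes) -> bytes:
    """Full SHA-1, for contrast: the weak-hash collision does not carry over."""
    return hashlib.sha1(data).digest()


def session_id(prefix: bytes, k: int, hash_fn=weak_hash) -> bytes:
    """H = HASH(prefix || mpint K). The first H of a connection is the session ID."""
    return hash_fn(prefix + ssh_mpint(k))


def find_colliding_secrets(prefix: bytes, hash_fn=weak_hash, max_trials=1 << 20):
    """Client-side birthday search. Only K varies, because the prefix is
    already fixed when the client picks K. The toy tries small sequential K;
    a real client would draw random secrets of the negotiated size."""
    seen = {}
    for k in range(1, max_trials):
        h = session_id(prefix, k, hash_fn)
        if h in seen:
            return seen[h], k
        seen[h] = k
    raise RuntimeError("no collision within trial budget")


def derive_key(k: int, h: bytes, letter: bytes, sess_id: bytes) -> bytes:
    """RFC 4253 section 7.2: key = HASH(K || H || letter || session_id)."""
    return hashlib.sha1(ssh_mpint(k) + h + letter + sess_id).digest()


def demo():
    # Constructed sample values standing in for one connection's version
    # strings, KEXINIT payloads, host key blob and transient RSA key blob.
    prefix = exchange_hash_prefix(
        b"SSH-2.0-toyclient", b"SSH-2.0-toyserver",
        b"<client KEXINIT payload>", b"<server KEXINIT payload>",
        b"<server host key blob>", b"<transient RSA key blob>")
    k1, k2 = find_colliding_secrets(prefix)
    sid = session_id(prefix, k1)
    return {
        "k1": k1,
        "k2": k2,
        # Same session ID from two different secrets: Ben's observation.
        "same_session_id": session_id(prefix, k1) == session_id(prefix, k2),
        # The collision exists only against the weakened hash.
        "same_full_sha1": session_id(prefix, k1, strong_hash)
                          == session_id(prefix, k2, strong_hash),
        # The two sessions still derive different traffic keys, since K differs.
        "same_encryption_key": derive_key(k1, sid, b"C", sid)
                               == derive_key(k2, sid, b"C", sid),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the one in the quoted paragraph: the duplicate session ID costs the client only a collision search, not a preimage, because it controls the last hash input after seeing all the others. It says nothing about what a duplicate session ID buys an attacker; that is the open question in the reply.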


