IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Wed, Apr 15, 2009 at 05:38:13PM -0400, der Mouse wrote:
> >>> There has been a security vulnerability [...]
> >> Thanks. Do you have a pointer to more details?
> > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
> 
> Got a pointer to anything that actually describes the attack?  That
> page describes only the effect of the attack, not the mechanism, and
> makes claims that seem dubious to me ("an arbitrary, attacker-selected
> block of ciphertext", claims that only CBC mode is affected, and the
> claims here that it's due to encrypting packet lengths - these sound
> unlikely to me to all be true - but of course that likely just means
> I'm missing something, which is why I'm interested in more details).

I don't recall where the attack is described.

Briefly: an active attacker replaces what he/she knows to be an
encrypted packet length with bytes that he/she knows correspond to an
encrypted password, then after that sends the remainder of the packet
(possibly garbage) one byte/block at a time.

The information leak about the incorrect packet length may reveal some
number of bits of the password.  That number depends on how much
information is leaked.  If the packet length decrypted to something >
max packet length and the length was not syslogged to a remote host and
not sent back to the client (which the user might then quote w/o privacy
protection to a helpdesk), then the attacker learns very little.  If the
packet length decrypted to something < max packet length and there's no
syslog/disconnect leak then the attacker recovers 16 - block size bits
of the password.  If the attacker recovers the decrypted packet length
from syslog or the disconnect sent to the user, then the attacker
recovers four bytes of the password.
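An added illustration, not code from the thread: a toy model of a CBC-mode SSH receiver showing why a packet_length it discloses (in syslog or a disconnect) is worth four bytes of the plaintext that block carried, and the uniform-error behaviour that withholds it. The Feistel "cipher", key size and MAX_PACKET are constructed stand-ins chosen so it runs on the standard library alone.

```python
import hmac
import hashlib

BLOCK = 16               # AES-sized blocks, as in aes128-cbc
MAX_PACKET = 256 * 1024  # receiver's maximum accepted packet_length (assumed value)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a constructed keyed permutation standing in for AES.
    # It only has to be a deterministic, invertible block function; it is NOT secure.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor_bytes(l, feistel_round(key, i, r))
    return l + r

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor_bytes(r, feistel_round(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt(key, xor_bytes(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_block(key: bytes, prev_ct: bytes, ct: bytes) -> bytes:
    # CBC: P_i = D(C_i) XOR C_{i-1}. If some other ciphertext block C_j is put here,
    # the result is (P_j XOR C_{j-1}) XOR C_{i-1}; both ciphertexts are on the wire.
    return xor_bytes(toy_decrypt(key, ct), prev_ct)

def receive_first_block(key: bytes, prev_ct: bytes, block: bytes, reveal_length: bool) -> tuple:
    """Receiver's handling of the first block of an SSH binary packet.
    reveal_length=True models the leak the mail warns about (decoded length
    reaches syslog / the disconnect message); False models a uniform error."""
    length = int.from_bytes(cbc_decrypt_block(key, prev_ct, block)[:4], "big")
    if length > MAX_PACKET:
        return ("disconnect", length if reveal_length else None)
    return ("reading", None)   # receiver now waits for `length` more bytes
```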
