Re: Albrecht/Paterson/Watson's attack

To: "Mouse" <mouse%Rodents-Montreal.ORG@localhost>, <ietf-ssh%netbsd.org@localhost>
Subject: Re: Albrecht/Paterson/Watson's attack
From: "denis bider \(Bitvise\)" <ietf-ssh3%denisbider.com@localhost>
Date: Mon, 5 May 2014 18:15:39 -0600

Our implementation in Bitvise SSH Server (versions of the last several yearsthat use our FlowSsh library) makes this class of attack difficult by:

- Implementing precise checks about whether the received packet length isvalid.

- If the received packet length is invalid, generating a random valid packetlength, and continuing execution as if that length was received.

This way, the attacker is denied knowledge of whether their attempt toinfiltrate the first CBC block succeeded or not.

I know of no way the attacker can distinguish one successful infiltrationattempt from hundreds of thousands of unsuccessful attempts. Even if theattacker knows some property of the plaintext, e.g. that it is ASCII, manyof the unsuccessful "plaintexts" can seem valid.


denis

-----Original Message-----From: Mouse

Sent: Monday, May 5, 2014 13:39
To: ietf-ssh%netbsd.org@localhost
Subject: Albrecht/Paterson/Watson's attack

Perhaps it wasn't mentioned here, or perhaps I'd just missed it, but a
note elselist prompted me to read
http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf.

Any thoughts?  Besides the obvious suggestions made in the paper
(basically "don't use CBC bulk ciphers"), it occurs to me that there is
another defense: make it hard to identify packet boundaries by,
whenever the connection would otherwise go idle, generating an IGNORE
packet and sending only part of it, holding the rest until something
more is available to be sent on that connection.

It wouldn't completely prevent the attack, since the attacker can
simply guess how much BPP-level packet remains at the network-level
packet boundary, but it would be another factor against success - and
it would require not just injecting data, but intercepting and
modifying the first wire packet after idle time.  It would also render
connections attackable only during the first packet after idle time,
rather than at any time when idle.  It seems to me this would increase
the difficulty of an attack, perhaps significantly.  While admittedly
this particular attack is easy enough to defeat by just not using CBC
modes, it seems likely to me that some other attack based on
recognizing and exploiting BPP-layer packet boundaries will come along.

Thoughts?

/~\ The ASCII   Mouse
\ / Ribbon Campaign
X  Against HTML mouse%rodents-montreal.org@localhost

/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

References:
- Albrecht/Paterson/Watson's attack
  - From: Mouse

Prev by Date: Re: Albrecht/Paterson/Watson's attack
Next by Date: Re: Albrecht/Paterson/Watson's attack
Previous by Thread: Re: Albrecht/Paterson/Watson's attack
Next by Thread: Re: Albrecht/Paterson/Watson's attack
Indexes:

Home | Main Index | Thread Index | Old Index