IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Albrecht/Paterson/Watson's attack
Our implementation in Bitvise SSH Server (versions of the last several years
that use our FlowSsh library) makes this class of attack difficult by:
- Implementing precise checks about whether the received packet length is
valid.
- If the received packet length is invalid, generating a random valid packet
length, and continuing execution as if that length was received.
This way, the attacker is denied knowledge of whether their attempt to
infiltrate the first CBC block succeeded or not.
I know of no way the attacker can distinguish one successful infiltration
attempt from hundreds of thousands of unsuccessful attempts. Even if the
attacker knows some property of the plaintext, e.g. that it is ASCII, many
of the unsuccessful "plaintexts" can seem valid.
denis
-----Original Message-----
From: Mouse
Sent: Monday, May 5, 2014 13:39
To: ietf-ssh%netbsd.org@localhost
Subject: Albrecht/Paterson/Watson's attack
Perhaps it wasn't mentioned here, or perhaps I'd just missed it, but a
note elselist prompted me to read
http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf.
Any thoughts? Besides the obvious suggestions made in the paper
(basically "don't use CBC bulk ciphers"), it occurs to me that there is
another defense: make it hard to identify packet boundaries by,
whenever the connection would otherwise go idle, generating an IGNORE
packet and sending only part of it, holding the rest until something
more is available to be sent on that connection.
It wouldn't completely prevent the attack, since the attacker can
simply guess how much BPP-level packet remains at the network-level
packet boundary, but it would be another factor against success - and
it would require not just injecting data, but intercepting and
modifying the first wire packet after idle time. It would also render
connections attackable only during the first packet after idle time,
rather than at any time when idle. It seems to me this would increase
the difficulty of an attack, perhaps significantly. While admittedly
this particular attack is easy enough to defeat by just not using CBC
modes, it seems likely to me that some other attack based on
recognizing and exploiting BPP-layer packet boundaries will come along.
Thoughts?
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Home |
Main Index |
Thread Index |
Old Index