Slashdot Mirror


Flaw Made Public In OpenSSH Encryption

alimo20 writes "Researchers at Royal Holloway, University of London have discovered a flaw in version 4.7 of OpenSSH on Debian GNU/Linux. According to ISG lead professor Kenny Paterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Paterson says that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as they pass. The attacker then re-transmits the data back to the server and counts the number of bytes before the server throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Paterson. ... Paterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"

4 of 231 comments

  1. Design flaw by aaronfaby · Score: 5, Interesting

    If the flaw is in the design of SSH, wouldn't all OSes be affected? Why does this only affect Debian?

  2. Re:Why so much press on this? by mr_mischief · Score: 3, Interesting

    Noticed? A good firewall that is updated regularly by a traffic analyzer should have a rule set to drop or deny the retransmissions after the first few. I guess we could have a philosophical debate about whether running code "notices" something when it matches a pattern and crosses a threshold to trigger a rule. "Notice" to me usually connotes sentience, or at least animal consciousness.

  3. Re:To those wondering why they mention Debian by Pretzalzz · Score: 3, Interesting

    All current versions of Debian have 5.1p1-5 as the version of openssh [testing/unstable differences are just dependency rebuilds].

    The changelog for this version includes:

    * Backport from upstream CVS (Markus Friedl):

    - packet_disconnect() on padding error, too. Should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18.

    This implies that older versions are more vulnerable. Not sure if this is what people are referring to as 5.2's countermeasures.

  4. I wish people would try to understand CRYPTO hacks by omb · Score: 4, Interesting

    This was never a real threat, just another piece of academic FUD. To be vulnerable as an interactive ssh user you would have to ignore 100,000 aborted sessions to expose 14 bits of plaintext. I think I would notice, and block the attacker.

    There is a whole suite of ciphers, including AES (aka Rijndael), that are configurable (have you configured yours?) and not vulnerable.

    Finally the protocol is trivially fixed.

    Now I for one, whilst I have the highest respect for the work done by people like Ross Anderson and Schneier, am fed up to the back teeth with alarmism from governments, NGOs and academics -- all of which adds up to "give us more money".

    If you don't know, these researchers were working for the UK equivalent of Homeland Security and failed to inform SSH of the details of the attack, doubtless quoting National Security.

    These people who parade nonsense should be tarred and feathered and sent out on the next rail.
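Both mr_mischief (drop the retransmissions after the first few) and omb (you would notice 100,000 aborted sessions) rest on the same observable: one source repeatedly opening sessions that sshd tears down mid-stream. The detection logic below is an added example, not code from the thread or from OpenSSH; the log lines are constructed, the "Disconnecting: ..." wording follows sshd's own disconnect messages, and the pid-to-source correlation via the "Connection from" line is an assumption about how the log is written.

```python
import re
from collections import Counter

# Constructed sample sshd log (not from any real host). 198.51.100.7 keeps
# reconnecting and getting torn down; 203.0.113.9 has one flaky session.
SAMPLE_LOG = """\
Nov 18 10:00:01 gw sshd[4101]: Connection from 192.0.2.10 port 40001
Nov 18 10:00:01 gw sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Nov 18 10:00:05 gw sshd[4102]: Connection from 198.51.100.7 port 50001
Nov 18 10:00:05 gw sshd[4102]: Disconnecting: Bad packet length 3735928559.
Nov 18 10:00:06 gw sshd[4103]: Connection from 198.51.100.7 port 50002
Nov 18 10:00:06 gw sshd[4103]: Disconnecting: Corrupted MAC on input.
Nov 18 10:00:07 gw sshd[4104]: Connection from 203.0.113.9 port 60001
Nov 18 10:00:07 gw sshd[4104]: Disconnecting: Corrupted MAC on input.
Nov 18 10:00:08 gw sshd[4105]: Connection from 198.51.100.7 port 50003
Nov 18 10:00:08 gw sshd[4105]: Disconnecting: Bad packet length 19088743.
Nov 18 10:00:09 gw sshd[4106]: Connection from 198.51.100.7 port 50004
Nov 18 10:00:09 gw sshd[4106]: Disconnecting: Packet corrupt
"""

# The pid in sshd[pid] ties a disconnect back to the session's source address
# (assumption: "Connection from" is logged for each session at this log level).
CONNECT_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port \d+")
ABORT_RE = re.compile(
    r"sshd\[(\d+)\]: Disconnecting: (Bad packet length|Corrupted MAC on input|Packet corrupt)"
)


def count_aborts(lines):
    """Return {source_ip: sessions sshd tore down with a packet/MAC error}."""
    pid_to_ip = {}
    aborts = Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            pid_to_ip[m.group(1)] = m.group(2)
            continue
        m = ABORT_RE.search(line)
        if m:
            aborts[pid_to_ip.get(m.group(1), "unknown")] += 1
    return aborts


def flag_sources(lines, threshold=3):
    """Sources whose abort count reaches the threshold: candidates for the
    drop/deny rule. A single corrupted session stays below it by design."""
    return sorted(ip for ip, n in count_aborts(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG.splitlines()))  # → ['198.51.100.7']
```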