Flaw Made Public In OpenSSH Encryption
alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Patterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Patterson tells that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson. ... Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"
If the flaw is in the design of SSH, wouldn't all OSes be affected? Why does this only affect Debian?
This was never a real threat, just another piece of Academic FUD. To be vulnerable as an interactive ssh user you would have to ignore 100,000 aborted sessions to expose 14 bits of plaintext, I think I would notice, and block the attacker.
There is a whole suite of cyphers, including AES aka Rijndael, that are configurable (have you done yours?) and not vulnerable.
Finally the protocol is trivially fixed.
Now I for one, whilst I have the highest respect for the work done by people like Ross Anderson and Schneier, am fed up to the back teeth with alarmism from governments, NGOs and academics -- all of which add up to give us more money.
If you don't know, these researchers were working for the UK equivalent of Homeland Security and failed to inform SSH of the details of the attack, doubtless quoting National Security.
These people who parade nonsense should be tarred and feathered and sent on the next rail.