Making password driven SSH 'immune' to MTM attacks.

Gregory Maxwell greg at linuxpower.cx
Sat Feb 26 07:53:07 EST 2000


On Fri, 25 Feb 2000, Dave Dykstra wrote:

> On Thu, Feb 24, 2000 at 06:22:22PM -0500, Gregory Maxwell wrote:
> > The RSA method is good because it doesn't rely on the (frequently
> > non)secrecy of passwords. It's primary disadvantage is that using it
> > correctly requires a PKI of some form (be it x.509 certs, GPG signed
> > copies, manual key population) to be secure. 
> 
> I think that's nonsense.  If you personally exchange RSA public keys or
> get them from people you know personally there's no reason why it needs
> a PKI.  RSA authentication works wonderfully in SSH.  It's hardly any
> harder to exchange RSA public keys than to exchange a secret password,
> except that the former can't be transmitted over a telephone.

I should have been more clear:

I was defining PKI as 'some sort of key management system which provides
some level of authentication of key legitimacy'. Not that bastardized
system of 'trust-for-money' normally called PKI. :)

> If you're worried about a compromise before the initial connection then
> exchange the public key of the host separately at the same time you
> exchange the individual's key.  No big deal.

Since I'm not too good at accurately remembering numbers 1024+ bits in size,
and there is no widespread, standardized, and cheap 'smart card' system,
I can remember several passwords, and carry them around in my
mind. I can't mentally carry even a single RSA key pair.

> I rarely run into cases where
> there's a reason to be suspicious that early, however.

Oh? You don't ever connect to an SSH host for the first time across the
internet? Perhaps you can always get verified keys (using the GPG
ring-of-trust by hand method of PKI). But this isn't something the
computer-using world at large will do; they will see WARNING
and type 'YES', blissfully ignorant of the middle-man.

Someday there will be a simple and well understood method for securely
verifying RSA key pairs (all hail DNSSEC!). But that's not available today.
Today, most people use passwords, and they aren't willing to go to the
effort of verifying RSA keys.
 
> That's a worthwhile reason to add SRP support to OpenSSH, but I don't see
> much value in enabling SRP if your system doesn't already have an SRP
> password file.

I agree with that.
 
> - Dave Dykstra