Public storage for public keys

Ed Phillips ed at UDel.Edu
Wed Jan 16 02:05:32 EST 2002


On Mon, 14 Jan 2002, Jason Stone wrote:

> Date: Mon, 14 Jan 2002 15:24:08 -0800 (PST)
> From: Jason Stone <jason at shalott.net>
> To: Ed Phillips <ed at UDel.Edu>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Public storage for public keys
>
>
>
> > > Yes, saved in a trusted location (ie, local file system).
> > > A key in DNS is not trustworthy, since DNS is easily
> > > compromised.
> >
> > Then the hard part - JH would have to play man-in-the-middle between A
> > and B enough to convince A that the spoofed host key for B is okay...
> > but how can JH do this without knowing the REAL private host key for
> > system B?  What am I missing?
>
> No, JH doesn't have to know B's private key - that's the point.  A doesn't
> know B's public key ('cause this whole discussion is about how to give it
> to him), so JH gets in the middle of A and B (check out dsniff, ettercap,
> etc - this is real easy nowadays), and when A asks for B's public key, JH
> hands his own public key to A.  Now A encrypts all his packets with JH's
> key and sends them to JH.  JH then requests B's public key, decrypts all
> of A's packets, re-encrypts them with B's public key, and passes them on
> to B.  Neither A nor B realizes, because at a fundamental level, they
> don't _really_ know each other if they haven't already exchanged keys and
> cached them locally.

Okay... that makes sense to me now.  So the main problem is that, without
a secure way to verify that B's public key is authentic you're pretty
wide open to this sort of thing.  And the known_hosts file is the only way
we have for A to verify the public key presented by B... so if we were
using DNS (which is easily hijacked) to distribute known_hosts info, then
that makes the problem even worse, right?

On the other hand, if we were using LDAP (or whatever) + SSL + signed
certificates as a means for the ssh client to verify a public key
presented by B, then we could potentially still centralize the known_hosts
information securely... assuming that we only trust signatures that JH
can't create himself?

Is there any provision in the SSH specification (I really should make time
to read this some day) to use digital signatures with ssh public keys?

> Man-in-the-middle attacks are no longer strictly theoretical, nor reserved
> for hardcore hackers.  Easy and powerful tools are widely available to let
> just anyone perform active attacks against a local net, even a switched
> one, and shoddy key exchange is completely unacceptable.

> You _could_ use DNSSEC to distribute the keys, and I'm interested in why
> this ended up being rejected?

I haven't read up on it... so I'm not sure if people are complaining that
it just "moves" the security hole instead of plugging it...

Thanks,

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
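
Added example, not part of the original message or of OpenSSH's code: a sketch of the check a client makes against its locally cached known_hosts data, showing why a cached key exposes JH's substituted key while a first contact with nothing cached cannot. The host names, key blobs and function names are constructed for illustration; hashed host entries, marker lines and wildcard patterns are skipped.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for the base64 key field; these are not real SSH keys.
B_KEY = base64.b64encode(b"constructed-host-key-for-B").decode()
JH_KEY = base64.b64encode(b"constructed-host-key-for-JH").decode()

# Constructed known_hosts content in the "hosts keytype base64 [comment]" layout.
KNOWN_HOSTS = f"""\
# constructed sample
b.example.org,192.0.2.10 ssh-rsa {B_KEY} cached-on-first-contact
"""

def parse_known_hosts(text):
    """Return {host: {(keytype, key_bytes)}} for plain, unhashed entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "|", "@")):
            continue  # comments, hashed hosts and marker lines are out of scope
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # malformed key field: never treat it as a trusted entry
        for host in fields[0].split(","):
            table.setdefault(host, set()).add((fields[1], blob))
    return table

def fingerprint(blob):
    """SHA256 fingerprint in the unpadded-base64 style, for out-of-band comparison."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(table, host, keytype, presented_b64):
    """Compare the key a server presents with what is cached locally for that host."""
    presented = base64.b64decode(presented_b64)
    cached = [blob for kt, blob in table.get(host, ()) if kt == keytype]
    if not cached:
        return "UNKNOWN"   # nothing cached: a substituted key is indistinguishable
    if any(hmac.compare_digest(blob, presented) for blob in cached):
        return "MATCH"
    return "MISMATCH"      # cached key differs: refuse to continue, investigate

if __name__ == "__main__":
    table = parse_known_hosts(KNOWN_HOSTS)
    for label, key in (("B", B_KEY), ("JH", JH_KEY)):
        result = check_host_key(table, "b.example.org", "ssh-rsa", key)
        print(label, result, fingerprint(base64.b64decode(key)))
    print("no cache:", check_host_key({}, "b.example.org", "ssh-rsa", JH_KEY))
```

The "UNKNOWN" result is the case the thread is about: the client has to authenticate the key through some channel other than the connection itself before caching it.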



