OpenSSH security advisory: cbc.adv
Jim Knoble
jmknoble at pobox.com
Sat Nov 22 07:00:41 EST 2008
Circa 2008-11-21 05:19 dixit Damien Miller:
: OpenSSH Security Advisory: cbc.adv
:
: Regarding the "Plaintext Recovery Attack Against SSH" reported as
: CPNI-957037[1]:
[...]
: AES CTR mode and arcfour ciphers are not vulnerable to this attack at
: all. These may be preferentially selected by placing the following
: directive in sshd_config and ssh_config:
:
: Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
As I recall, the 'arcfour' cipher (no keysize in the name) has its own
potential vulnerability, in that it fails to discard the initial 1536
bytes of the keystream <http://www.ietf.org/rfc/rfc4345.txt>. The
'arcfour128' cipher is the one which mixes the keystream before using
it.
The following 'Ciphers' spec is probably what Damien intended:
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,aes256-cbc
--jim
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing. --Aldous Huxley|
+----------------------------------------------------------------------+
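The point of the thread is cipher preference order: CTR and the keystream-discarding arcfour variants should come before any CBC cipher, and plain 'arcfour' should not appear at all. The following is an added example, not code from the post or from the OpenSSH project: a small linter that parses a 'Ciphers' line from sshd_config/ssh_config and reports the two problems discussed above (a CBC cipher preferred over CTR, and plain 'arcfour' present). The cipher-name classification sets are the author's own assumption about the names in use at the time and are not taken from the post.

```python
"""Lint an OpenSSH 'Ciphers' directive against the cbc.adv guidance.

Added example (not OpenSSH code). Cipher-name sets below are an assumption
based on the names OpenSSH accepted around 2008, not a list from the post.
"""
import re

# Assumed classification of cipher names.
CBC_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc",
               "blowfish-cbc", "cast128-cbc", "rijndael-cbc@lysator.liu.se"}
CTR_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
# Plain 'arcfour' uses the raw RC4 keystream; arcfour128/arcfour256 discard
# the first 1536 bytes of keystream (RFC 4345).
WEAK_ARCFOUR = {"arcfour"}


def parse_ciphers(config_text):
    """Return the cipher list from the first 'Ciphers' line, or [] if none.

    Keywords in ssh config files are case-insensitive; '#' starts a comment.
    """
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?i)^ciphers\s+(\S+)", line)
        if m:
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return []


def lint_ciphers(ciphers):
    """Return a list of findings (strings) for a cipher preference list."""
    findings = []
    first_cbc = next((i for i, c in enumerate(ciphers) if c in CBC_CIPHERS), None)
    first_ctr = next((i for i, c in enumerate(ciphers) if c in CTR_CIPHERS), None)

    if first_cbc is not None and first_ctr is None:
        findings.append("cbc-only: no CTR cipher offered; CBC modes are "
                        "subject to the CPNI-957037 attack")
    elif first_cbc is not None and first_ctr is not None and first_cbc < first_ctr:
        findings.append("cbc-preferred: a CBC cipher is listed before the "
                        "first CTR cipher; move CTR ciphers to the front")

    for c in ciphers:
        if c in WEAK_ARCFOUR:
            findings.append("arcfour: plain arcfour does not discard the "
                            "initial 1536 keystream bytes (RFC 4345); "
                            "use arcfour128/arcfour256 instead")
    return findings


# Constructed sample configs: the line from the advisory and Jim's correction.
ADVISORY_LINE = "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"
CORRECTED_LINE = "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,aes256-cbc\n"

if __name__ == "__main__":
    for label, text in (("advisory", ADVISORY_LINE), ("corrected", CORRECTED_LINE)):
        print(label, lint_ciphers(parse_ciphers(text)) or "OK")
```

Run against the advisory's line the linter flags plain 'arcfour'; against the corrected line it reports nothing, since CTR ciphers lead and only the discarding arcfour variants are present.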