OpenSSH security advisory: cbc.adv

Jim Knoble jmknoble at
Sat Nov 22 07:00:41 EST 2008

Circa 2008-11-21 05:19 dixit Damien Miller:

: OpenSSH Security Advisory: cbc.adv
: Regarding the "Plaintext Recovery Attack Against SSH" reported as
: CPNI-957037[1]:
: AES CTR mode and arcfour ciphers are not vulnerable to this attack at
: all. These may be preferentially selected by placing the following
: directive in sshd_config and ssh_config:
: Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

As I recall, the 'arcfour' cipher (no keysize in the name) has its own
potential vulnerability, in that it fails to discard the initial 1536
bytes of the keystream <>.  The
'arcfour128' cipher is the one which mixes the keystream before using

The following 'Ciphers' spec is probably what Damien intended:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,aes256-cbc


jim knoble  |  jmknoble at  |
(GnuPG key ID: C6F31FFA  >>>>>> )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
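As an added illustration (my own code, not part of the thread or of OpenSSH), the following Python audit applies the classification discussed above to a `Ciphers` directive: CTR ciphers and the keystream-discarding `arcfour128`/`arcfour256` are fine, `-cbc` ciphers are the ones exposed to CPNI-957037, and plain `arcfour` is flagged for not discarding its initial keystream. The function and variable names are mine; it also derives the corrected ordering Jim proposes from Damien's original line.

```python
"""Audit an OpenSSH 'Ciphers' directive (ssh_config / sshd_config) for the
two issues raised in this thread. Added example, not OpenSSH project code;
the classification rules are the ones stated in the thread."""
import re

# Ciphers the thread says are not affected by the CBC plaintext-recovery
# attack: CTR mode, plus the RC4 variants that discard initial keystream.
NOT_AFFECTED = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "arcfour128", "arcfour256"}


def classify(cipher: str) -> str:
    """Return a short status string for one cipher name."""
    if cipher == "arcfour":
        return "arcfour: no initial keystream discard (use arcfour128/256)"
    if cipher in NOT_AFFECTED:
        return "ok"
    if cipher.endswith("-cbc"):
        return "cbc: exposed to CPNI-957037 plaintext recovery"
    return "unknown"


def audit_ciphers_directive(line: str) -> dict:
    """Parse 'Ciphers a,b,c' and report per-cipher findings.
    'first_is_cbc' flags a list whose top preference is a CBC cipher."""
    m = re.match(r"^\s*Ciphers\s+(\S+)", line, re.IGNORECASE)
    if not m:
        raise ValueError("not a Ciphers directive: %r" % line)
    ciphers = [c.strip() for c in m.group(1).split(",") if c.strip()]
    findings = {c: classify(c) for c in ciphers}
    return {
        "ciphers": ciphers,
        "findings": findings,
        "first_is_cbc": bool(ciphers) and findings[ciphers[0]].startswith("cbc"),
        "plain_arcfour": "arcfour" in ciphers,
    }


def suggested_directive(line: str) -> str:
    """Rewrite the directive: replace plain arcfour with arcfour128 and move
    every non-'ok' cipher after the 'ok' ones, otherwise preserving order."""
    ciphers = audit_ciphers_directive(line)["ciphers"]
    fixed = ["arcfour128" if c == "arcfour" else c for c in ciphers]
    fixed = list(dict.fromkeys(fixed))  # de-duplicate, keep first occurrence
    ok = [c for c in fixed if classify(c) == "ok"]
    rest = [c for c in fixed if classify(c) != "ok"]
    return "Ciphers " + ",".join(ok + rest)
```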
