OpenSSH security advisory: cbc.adv

[Damien Miller]

On Fri, 21 Nov 2008, Jim Knoble wrote:

> Circa 2008-11-21 05:19 dixit Damien Miller:
> 
> : OpenSSH Security Advisory: cbc.adv
> : 
> : Regarding the "Plaintext Recovery Attack Against SSH" reported as
> : CPNI-957037[1]:
> 
>   [...]
> 
> : AES CTR mode and arcfour ciphers are not vulnerable to this attack at
> : all. These may be preferentially selected by placing the following
> : directive in sshd_config and ssh_config:
> : 
> : Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
> 
> As I recall, the 'arcfour' cipher (no keysize in the name) has its own
> potential vulnerability, in that it fails to discard the initial 1536
> bytes of the kesystream <http://www.ietf.org/rfc/rfc4345.txt>.  The
> 'arcfour128' cipher is the one which mixes the keystream before using
> it.
> 
> The following 'Ciphers' spec is probably what Damien intended:
> 
> Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,aes256-cbc

No, I intended to leave the "arcfour" cipher in there because I don't
want security advice to break working configurations - "arcfour" has
always been in the default ssh protocol 2 proposal and lots of people
use it.

With regard to early keystream correlation, I don't think this is quite
so serious in SSH - arcfour is keyed with 256 bits of good-quality key
material derived from D-H. We could leak half these bits and still be a
solid position.

SSH's use is very different to WEPs. In WEP, the key is almost certainly
weak to begin with (it is human-entered). WEP also reuses the key over
and over, with different (sometimes weak) IVs - this reuse repeatedly
exposes the early keystream and is (with the weak IVs) what allows the
Fluhrer, Shamir and Mantin attack to recover the key. SSH uses the
negotiated keys only once.

I'd like to get rid of "arcfour" from the standard proposal, but haven't
thought of a nice way to transition people away from it.

-d