OpenSSH security advisory: cbc.adv

Jim Knoble jmknoble at
Sat Nov 22 17:06:08 EST 2008

Circa 2008-11-21 18:53 dixit Damien Miller:

: On Fri, 21 Nov 2008, Jim Knoble wrote:
: > Circa 2008-11-21 05:19 dixit Damien Miller:
: > : OpenSSH Security Advisory: cbc.adv
: > : 
: > : Regarding the "Plaintext Recovery Attack Against SSH" reported as
: > : CPNI-957037[1]:
: > The following 'Ciphers' spec is probably what Damien intended:
: > 
: > Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,aes256-cbc
: No, I intended to leave the "arcfour" cipher in there because I don't
: want security advice to break working configurations - "arcfour" has
: always been in the default ssh protocol 2 proposal and lots of people
: use it.

I stand corrected.

: With regard to early keystream correlation, I don't think this is quite
: so serious in SSH - arcfour is keyed with 256 bits of good-quality key
: material derived from D-H. We could leak half these bits and still be in a
: solid position.
: SSH's use is very different to WEP's. In WEP, the key is almost certainly
: weak to begin with (it is human-entered). WEP also reuses the key over
: and over, with different (sometimes weak) IVs - this reuse repeatedly
: exposes the early keystream and is (with the weak IVs) what allows the
: Fluhrer, Shamir and Mantin attack to recover the key. SSH uses the
: negotiated keys only once.

Thanks for clarifying this, Damien.  The risks as you describe them
above make 'arcfour' a reasonably secure choice.  As you note, keeping
things from breaking is more than a bit important.


jim knoble  |  jmknoble at  |
(GnuPG key ID: C6F31FFA)
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
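The thread turns on the order of the 'Ciphers' list: the mitigation in cbc.adv works because the peer takes the first mutually supported entry, so CTR modes must precede every CBC mode while 'arcfour' can stay wherever an existing configuration has it. The following script is an added example, not code from this thread or from OpenSSH: it reads the first 'Ciphers' keyword out of a config file and checks that no CBC cipher is listed ahead of a CTR cipher. The function names, the awk extraction (which assumes the plain 'Keyword value' form) and the sample config are constructed here; the sample's cipher list is the one proposed earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH itself: audit the
# 'Ciphers' directive of an ssh_config/sshd_config so that every CBC-mode
# cipher is listed after all CTR-mode ciphers, which is what the cbc.adv
# mitigation relies on. Function names and the sample config are constructed.

# ciphers_from_config FILE
#   Print the value of the first uncommented 'Ciphers' keyword (case-
#   insensitive); OpenSSH uses the first obtained value of a keyword.
#   Assumes the 'Keyword value' form rather than 'Keyword=value'.
ciphers_from_config() {
    awk '$1 !~ /^#/ && tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# check_ciphers_order SPEC
#   Exit 0 when no CBC cipher precedes a CTR cipher in the comma-separated
#   SPEC, exit 1 otherwise. Ciphers that are neither (e.g. arcfour) are
#   ignored. Runs in a subshell so the IFS change does not leak out.
check_ciphers_order() (
    IFS=,
    seen_cbc=0
    for c in $1; do
        case $c in
            *-cbc) seen_cbc=1 ;;
            *-ctr) [ "$seen_cbc" -eq 0 ] || exit 1 ;;
        esac
    done
    exit 0
)

# audit_config FILE
#   Print "ok", "cbc-first" or "no-ciphers-line" for FILE; the exit status
#   is 0 only for "ok" (1 for cbc-first, 2 for a missing directive).
audit_config() {
    spec=$(ciphers_from_config "$1")
    if [ -z "$spec" ]; then
        echo "no-ciphers-line"; return 2
    elif check_ciphers_order "$spec"; then
        echo "ok"; return 0
    else
        echo "cbc-first"; return 1
    fi
}

# Constructed sample: a client config using the cipher list proposed in the
# thread, which places the CBC modes last.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample ssh_config for this example
Host *
    Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,aes256-cbc
EOF

audit_config "$SAMPLE_CFG"   # prints: ok
rm -f "$SAMPLE_CFG"
```

Run it against a real file with `audit_config /etc/ssh/sshd_config`; a "no-ciphers-line" result means the daemon is using its compiled-in default order rather than an explicit list.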
