LZ4 compression in openssh

Aris Adamantiadis aris at 0xbadc0de.be
Mon Oct 28 21:56:38 EST 2013


Also nice to know that zlib@openssh.com enables the compression only
after authentication, mitigating the known problems with compression
and passwords. It is also very hard to do chosen-plaintext attacks on
the client-to-server side (as opposed to HTTPS, where that's trivial).
And most passwords that are typed after authentication are entered
character by character, making them fall under the padding length anyway.
I think the compression vulnerabilities in CRIME are not applicable to
SSH with delayed compression.

Aris

On 25/10/13 21:47, Daniel Kahn Gillmor wrote:
> On 10/25/2013 03:23 PM, Mark E. Lee wrote:
>> Thanks for the response, what kind of problematic interactions
>> would occur (other than trying to compress seemingly random
>> data)?
> 
> e.g. https://en.wikipedia.org/wiki/CRIME or similar attacks where
> the attacker can inject pre-defined cleartext into the channel and
> can then observe length changes in the ciphertext to derive the
> other (non-injected) contents of the cleartext.
> 
> --dkg
> 
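
Added example, not part of the original message and not OpenSSH code: a small model of the two effects discussed above, delayed compression keeping pre-authentication packet sizes independent of content, and RFC 4253 padding quantising per-keystroke packet sizes. The names Sender, packet_len, auth_packet_sizes and keystroke_sizes are hypothetical; it assumes a 16-byte cipher block, classic framing where the length field counts toward the block multiple, and a zlib sync flush per packet.

```python
import zlib

def packet_len(payload_len, block=16):
    """Wire size of one SSH binary packet, MAC excluded (RFC 4253, section 6):
    uint32 length + byte padding_length + payload + at least 4 padding bytes,
    rounded up to a multiple of max(8, cipher block size)."""
    block = max(8, block)
    unpadded = 4 + 1 + payload_len
    pad = block - unpadded % block
    if pad < 4:
        pad += block
    return unpadded + pad

class Sender:
    """One direction of a connection. delayed=True models zlib@openssh.com:
    the compressor only exists once authentication has succeeded."""
    def __init__(self, delayed):
        self.z = None if delayed else zlib.compressobj()

    def auth_success(self):
        if self.z is None:
            self.z = zlib.compressobj()

    def send(self, payload):
        if self.z is not None:
            # Flush per packet so the peer can decode it at once (modelling choice).
            payload = self.z.compress(payload) + self.z.flush(zlib.Z_SYNC_FLUSH)
        return packet_len(len(payload))

def auth_packet_sizes(delayed):
    """Sizes of two constructed, equal-length pre-auth payloads: one highly
    redundant, one with no repetition."""
    redundant, varied = b"a" * 200, bytes(range(200))
    return Sender(delayed).send(redundant), Sender(delayed).send(varied)

def keystroke_sizes(text):
    """Post-auth: each typed character travels in its own SSH_MSG_CHANNEL_DATA
    (type 94, uint32 channel, string data) through the compressor."""
    s = Sender(delayed=True)
    s.auth_success()
    head = bytes([94]) + (0).to_bytes(4, "big") + (1).to_bytes(4, "big")
    return [s.send(head + bytes([c])) for c in text]

if __name__ == "__main__":
    print("delayed   :", auth_packet_sizes(True))    # equal: content does not show
    print("immediate :", auth_packet_sizes(False))   # differ: redundancy shows in size
    print("keystrokes:", keystroke_sizes(b"constructed"))
```
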

