OpenSSH and CBC

Gerhard Wiesinger lists at wiesinger.com
Tue Jun 16 19:52:56 AEST 2015


On 15.06.2015 21:31, Christian Weisgerber wrote:
> On 2015-06-15, Gerhard Wiesinger <lists at wiesinger.com> wrote:
>
>> I saw that OpenSSH release 6.7 removed all CBC ciphers by default. Is
>> CBC therefore considered as broken and unsecure (in general or SSH
>> implementation)?
> CBC modes in SSH use the last encrypted block of the previous packet
> as the IV for the next packet.  The protocol is specified this way.

As the new IV depends on the (unknown) key and an unbroken crypto/hash 
algorithms I don't see any problem with this assuming normal behaviour 
with new keys on a new connection and correct implementation. Am I wrong?

>
>> I also read a lot of references (see below) but still not clear to me
>> what's the actual "security status" of CBC and why it has been removed
>> in general.
> These are pertinent:
>
>> http://www.kb.cert.org/vuls/id/958563
> http://www.openssh.com/txt/cbc.adv
>

But that should be already covered by:
http://www.openssh.com/txt/release-5.2
We believe that these attacks are rendered infeasible by these changes.

BTW: If you didn't know, here you find the details about the attacks 
(already in my link list):
http://isg.rhul.ac.uk/~kp/SandPfinal.pdf
I think it was unknown at the time OpenSSH 5.2 was released.
E.g. some assumptions are wrong: After at most 2^14 connections ...
With each new ssh connection I will have a new symmetrical key so the 
assumption is not feasible.

Also: One of the main challenges for building an exploit based on our 
proof-of-concept code would be to find a service which tolerates SSH 
connection failures and reconnects on these failures.
I think such assumptions are just theoretical.
Also according to the paper encrypt then-MAC schemes are also vulnerable 
(which are considered secure): But it is not hard to see that this 
construction would still be vulnerable to our attacks.

There is another paper available: Some Fixes To SSH
https://eprint.iacr.org/2013/151.pdf

BTW: Jan Zerebecki also doesn't recommend the AES CTR modes as they 
disclose packet length.
https://wiki.mozilla.org/Security/Guidelines/OpenSSH
Any comments on this?

Ciao,
Gerhard

-- http://www.wiesinger.com/



More information about the openssh-unix-dev mailing list