OpenSSH and CBC
Damien Miller
djm at mindrot.org
Fri Jun 19 18:29:57 AEST 2015
On Fri, 19 Jun 2015, Gerhard Wiesinger wrote:
> On 15.06.2015 16:05, Gerhard Wiesinger wrote:
> > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
> > https://packetstormsecurity.com/files/72061/Vulnerability_Advisory_SSH.txt.html
> > http://isg.rhul.ac.uk/~kp/SandPfinal.pdf
>
> The success probability in recovering 32 plaintext bits is 2^{-18} when
> attacking the OpenSSH implementation of the SSH RFCs. A variant of the attack
> against the OpenSSH implementation verifiably recovers 14 plaintext bits with
> probability 2^{-14}.
That's before our countermeasures, that make this attack AFAIK infeasible.
> Recovering 14 bits: That's basically no better than brute force, so no real
> attack, isn't it?
No, it's a real attack but it is not practical in most configurations.
> Recovering 32 bits: That's basically a little bit better than brute force but I
> think there is also no real attack vector, isn't it?
Depends on what the 32 bits are. If I can recover 32 bits of a password
then you're going to have a bad day.
> Especially in the context of OpenSSH 5.2 mitigation and different keys in
> different kind of connections.
>
> Any opinions on this?
The defaults in recent OpenSSH are safe against this attack. It's not
something you need to worry about if both ends are OpenSSH. If you're
using a non-OpenSSH client or server then you might need to pay more
attention.
-d
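The reply above says the OpenSSH defaults are safe and that CBC only needs attention when a non-OpenSSH peer is involved. The script below is an added example, not code from the thread or from OpenSSH: it takes a comma-separated cipher list in the form the sshd_config/ssh_config "Ciphers" directive uses, reports whether any CBC-mode entry is present, and produces the same list with the CBC entries removed so it can be pasted back into the configuration. The sample cipher list is constructed for illustration; the optional live check assumes an OpenSSH client new enough to support "ssh -G" (6.8 and later).

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from OpenSSH): audit and
# strip CBC-mode ciphers from an SSH "Ciphers" list.

# has_cbc LIST
#   Exit 0 if any comma-separated entry in LIST ends in "-cbc", else 1.
has_cbc() {
    printf '%s' "$1" | tr ',' '\n' | grep -q -- '-cbc$'
}

# strip_cbc LIST
#   Print LIST with every "*-cbc" entry removed, still comma-separated.
#   Prints an empty line if nothing but CBC ciphers were offered.
strip_cbc() {
    printf '%s' "$1" | tr ',' '\n' | grep -v -- '-cbc$' | paste -sd, -
}

# client_ciphers HOST
#   Effective client cipher list for HOST as resolved by the local ssh
#   config. Assumes an OpenSSH client with "ssh -G" (6.8+); prints nothing
#   if ssh is missing or too old, so the rest of the script still works.
client_ciphers() {
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G "$1" 2>/dev/null | awk '$1 == "ciphers" { print $2 }'
}

# Constructed sample: a mixed list such as an older or non-OpenSSH peer
# might still offer. The exact names follow OpenSSH's cipher naming.
SAMPLE='aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'

if has_cbc "$SAMPLE"; then
    echo "CBC ciphers offered in sample list:"
    printf '%s\n' "$SAMPLE" | tr ',' '\n' | grep -- '-cbc$' | sed 's/^/  /'
    echo "Suggested sshd_config / ssh_config line:"
    echo "Ciphers $(strip_cbc "$SAMPLE")"
else
    echo "No CBC ciphers in sample list."
fi

# Same check against the local client configuration, if ssh -G is available.
LIVE=$(client_ciphers localhost)
if [ -n "$LIVE" ]; then
    if has_cbc "$LIVE"; then
        echo "Local client still offers CBC: $LIVE"
    else
        echo "Local client offers no CBC ciphers."
    fi
fi
```

The "Ciphers" line printed by the script is what to put in sshd_config (server side) or ssh_config (client side) when the other end is not OpenSSH and you want to be certain CBC is never negotiated; with two OpenSSH peers at current defaults the check should already come back clean.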