Re: OpenSSH and CBC

On Fri, 19 Jun 2015, Gerhard Wiesinger wrote:

> On 15.06.2015 16:05, Gerhard Wiesinger wrote:
> > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
> > https://packetstormsecurity.com/files/72061/Vulnerability_Advisory_SSH.txt.html 
> > http://isg.rhul.ac.uk/~kp/SandPfinal.pdf
> 
> The success probability in recovering 32 plaintext bits is 2^{-18} when
> attacking the OpenSSH implementation of the SSH RFCs. A variant of the attack
> against the OpenSSH implementation verifiably recovers 14 plaintext bits with
> probability 2^{-14}.

That's before our countermeasures, which make this attack AFAIK infeasible.

> Recovering 14 bits: That's basically no better than brute force, so no real
> attack, isn't it?

No, it's a real attack but it is not practical in most configurations.

> Recovering 32 bits: That's basically a little bit better than brute force but I
> think there is also no real attack vector, isn't it?

Depends on what the 32 bits are. If I can recover 32 bits of a password
then you're going to have a bad day.

> Especially in the context of OpenSSH 5.2 mitigation and different keys in
> different kind of connections.
> 
> Any opinions on this?

The defaults in recent OpenSSH are safe against this attack. It's not
something you need to worry about if both ends are OpenSSH. If you're
using a non-OpenSSH client or server then you might need to pay more
attention.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
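The check Damien alludes to above ("if you're using a non-OpenSSH client or server then you might need to pay more attention"), as an added example that is not from this thread or from OpenSSH: it parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), in which each peer announces the encryption algorithms it is willing to use, and lists any CBC ciphers offered in either direction. The KEXINIT payloads are constructed inline, and `build_kexinit`, `parse_kexinit` and `cbc_ciphers_offered` are hypothetical helper names.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten KEXINIT name-lists in the order RFC 4253 section 7.1 gives them.
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client")
CIPHER_FIELDS = KEXINIT_FIELDS[2:4]

def _name_list(names):
    """SSH name-list: uint32 length, then comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(fields, cookie=bytes(16)):
    """Encode a KEXINIT payload (the bytes after packet_length/padding_length)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        body += _name_list(fields.get(name, []))
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; rejects truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, fields = 17, {}  # skip the message byte and the 16-byte cookie
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list " + name)
        fields[name] = [s for s in raw.decode("ascii").split(",") if s]
        pos += 4 + n
    return fields

def cbc_ciphers_offered(payload):
    """CBC ciphers a peer offers in either direction (aes256-cbc, 3des-cbc,
    rijndael-cbc@lysator.liu.se, ...); an empty list means no CBC exposure."""
    fields = parse_kexinit(payload)
    return sorted({c for f in CIPHER_FIELDS for c in fields[f] if "-cbc" in c})

# Constructed sample: a legacy peer that still offers CBC ciphers alongside CTR.
LEGACY_PEER = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes256-cbc", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes256-cbc"]})
```

To audit a live peer, feed the payload of the first KEXINIT packet it sends (after the version exchange) to `cbc_ciphers_offered`; a non-empty result means the connection can negotiate a CBC mode and the peer's `Ciphers` setting deserves attention.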