On Fri, 19 Jun 2015, Gerhard Wiesinger wrote:

> On 15.06.2015 16:05, Gerhard Wiesinger wrote:
> > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
> > https://packetstormsecurity.com/files/72061/Vulnerability_Advisory_SSH.txt.html
> > http://isg.rhul.ac.uk/~kp/SandPfinal.pdf
> >
> > The success probability in recovering 32 plaintext bits is 2^{-18} when
> > attacking the OpenSSH implementation of the SSH RFCs. A variant of the attack
> > against the OpenSSH implementation verifiably recovers 14 plaintext bits with
> > probability 2^{-14}.

That's before our countermeasures that make this attack AFAIK infeasible.

> Recovering 14 bits: That's basically no better than brute force, so no real
> attack, isn't it?

No, it's a real attack but it is not practical in most configurations.

> Recovering 32 bits: That's basically a little bit better than brute force bu
> think there is also no real attack vector, isn't it?

Depends on what the 32 bits are. If I can recover 32 bits of a password then
you're going to have a bad day.

> Especially in the context of OpenSSH 5.2 mitigation and different keys in
> different kind of connections.
>
> Any opinions on this?

The defaults in recent OpenSSH are safe against this attack. It's not
something you need to worry about if both ends are OpenSSH. If you're using a
non-OpenSSH client or server then you might need to pay more attention.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
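A defender's check for the configuration point made in the reply above, added here as an example and not code from the thread or from OpenSSH itself: the plaintext-recovery attack in the linked paper applies to CBC-mode ciphers, so the script audits a `ciphers` line of the form printed by `sshd -T` or `ssh -G host` for CBC entries and prints a hardened `Ciphers` directive with them removed. The sample cipher line is constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit an OpenSSH cipher list for CBC-mode ciphers (the only modes affected
# by the attack discussed in the thread) and print a hardened replacement.
# Input is a "ciphers ..." line as printed by `sshd -T` or `ssh -G host`.
# The sample line below is constructed, not captured from a real host.
SAMPLE_CIPHERS='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com'

# split_ciphers LINE -> one cipher name per output line
split_ciphers() {
    printf '%s\n' "$1" | sed 's/^[Cc]iphers[[:space:]]*//' | tr ',' '\n'
}

# join_lines -> joins stdin lines with commas (empty output when no input)
join_lines() {
    awk '{ out = out (NR > 1 ? "," : "") $0 } END { print out }'
}

# cbc_ciphers LINE -> comma-separated CBC ciphers found in LINE
cbc_ciphers() {
    split_ciphers "$1" | grep -- '-cbc' | join_lines
}

# hardened_ciphers LINE -> the same list with every CBC cipher removed,
# formatted as a Ciphers directive ready for sshd_config
hardened_ciphers() {
    printf 'Ciphers %s\n' "$(split_ciphers "$1" | grep -v -- '-cbc' | join_lines)"
}

# cbc_free LINE -> exit status 0 when no CBC cipher is offered, 1 otherwise
cbc_free() {
    [ -z "$(cbc_ciphers "$1")" ]
}

# Stand-alone run against the constructed sample; on a live host replace
# "$SAMPLE_CIPHERS" with "$(sshd -T 2>/dev/null | grep '^ciphers ')".
if cbc_free "$SAMPLE_CIPHERS"; then
    echo "no CBC ciphers offered"
else
    echo "CBC ciphers offered: $(cbc_ciphers "$SAMPLE_CIPHERS")"
    echo "suggested sshd_config line: $(hardened_ciphers "$SAMPLE_CIPHERS")"
fi
```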