OpenSSH Design Flaw Discovered (zdnet.com)
20 points by durin42 on May 20, 2009 | 7 comments

Working on a blog post on this now --- actually a response to Atwood's recent craziness --- but you should know this is a general attack, and a well-known one, which I know as "error oracle attacks", but might have a better formal name.

Long story short: you can't generate error messages that reveal whether messages decrypted properly, or attackers can permute and replay valid messages and use them to reveal plaintext. This touches on the same radioactive mistake Atwood made earlier this week, but even if you don't make his mistake, there are simpler implementation errors you can make that have the same impact.

A good deck from 2005, from the same group cited here:


I could dispute whether this is really a "design error" in OpenSSH, in that you wouldn't want to imply that this was particularly hard to fix; the fix, for instance, won't break compatibility.

The OpenSSH security page has more useful information and a link to the advisory (posted last November).


Would have been nice for the zdnet article to provide a link to it.

On: http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

It says: "The most straightforward solution is to use CTR mode instead of CBC mode, since this renders SSH resistant to the attack."

there is also this page: http://www.openssh.com/txt/cbc.adv

both one level down from that one.

(off-topic, but it's amusing how their comment system removes the word "chink" from all comments even though it's the first word of the title of the article.)
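A defensive check in the spirit of the advisory's CTR recommendation quoted above, written as an added example (it is not from the advisory, OpenSSH, or any commenter): it parses an sshd_config, reports the CBC-mode ciphers configured in each scope, and emits the same list with CBC removed. The config text is constructed.

```python
import re

# Constructed sample sshd_config (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
Ciphers aes128-cbc,aes256-ctr,3des-cbc,aes128-ctr   # mixed list
MACs hmac-sha1
Match User backup
    Ciphers aes128-ctr
"""

def parse_cipher_directives(config_text):
    """Return [(scope, [cipher, ...])] for every Ciphers directive.

    scope is 'global' until a Match line is seen, then that Match line.
    sshd_config keywords are case-insensitive, accept 'Key value' or
    'Key=value', and '#' starts a comment."""
    scope, found = "global", []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            scope = line
        elif key == "ciphers":
            found.append((scope, [c.strip() for c in value.split(",") if c.strip()]))
    return found

def is_cbc(cipher):
    """OpenSSH names CBC-mode ciphers with '-cbc' in the name
    (e.g. aes128-cbc, 3des-cbc, rijndael-cbc@lysator.liu.se)."""
    return "-cbc" in cipher.lower()

def audit(config_text):
    """Return (findings, hardened): CBC ciphers per scope, and the same
    list per scope with CBC removed, order preserved. sshd honours the
    first directive in a scope, so a repeated directive is ignored."""
    findings, hardened = {}, {}
    for scope, ciphers in parse_cipher_directives(config_text):
        findings.setdefault(scope, [c for c in ciphers if is_cbc(c)])
        hardened.setdefault(scope, [c for c in ciphers if not is_cbc(c)])
    if "global" not in findings:
        # No explicit list: the build's defaults apply, which the file
        # alone cannot verify, so flag it for manual checking.
        findings["global"] = ["<no Ciphers directive: defaults apply, check manually>"]
    return findings, hardened

if __name__ == "__main__":
    for scope, bad in audit(SAMPLE_SSHD_CONFIG)[0].items():
        print(f"{scope}: CBC ciphers -> {bad or 'none'}")
```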

It says it is in SSH 4.7. I just checked and I'm already up to version 5.1 on a 2.6.26-1 system. How dated is this problem?

This is a flaw in the SSH standard itself, not in a specific version of software. Countermeasures have been put in place to mitigate the flaw in OpenSSH however.

"They've fixed [OpenSSH]; they've put countermeasures in place to stop our attack," said Patterson. "But the standard has not changed."

The article appears to have been removed.

"We were unable to find the page you requested."
