From owner-freebsd-security Fri Jan 7 12:53:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bg.sics.se (bg.sics.se [193.10.66.124]) by hub.freebsd.org (Postfix) with ESMTP id 96F6914DE1; Fri, 7 Jan 2000 12:53:18 -0800 (PST) (envelope-from bg@bg.sics.se)
Received: (from bg@localhost) by bg.sics.se (8.9.3/8.9.3) id VAA05066; Fri, 7 Jan 2000 21:53:10 +0100 (CET) (envelope-from bg)
To: Dag-Erling Smorgrav, Brian Fundakowski Feldman
Cc: Markus Friedl, security@FreeBSD.ORG
Subject: Re: OpenSSH protocol 1.6 proposal
References:
From: Bjoern Groenvall
Date: 07 Jan 2000 21:53:09 +0100
In-Reply-To: Dag-Erling Smorgrav's message of 06 Jan 2000 14:50:39 +0100
Message-ID:
Lines: 39
X-Mailer: Red Gnus v0.52/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dag-Erling Smorgrav writes:

> Brian Fundakowski Feldman writes:
> > I've been thinking what the best way to make OpenSSH more secure would be,
> > and now it seems to be a change in the protocol. What change? Well,
> > SSH version 1.5 and below (all versions so far) have been vulnerable to
> > attacks based upon properties of the highly insecure CRC32 hash used.
>
> Which part of "ssh 1.2.25 fixes the problem" did you not understand?

Markus Friedl writes:

> 1.2.25 et al do not fix the problem, they just make
> attacks a little bit harder.

Also remember that the SSH_3DES scheme resists the attack described by
Futoransky et al. The attack is effective against IDEA_CFB, DES_CBC or in
general any block cipher that uses CBC or CFB. Currently there is no known
attack that is effective when the somewhat weird feedback mode of SSH_3DES
is used.

So if you are looking for a temporary solution to the SSHv1 problem, disable
all ciphers but SSH_3DES. Unlike the attack detector in 1.2.25++, this
solution will always resist the Futoransky attack. This does not imply that
the SSH_3DES mode is secure, only that there currently has been no published
method of attack.
In the long run we still need a new packet format.

Cheers,
Björn

--
Bjorn Gronvall (Björn Grönvall)
Swedish Institute of Computer Science
PO Box 1263, S-164 29 Kista, Sweden
Email: bg@sics.se, Phone +46 -8 633 15 25
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
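The thread above turns on one property of CRC32: it is a linear (affine) function over GF(2), not a keyed integrity check, which is why the ciphers and the "attack detector" are only stopgaps and a new packet format with a real MAC is the long-run fix. The following is an added illustration, written for this page and not code from the thread or from OpenSSH. It uses two constructed equal-length byte strings (not real SSH packets) and a constructed key, and checks the affine identity crc(a xor b) == crc(a) xor crc(b) xor crc(0...0) for CRC32, then shows that the same identity fails for HMAC-SHA256, the kind of keyed MAC a replacement packet format would carry.

```python
import hashlib
import hmac
import random
import zlib

# Constructed sample inputs; equal length is required for the xor identity.
PACKET_A = b"set cipher SSH_3DES and carry on....."
PACKET_B = b"set cipher IDEA_CFB and carry on....."
MAC_KEY = b"constructed-demo-key-not-a-real-secret"


def xor_bytes(x: bytes, y: bytes) -> bytes:
    """Bytewise xor of two equal-length byte strings."""
    if len(x) != len(y):
        raise ValueError("inputs must have equal length")
    return bytes(p ^ q for p, q in zip(x, y))


def crc32_affine_holds(a: bytes, b: bytes) -> bool:
    """CRC32 is affine over GF(2): the xor of two messages has a checksum
    that is fully determined by the two checksums and the all-zero checksum
    of the same length. No secret is involved, so the result is predictable
    to anyone who can flip bits in the message."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    return lhs == rhs


def hmac_affine_holds(key: bytes, a: bytes, b: bytes) -> bool:
    """The same identity tested against HMAC-SHA256. A keyed MAC is not
    linear in its input, so the identity fails (except with negligible
    probability), which is what an integrity check needs."""
    def tag(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha256).digest()

    zeros = bytes(len(a))
    lhs = tag(xor_bytes(a, b))
    rhs = xor_bytes(xor_bytes(tag(a), tag(b)), tag(zeros))
    return lhs == rhs


def check_integrity_properties(trials: int, seed: int = 1234) -> dict:
    """Run both checks over random equal-length message pairs and count how
    often the affine identity holds for each. Deterministic via the seed."""
    rng = random.Random(seed)
    counts = {"crc32": 0, "hmac": 0}
    for _ in range(trials):
        n = rng.randint(1, 64)
        a = bytes(rng.getrandbits(8) for _ in range(n))
        b = bytes(rng.getrandbits(8) for _ in range(n))
        counts["crc32"] += crc32_affine_holds(a, b)
        counts["hmac"] += hmac_affine_holds(MAC_KEY, a, b)
    return counts


if __name__ == "__main__":
    print("CRC32 affine on sample packets:", crc32_affine_holds(PACKET_A, PACKET_B))
    print("HMAC affine on sample packets: ", hmac_affine_holds(MAC_KEY, PACKET_A, PACKET_B))
    print("over 50 random pairs:", check_integrity_properties(50))
```

The CRC check holds for every pair because CRC32 is a fixed affine map with no key; the HMAC check fails for every pair because the tag depends on a secret and is not linear in the message. That difference, not the choice of cipher, is what the "new packet format" in the last line of the message is about.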