From owner-freebsd-security Wed Dec 29 6:31:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from faui01.informatik.uni-erlangen.de (faui01.informatik.uni-erlangen.de [131.188.2.1]) by hub.freebsd.org (Postfix) with ESMTP id 74A1C14BEA for ; Wed, 29 Dec 1999 06:31:50 -0800 (PST) (envelope-from msfriedl@faui01.informatik.uni-erlangen.de)
Received: (from msfriedl@localhost) by faui01.informatik.uni-erlangen.de (8.8.8/8.1.16-FAU) id PAA26014; Wed, 29 Dec 1999 15:31:46 +0100 (MET)
Date: Wed, 29 Dec 1999 15:31:46 +0100
From: Markus Friedl
To: freebsd-security@FreeBSD.ORG
Cc: Warner Losh, Fernando Schapachnik
Subject: Re: OpenSSH vulnerable to protocol flaw?
Message-ID: <19991229153146.A25953@faui01.informatik.uni-erlangen.de>
References: <199912161207.JAA22894@ns1.via-net-works.net.ar> <199912162104.OAA74270@harmony.village
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: ; from owner-freebsd-security on Fri, Dec 28, 2007 at 12:07:49AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OpenSSH implements the SSH1 protocol. The mentioned flaw can only be
fixed by breaking the protocol.

I have an experimental patch that replaces CRC with hmac-sha1 among
other things. Send mail to markus@openssh.COM if you want to
review/test/comment/cryptanalyze the patches.

-markus

On Fri, Dec 28, 2007 at 12:07:49AM +0000, owner-freebsd-security wrote:
> Warner Losh writes:
> > OpenSSH implements the ssh1 protocol, which is vulnerable to insertion
> > attacks like the one described in bugtraq. I don't think they have
> > changed the protocol at all, but I'm sure someone will tell me if I'm
> > wrong.
>
> Random quotes from the advisory:
>
> Note that the new revision for the SSH protocol, proposed and
> published as Internet Drafts [2],[3],[4] [5] makes use of
> cryptographically strong message authentication codes for
> integrity checks that won't fail to these attacks.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
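The point of the thread above, that a CRC-32 "integrity check" on encrypted data cannot be repaired without changing the protocol, while an HMAC-SHA1 tag can, is easier to see in code. What follows is an added example written for this archive page; it is not Markus Friedl's patch, not OpenSSH code, and not SSH1's real packet layout or cipher modes. It uses a deliberately simplified model: a payload followed by its CRC-32, XORed with a keystream (a stream-cipher stand-in), so that the only property under examination is the integrity check. The keys, the toy keystream function, the sample commands and the sequence-number handling are all constructed for the demo.

```python
import hashlib
import hmac
import zlib

# Constructed keys for the demo (not derived from any real SSH session).
KEY = b"demo-cipher-key"
MAC_KEY = b"demo-mac-key"
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def crc32(data: bytes) -> int:
    """Standard CRC-32, the checksum SSH1 used as its integrity check."""
    return zlib.crc32(data) & 0xFFFFFFFF


def keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. It stands in for the
    packet cipher so that the integrity check is what we examine. A real
    protocol must never reuse a keystream across packets; this demo only
    ever encrypts one packet per key."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- CRC-32 integrity, SSH1 style -----------------------------------------

def encrypt_crc(key: bytes, payload: bytes) -> bytes:
    """Encrypt payload || CRC32(payload)."""
    plain = payload + crc32(payload).to_bytes(4, "big")
    return xor(plain, keystream(key, len(plain)))


def decrypt_crc(key: bytes, packet: bytes):
    """Return the payload if the CRC verifies, else None."""
    plain = xor(packet, keystream(key, len(packet)))
    payload, tag = plain[:-4], plain[-4:]
    return payload if crc32(payload).to_bytes(4, "big") == tag else None


def forge_crc(packet: bytes, delta: bytes) -> bytes:
    """Ciphertext-only modification: XOR `delta` into the encrypted payload
    and patch the encrypted CRC so the receiver's check still passes.

    This works because CRC-32 is affine over GF(2). For equal-length inputs
        crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros)
    and under a stream cipher an XOR into the ciphertext is an XOR into the
    plaintext. No key material is needed."""
    n = len(packet) - 4
    assert len(delta) == n
    crc_fix = crc32(delta) ^ crc32(bytes(n))
    new_payload = xor(packet[:n], delta)
    new_tag = xor(packet[n:], crc_fix.to_bytes(4, "big"))
    return new_payload + new_tag


# --- HMAC-SHA1 integrity ---------------------------------------------------

def mac(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA1 over sequence number || plaintext. Binding the sequence
    number also rejects replayed packets."""
    return hmac.new(mac_key, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()


def encrypt_hmac(key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    return xor(payload, keystream(key, len(payload))) + mac(mac_key, seq, payload)


def decrypt_hmac(key: bytes, mac_key: bytes, seq: int, packet: bytes):
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    payload = xor(body, keystream(key, len(body)))
    return payload if hmac.compare_digest(mac(mac_key, seq, payload), tag) else None


def tamper_hmac(packet: bytes, delta: bytes) -> bytes:
    """The same ciphertext bit-flip against the HMAC variant. Without the MAC
    key there is no way to patch the tag, so the receiver rejects it."""
    n = len(packet) - TAG_LEN
    return xor(packet[:n], delta) + packet[n:]


if __name__ == "__main__":
    original, target = b"ls -la\n", b"rm -rf\n"   # constructed sample commands
    delta = xor(original, target)

    pkt = encrypt_crc(KEY, original)
    print("CRC  honest :", decrypt_crc(KEY, pkt))
    print("CRC  forged :", decrypt_crc(KEY, forge_crc(pkt, delta)))  # b'rm -rf\n'

    pkt = encrypt_hmac(KEY, MAC_KEY, 0, original)
    print("HMAC honest :", decrypt_hmac(KEY, MAC_KEY, 0, pkt))
    print("HMAC forged :", decrypt_hmac(KEY, MAC_KEY, 0, tamper_hmac(pkt, delta)))  # None
```

The CRC forgery needs nothing but the ciphertext and a guess at the original bytes; that is why the fix cannot be a local patch to the implementation. Replacing the CRC with an HMAC changes the bytes on the wire and what both ends compute over them, which is the protocol break the message refers to.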