On Wed, Feb 06, 2002 at 05:36:41PM -0500, Jose Nazario wrote:
> The attack itself is very simple. Remember that in CBC mode, each
> plaintext block is XOR'ed with the last ciphertext block and then
> encrypted to produce the next ciphertext block. Suppose the attacker
> suspects that plaintext block P_i might be x, and wants to test whether
> that's the case, he would choose the next plaintext block P_j to be x
> XOR C_(i-1) XOR C_(j-1). If his guess is correct, then C_j = Encrypt(P_j
> XOR C_(j-1)) = Encrypt(P_i XOR C_(i-1)) = C_i, and so he can confirm his
> guess by looking at whether C_j = C_i.

I understand the maths behind this, but I can't quite see a practical attack.

If the attacker wants to guess a plaintext block P_i transmitted by the SSH client, he must feed his plaintext block P_(i+1) to the ssh client on standard input, so that it is properly encrypted and then transmitted. This implies a great deal of control over the client process (such as the ability to write to the client's standard input).

Maybe I'm dense, but I can't think of many scenarios where an attacker can get this type of control. Either someone or something establishes an SSH connection, transmits The Secret and then relinquishes control of the session to the attacker (which is not a very common use of SSH), or the attacker obtains control of a user's terminal (hijacking e.g. the xterm), or of the ssh client process itself. In the latter two cases, The Secret can usually be retrieved much more conveniently through traditional methods.

At any rate, I believe this can be used as a local exploit only.

> However even with this and other potential constraints it seems very
> possible for the attacker to succeed in some situations. So I suggest

I don't say it's not a problem, but I think this is exaggerating things a bit. I cannot see this problem being exploited for most "normal" uses of ssh (remote login and file copy).
Tunneling other protocols through an SSH connection may be a different issue, but it still seems a bit far-fetched.

Olaf
-- 
Olaf Kirch     |  --- o --- Nous sommes du soleil we love when we play
okirat_private |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private +-------------------- Why Not?! -----------------------
 UNIX, n.: Spanish manufacturer of fire extinguishers.
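The block-guess check quoted at the top of this message, worked through in code, together with the practical constraint Olaf raises (the attacker must inject the probe while the chaining value he read is still current). This is an added example and is not code from the thread or from any SSH implementation. It assumes a CBC stream whose chaining value carries over from one packet to the next (as the SSH transport does), an eavesdropper who sees every ciphertext block, and an attacker who can write one plaintext block to the client's stdin. The block cipher is a keyed Feistel stand-in built on SHA-256, and the key, IV, traffic and wordlist are all constructed here; the attack depends only on the CBC chaining, not on which cipher is underneath.

```python
"""Wei Dai's CBC block-guess check against a toy SSH-style CBC stream (constructed example)."""
import hashlib
import os
from typing import List, Optional, Tuple

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """4-round Feistel network over 16-byte blocks with a SHA-256 keyed round function.
    Stand-in for the session cipher. A Feistel network is a permutation whatever the
    round function is, so distinct cipher inputs never collide: the check below has
    no false positives."""

    def __init__(self, key: bytes):
        self.key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(self.key + bytes([rnd]) + half).digest()[: BLOCK // 2]

    def encrypt_block(self, block: bytes) -> bytes:
        left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
        for rnd in range(4):
            left, right = right, xor(left, self._f(rnd, right))
        return left + right


class CBCStream:
    """One direction of the session. `prev` is the chaining value: the IV at first,
    then always the last ciphertext block sent (the IV is not reset per packet)."""

    def __init__(self, cipher: ToyBlockCipher, iv: bytes):
        self.cipher = cipher
        self.iv = iv
        self.prev = iv
        self.wire: List[bytes] = []  # every ciphertext block, as the eavesdropper sees it

    def send(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0, "toy model: whole blocks only"
        out = []
        for k in range(0, len(plaintext), BLOCK):
            c = self.cipher.encrypt_block(xor(plaintext[k : k + BLOCK], self.prev))
            self.prev = c
            out.append(c)
        self.wire.extend(out)
        return b"".join(out)


def craft_probe(guess: bytes, c_prev_i: bytes, c_prev_j: bytes) -> bytes:
    """P_j = x XOR C_(i-1) XOR C_(j-1). If x == P_i then
    P_j XOR C_(j-1) == P_i XOR C_(i-1), so Encrypt() yields C_j == C_i."""
    return xor(xor(guess, c_prev_i), c_prev_j)


def guess_is_correct(stream: CBCStream, i: int, guess: bytes) -> bool:
    """Attacker step: read C_(i-1), C_i and the current chaining value C_(j-1) off
    the wire, inject the probe as the client's next block, compare C_j with C_i.
    One probe answers one yes/no question about one whole block."""
    c_prev_i = stream.wire[i - 1] if i > 0 else stream.iv
    probe = craft_probe(guess, c_prev_i, stream.prev)
    c_j = stream.send(probe)  # this is the block fed to the ssh client's stdin
    return c_j == stream.wire[i]


def dictionary_attack(stream: CBCStream, i: int, candidates: List[bytes]) -> Optional[bytes]:
    for cand in candidates:
        if guess_is_correct(stream, i, cand):
            return cand
    return None


def stale_probe_fails(stream: CBCStream, i: int, secret: bytes) -> bool:
    """The practical constraint: the probe is bound to the C_(j-1) it was built from.
    If the client sends anything between the attacker reading C_(j-1) and injecting
    the probe, the chain has moved on and even the correct guess does not match."""
    c_prev_i = stream.wire[i - 1] if i > 0 else stream.iv
    probe = craft_probe(secret, c_prev_i, stream.prev)
    stream.send(b"ls -l /tmp\n".ljust(BLOCK, b"\0"))  # interleaved client traffic
    return stream.send(probe) != stream.wire[i]


def demo() -> Tuple[Optional[bytes], bool]:
    key, iv = os.urandom(16), os.urandom(16)  # session key and IV: unknown to the attacker
    client = CBCStream(ToyBlockCipher(key), iv)
    secret = b"hunter2\n".ljust(BLOCK, b"\0")
    client.send(b"su -\n".ljust(BLOCK, b"\0"))  # block 0: ordinary command
    client.send(secret)                          # block 1: the password, P_1
    # Constructed wordlist; each guess is a complete 16-byte block.
    words = [b"letmein\n", b"changeme\n", b"hunter2\n", b"password\n"]
    found = dictionary_attack(client, 1, [w.ljust(BLOCK, b"\0") for w in words])
    return found, stale_probe_fails(client, 1, secret)


if __name__ == "__main__":
    found, stale = demo()
    print("recovered block:", found)
    print("stale probe fails:", stale)
```

Each probe costs one injected block and yields one bit, so the attack is only worth running against low-entropy blocks such as a typed password, and the attacker has to read the current chaining value and get the probe onto the client's stdin before the client sends anything else; both points are what the discussion above turns on.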
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 12:04:46 PST