On Thu, 7 Feb 2002, Olaf Kirch wrote:

> I understand the maths behind this, but I can't quite see a practical
> attack. If the attacker wants to guess a plaintext block P_i transmitted
> by the SSH client, he must feed his plaintext block P_(i+1) to the ssh
> client on standard input, so that it is properly encrypted and then
> transmitted. This implies a great deal of control over the client
> process (such as the ability to write to the client's standard input).

Well, in some cases, this might be possible. For example, when some
protocol is tunneled over ssh - irc, smtp, pop3, and so on, and so on.
Pretty common application. In many cases, a block of at least partially
sensitive information (private messages, mails, etc.) can be followed by
an attacker-induced block (irc ping responses, smtp return envelope,
whatever).

Of course, this usually does not apply to any interactive sessions - some
might argue that users are often predictable, e.g. always type 'ls' after
logging in, but...

> I don't say it's not a problem, but I think this is exaggerating things
> a bit.

That's a different thing ;-)

--
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security] [http://lcamtuf.coredump.cx]
<=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 13:55:55 PST