Re: [Curdle] [saag] Time for SSH3?
Theodore Ts'o <tytso@mit.edu> Wed, 20 December 2023 16:35 UTC
Date: Wed, 20 Dec 2023 11:35:01 -0500
From: Theodore Ts'o <tytso@mit.edu>
To: Derek Atkins <derek@ihtfp.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, saag <saag@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
Message-ID: <20231220163501.GB297455@mit.edu>
In-Reply-To: <30cd214d9666d142cd8987ead79d5b42.squirrel@mail.ihtfp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/BzpjvruIYsmSozLX99iuxqA-9vE>
On Wed, Dec 20, 2023 at 08:26:53AM -0500, Derek Atkins wrote:
>
> The attack here is pretty clever, but (at least currently) is fairly
> limited to Chacha/Poly and CBC-etm. The workaround is easy: don't
> use those methods, and use GCM or OCB methods.

Well, one of the algorithms in question is chacha20-poly1305@openssh.com,
which is the default for OpenSSH, which is why the preprint claims that
77% of all ssh connections are vulnerable.

Of course, it *also* requires a MITM attack, and if the attacker has MITM
capabilities, given that (a) SecureDNS isn't generally deployed, and (b)
most users can be tricked into accepting unknown keys' fingerprints, there
are probably easier ways to attack most users.

> I see no reason to throw out the whole protocol, including the
> decades of analysis and code reviews just because someone found an
> issue with a few added extensions.

In addition to the short-term fix of disabling the ciphers, there is also
an extension, strict key exchange, which will address the attack. It
requires that both the client and server be patched, but that's going to
be deployable much more quickly than a completely incompatible protocol
change that will take years to be fully deployed.

Moreover, if IETF tries to standardize a completely incompatible protocol
rewrite without close cooperation with the development team(s) of the
dominant implementation(s), the precedent of IPv6 taking **decades** to be
fully rolled out may be the more relevant comparison.

Cheers,

- Ted
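The two mitigations Ted describes (dropping the affected cipher/MAC combinations from the OpenSSH algorithm lists, and checking whether strict key exchange was negotiated by both sides) can be audited from configuration text alone. The following is an added example written for this archive page; it is not code from the thread or from OpenSSH. It assumes sshd_config-style `Ciphers`, `MACs` and `KexAlgorithms` lines, and it assumes the strict-kex marker names that OpenSSH 9.6 advertises in the KEX list (`kex-strict-c-v00@openssh.com` for clients, `kex-strict-s-v00@openssh.com` for servers). The sample configuration at the bottom is constructed.

```python
"""Audit an OpenSSH algorithm configuration for the combinations named in the
thread: chacha20-poly1305@openssh.com, and any CBC cipher paired with an
encrypt-then-MAC (-etm) MAC.  Also check whether a client and server KEX
list both carry the strict key exchange marker.

Added example; assumptions: sshd_config-style directives, and the OpenSSH 9.6
strict-kex pseudo-algorithm names listed below."""

import re

# The AEAD cipher the message says is OpenSSH's default and is affected.
VULNERABLE_AEAD = {"chacha20-poly1305@openssh.com"}

# Assumed strict key exchange markers (client side, server side).
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def parse_list(value):
    """Split a comma-separated algorithm list, dropping empty entries."""
    return [x.strip() for x in value.split(",") if x.strip()]


def is_cbc(cipher):
    return cipher.endswith("-cbc")


def is_etm(mac):
    return mac.endswith("-etm@openssh.com")


def affected_combinations(ciphers, macs):
    """Return (cipher, mac) pairs covered by the described attack.

    For the AEAD cipher the MAC list is irrelevant, so mac is None."""
    out = []
    for c in ciphers:
        if c in VULNERABLE_AEAD:
            out.append((c, None))
        elif is_cbc(c):
            out.extend((c, m) for m in macs if is_etm(m))
    return out


def harden(ciphers, macs):
    """Short-term fix from the thread: stop offering the affected modes.

    CBC ciphers are dropped outright rather than just their -etm pairing,
    which leaves CTR and the GCM AEAD ciphers; the MAC list is unchanged
    because it only matters for the remaining non-AEAD (CTR) ciphers."""
    kept = [c for c in ciphers if c not in VULNERABLE_AEAD and not is_cbc(c)]
    return kept, list(macs)


def parse_config(text):
    """Extract Ciphers / MACs / KexAlgorithms directives from config text."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(Ciphers|MACs|KexAlgorithms)\s+(\S+)", line, re.I)
        if m:
            settings[m.group(1).lower()] = parse_list(m.group(2))
    return settings


def strict_kex_negotiated(client_kex, server_kex):
    """Strict key exchange is in effect only when both peers advertise it."""
    return STRICT_KEX_CLIENT in client_kex and STRICT_KEX_SERVER in server_kex


def audit(text):
    """Return the affected pairs and a hardened Ciphers line for config text."""
    cfg = parse_config(text)
    ciphers = cfg.get("ciphers", [])
    macs = cfg.get("macs", [])
    affected = affected_combinations(ciphers, macs)
    kept, _ = harden(ciphers, macs)
    return affected, "Ciphers " + ",".join(kept)


# Constructed sample: a default-style cipher list plus a legacy CBC entry.
SAMPLE_SSHD_CONFIG = """
# constructed sample sshd_config fragment
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes256-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

if __name__ == "__main__":
    found, fixed = audit(SAMPLE_SSHD_CONFIG)
    for cipher, mac in found:
        print("affected:", cipher if mac is None else f"{cipher} with {mac}")
    print("suggested:", fixed)
```

Running the block prints the two affected entries from the sample (the ChaCha20-Poly1305 AEAD, and aes256-cbc with the -etm MAC) and a `Ciphers` line that keeps only aes128-ctr and aes256-gcm@openssh.com. The strict-kex check is deliberately a separate function, since it reflects what the two peers actually advertised in KEXINIT rather than anything in the configuration file.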