Re: [Curdle] [saag] Time for SSH3?
Derek Atkins <derek@ihtfp.com> Wed, 20 December 2023 13:27 UTC
Return-Path: <derek@ihtfp.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CACEC14CE3F; Wed, 20 Dec 2023 05:27:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iY-dUDVVVF5W; Wed, 20 Dec 2023 05:26:56 -0800 (PST)
Received: from mail.ihtfp.org (MAIL.IHTFP.ORG [204.107.200.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60D50C14F603; Wed, 20 Dec 2023 05:26:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.ihtfp.org (Postfix) with ESMTP id 1ACC2806C240; Wed, 20 Dec 2023 08:26:54 -0500 (EST)
Received: from mail.ihtfp.org ([127.0.0.1]) by localhost (mail.ihtfp.org [127.0.0.1]) (maiad, port 10024) with LMTP id 560961-06; Wed, 20 Dec 2023 08:26:54 -0500 (EST)
Received: by mail.ihtfp.org (Postfix, from userid 48) id E8E258095A01; Wed, 20 Dec 2023 08:26:53 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ihtfp.org E8E258095A01
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1703078813; bh=9vO2hGl3QJ/2Ri3LulLiwpXtMhTIhjhbIbJJggT6yj8=; h=In-Reply-To:References:Date:Subject:From:To:Cc:From; b=Xqj1u67m93mN/KVIvt26sCoUUgVl+uxtt61owwIq0cuGFRcL3W9pdH765qZaq42e3 R3AhJygMmyGcXKQsPwvEvHyfbqa5p3yqw82IbcbiHls6yeJ+nwzPZJsCvv9BOJkQ79 h1ko9AIHLuBeX9kj8zUX7Y1UEmnX8wRBFqoUiOnw=
Received: from 192.168.248.188 (SquirrelMail authenticated user warlord) by mail.ihtfp.org with HTTP; Wed, 20 Dec 2023 08:26:53 -0500
Message-ID: <30cd214d9666d142cd8987ead79d5b42.squirrel@mail.ihtfp.org>
In-Reply-To: <SY4PR01MB6251678A7FD714B5CDC26A8FEE96A@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <GVXPR07MB96789816DE49A02D46AC25628996A@GVXPR07MB9678.eurprd07.prod.outlook.com> <SY4PR01MB6251678A7FD714B5CDC26A8FEE96A@SY4PR01MB6251.ausprd01.prod.outlook.com>
Date: Wed, 20 Dec 2023 08:26:53 -0500
From: Derek Atkins <derek@ihtfp.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, saag <saag@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
User-Agent: SquirrelMail/1.4.23 [SVN]-6.fc34.20190710
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/CImU2hva8VRUUqeS4KKhE-UxhsU>
Subject: Re: [Curdle] [saag] Time for SSH3?
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2023 13:27:00 -0000
HI, I have to agree with Peter. The attack here is pretty clever, but (at least currently) is fairly limited to Chacha/Poly and CBC-etm. The workaround is easy: don't use those methods, and use GCM or OCB methods. I see no reason to throw out the whole protocol, including the decades of analysis and code reviews just because someone found an issue with a few added extensions. Now, if it turns out this can be extended, then we can re-open the discussion. -derek On Wed, December 20, 2023 6:35 am, Peter Gutmann wrote: > John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> writes: > >>SSH was just hit by a major vulnerability. > > Is it? It's more of a neat-trick attack [*], from a quick scan of the > paper > it only works if you implement one of two nonstandard modes invented by > the > OpenSSH guys, and then it only allows you to mess with extension packets, > of > which only server-sig-algs seems to be security-relevant. Even in that > case > it's hard to tell whether it's a real vuln or not (my code ignores this > packet > because in practice you can tell from the handshake algos used what > signature > algo to apply). > >>I strongly think the right future for SSH is to not do more patching and >>instead move to SSH3 > > Please, no! It's bad enough that the TLS folks decided to invent a > completely > new protocol breaking compatibility with all existing deployed systems so > you > now have to run two protocol stacks in parallel, doing the same thing for > SSH > when there's a simple fix available - don't use nonstandard mechanisms > that > one particular implementation invented - is completely unnecessary. > > In fact for the vast majority of legacy stuff out there which won't easily > be > able to move to any proposed SSHn+1 there's no fix necessary since they > never > supported the nonstandard OpenSSH modes in the first place. So it's the > very > rush to new! shiny! that caused the problem in the first place. > > Peter. > > [*] Not meant to disparage the work of the attack authors, it is a pretty > neat > trick :-). > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag > -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant
- [Curdle] Time for SSH3? John Mattsson
- Re: [Curdle] Time for SSH3? Ilari Liusvaara
- Re: [Curdle] Time for SSH3? Peter Gutmann
- Re: [Curdle] [saag] Time for SSH3? Derek Atkins
- Re: [Curdle] [saag] Time for SSH3? Eric Rescorla
- Re: [Curdle] [saag] Time for SSH3? Theodore Ts'o
- Re: [Curdle] [saag] Time for SSH3? Stephen Farrell
- Re: [Curdle] [saag] Time for SSH3? Dmitry Belyavsky
- Re: [Curdle] [saag] Time for SSH3? David Schinazi
- Re: [Curdle] [saag] Time for SSH3? Tim Hollebeek
- Re: [Curdle] [saag] Time for SSH3? Theodore Ts'o
- Re: [Curdle] [saag] Time for SSH3? Peter Gutmann
- Re: [Curdle] [saag] Time for SSH3? Peter Gutmann
- Re: [Curdle] [saag] Time for SSH3? Watson Ladd
- Re: [Curdle] Time for SSH3? Matt Johnston
- Re: [Curdle] Time for SSH3? Peter Gutmann
- Re: [Curdle] [saag] Time for SSH3? Paul Wouters
- Re: [Curdle] [saag] Time for SSH3? Peter Gutmann
- Re: [Curdle] [saag] Time for SSH3? Orie Steele
- Re: [Curdle] [saag] Time for SSH3? Theodore Ts'o