Re: [Curdle] Time for SSH3?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 20 December 2023 11:36 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, saag <saag@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
Date: Wed, 20 Dec 2023 11:35:52 +0000
Message-ID: <SY4PR01MB6251678A7FD714B5CDC26A8FEE96A@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <GVXPR07MB96789816DE49A02D46AC25628996A@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB96789816DE49A02D46AC25628996A@GVXPR07MB9678.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/ZCikx2ZqZdPtgg7iiSLjnfKFpHw>
Subject: Re: [Curdle] Time for SSH3?
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>

John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> writes:

>SSH was just hit by a major vulnerability.

Is it?  It's more of a neat-trick attack [*]; from a quick scan of the paper
it only works if you implement one of two nonstandard modes invented by the
OpenSSH guys, and then it only allows you to mess with extension packets, of
which only server-sig-algs seems to be security-relevant.  Even in that case
it's hard to tell whether it's a real vuln or not (my code ignores this packet
because in practice you can tell from the handshake algos used what signature
algo to apply).

>I strongly think the right future for SSH is to not do more patching and
>instead move to SSH3

Please, no!  It's bad enough that the TLS folks decided to invent a completely
new protocol breaking compatibility with all existing deployed systems so you
now have to run two protocol stacks in parallel; doing the same thing for SSH
when there's a simple fix available - don't use nonstandard mechanisms that
one particular implementation invented - is completely unnecessary.

In fact for the vast majority of legacy stuff out there which won't easily be
able to move to any proposed SSHn+1 there's no fix necessary since they never
supported the nonstandard OpenSSH modes in the first place.  So it's the very
rush to new! shiny! that caused the problem in the first place.

Peter.

[*] Not meant to disparage the work of the attack authors, it is a pretty neat
    trick :-).
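As an added illustration of the point made in the message above (example code written here, not from the message, from OpenSSH or from any other SSH implementation): it simulates the RFC 4253 algorithm negotiation for one direction and flags when the result is one of the two OpenSSH-specific modes, then applies the proposed fix of simply not offering them. Which two modes are meant is my identification (the @openssh.com ChaCha20-Poly1305 cipher, and CBC paired with an *-etm@openssh.com MAC); the message itself does not name them.

```python
from typing import NamedTuple, Optional

CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"

def negotiate(client: str, server: str) -> Optional[str]:
    """RFC 4253 section 7.1: the first name in the client's comma-separated
    list that the server also offers wins; None if the lists do not overlap."""
    offered = set(server.split(","))
    for name in client.split(","):
        if name in offered:
            return name
    return None

def is_openssh_specific_mode(cipher: str, mac: str) -> bool:
    """True for the two OpenSSH-specific modes the message alludes to (which ones
    they are is my identification, not stated in the message): the @openssh.com
    ChaCha20-Poly1305 AEAD, or a CBC cipher paired with an encrypt-then-MAC
    (*-etm@openssh.com) integrity algorithm."""
    if cipher == CHACHA:
        return True  # AEAD: the negotiated MAC name is not used at all
    return cipher.endswith("-cbc") and mac.endswith(ETM_SUFFIX)

class Outcome(NamedTuple):
    cipher: Optional[str]
    mac: Optional[str]
    openssh_specific: bool

def check_negotiation(client_ciphers: str, server_ciphers: str,
                      client_macs: str, server_macs: str) -> Outcome:
    """Simulate KEXINIT negotiation for one direction and report whether it
    lands on a mode the message calls nonstandard."""
    cipher = negotiate(client_ciphers, server_ciphers)
    mac = negotiate(client_macs, server_macs)
    if cipher is None or mac is None:
        return Outcome(cipher, mac, False)
    return Outcome(cipher, mac, is_openssh_specific_mode(cipher, mac))

def without_openssh_specific(ciphers: str, macs: str) -> tuple:
    """The fix the message proposes, applied to one side's offered lists: drop
    the OpenSSH-specific names so only standard modes can be negotiated."""
    keep_c = [c for c in ciphers.split(",") if c != CHACHA]
    keep_m = [m for m in macs.split(",") if not m.endswith(ETM_SUFFIX)]
    return ",".join(keep_c), ",".join(keep_m)
```

Run `check_negotiation` on the lists both peers actually send (each direction separately) to see which mode a given client/server pair ends up in before and after the lists are trimmed.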