Recovering 14 bits of data with the probability of 2^-14 should be exactly the same as guessing 14 bits at random, no? Perhaps one of the numbers here is off a bit?
Posted Nov 21, 2008 13:00 UTC (Fri) by jbh (subscriber, #494)
The difference is in the knowledge that the guess is right. Guessing 14 bits has a probability of 2^-14, but unless there's a weakness you have to brute-force the other 50 bits *for each guess* to find out if your guess is right. So recovering 14 bits is 2^64 units of work. (I'm assuming 64 bit key length.)
If on the other hand you can recover 14 bits in 2^14 units of work, you can crack the key in 2^50+2^14 steps, considerably lower than 2^64.
SSH plaintext recovery vulnerability
Posted Nov 21, 2008 23:32 UTC (Fri) by djm (subscriber, #11651)
Yes, the attack relies on the protocol's error behaviour to provide an "oracle" that verifies the guesses. However, this can't directly be used to recover keys - "just" plaintext that is sent over the SSH connection.