LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Strange SSH flaw raised by French porter

Strange SSH flaw raised by French porter

Posted Dec 15, 2010 6:15 UTC (Wed) by boog (subscriber, #30882)
Parent article: OpenBSD IPSEC backdoored?

Along similar lines, I remember a flaw in SSH reported by the French porter of the software who produced a version with a weaker cryptographic key to comply with French law at the time. I'm not competent to judge the reality of the problem, but he certainly thought it was a backdoor.

From:

ftp://ftp.nluug.nl/pub/metalab/docs/linux-doc-project/lin...

I often like to point out an incomprehensible weakness of the protocol concerning the "padding" (known as covered channel): in both version 1 and 2 the packets, have a length which is a multiple of 64 bits, and are padded with a random number. This is quite unusual and therefore sparing a classical fault that is well known in encrypting products: a "hidden" (or "subliminal") channel. Usually , we "pad" with a verified sequence as for example, give the value n for the byte rank n (self describing padding). In SSH, the sequence being (by definition) randomized, it cannot be checked. Consequently, it is possible that one of the parties communicating could pervert / compromise the communication for example used by a third party who is listening. One can also imagine a corrupted implementation unknown by the two parties (easy to realize on a product provided with only binaries as generally are commercial products). This can easily be done and in this case one only needs to "infect" the client or the server. To leave such an incredible fault in the protocol, even though it is universally known that the installation of a covered channel in an encryption product is THE classic and basic way to corrupt the communication, seems unbelievable to me . It can be interesting to read Bruce Schneier's remarks concerning the implementation of such elements in products influenced by government agencies. (http://www.counterpane.com/crypto-gram-9902.html#backdoors).

I will end this topic with the last bug I found during the portage of SSH to SSF (French version of SSH), it is in the coding of Unix versions before 1.2.25. The consequence was that the random generator produced ... predictable... results (this situation is regrettable in a cryptographic product, I won't go into the technical details but one could compromise a communication while simply eavesdropping). At the time SSH's development team had corrected the problem (only one line to modify), but curiously enough without sending any alert, not even a mention in the "changelog" of the product... one wouldn't have wanted it to be known, he wouldn't have acted differently. Of course there is no relationship with the link to the above article.

(Log in to post comments)

Strange SSH flaw raised by French porter

Posted Dec 15, 2010 12:41 UTC (Wed) by clump (subscriber, #27801) [Link]

I think you're illustrating the issues surrounding the SSH monoculture. There are very few alternatives to OpenSSH.

Strange SSH flaw raised by French porter

Posted Dec 15, 2010 15:24 UTC (Wed) by nix (subscriber, #2304) [Link]

Quite so.

"Error in complex cryptographic system -> conspiracy" is not exactly ironclad logic.

(I had no *idea* that there were so very many conspiracies around. There must be millions of them. Has anyone ever implemented *any* complex cryptographic system that didn't have at least one horrible flaw detected in hindsight? This is why Schneier, among others, no longer calls for better cryptography as the cure for all ills: when you get down to it any cryptosystem must be designed and implemented by human beings, and then deployed by others who know much less about the cryptosystem than the designers or implementors, and human beings make mistakes, or don't care, or have perverse incentives leading them to do a worse job than they might otherwise even absent conspiracy. So this is all a huge human-factors problem in the end, like virtually everything else.)

Strange SSH flaw raised by French porter

Posted Dec 16, 2010 8:28 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

There's a well-known alternative to the client: Putty:
http://www.chiark.greenend.org.uk/~sgtatham/putty/

I believe it is the most common client on win32. It is also works on Linux:
http://packages.debian.org/sid/putty-tools

As for the server: I know that dropbear is popular on embedded systems:
http://matt.ucc.asn.au/dropbear/dropbear.html

There are a number of other free implementations.

Strange SSH flaw raised by French porter

Posted Dec 16, 2010 20:47 UTC (Thu) by Comet (subscriber, #11646) [Link]

The version number cited and the description suggests that this relates to a port of the original SSH, not OpenSSH.

Strange SSH flaw raised by French porter

Posted Dec 16, 2010 3:44 UTC (Thu) by djm (subscriber, #11651) [Link]

That criticism applies to any protocol that uses non-determinism. By that logic, DH, CBC ciphers and anything that uses random challenges or nonces is flawed.

It only makes sense if the endpoints have no other way of leaking bits, which is not the case for the overwhelming majority of systems.

Strange SSH flaw raised by French porter

Posted Dec 17, 2010 12:05 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

Leaking bits on the same channel has advantages in convenience and discreetness. It's convenient because when you tap the channel (perhaps under cover of claiming you'll do traffic analysis) you get this leaked data without also needing to tap a separate channel.

It's discreet because a fairly competent analysis of the affected system will find a separate channel, an IPSec implementation that sends mysterious ICMP packets to an anycast address will cause the researcher to go look up who owns that anycast address, what it's for, what's in the ICMP packets, etc. Whereas if the data is just in some padding bytes that's not something you'd necessarily do more than glance at.

Also there have been weaknesses involving one of the parties in a two party protocol choosing a bad "random" challenge or nonce. The protocol will usually include a step to detect this and retry, which will be seamless unless bad guys are involved, but of course an implementation which does not check will appear to work - it's just not secure.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds