
SSH plaintext recovery vulnerability

Posted Nov 20, 2008 21:23 UTC (Thu) by liljencrantz (guest, #28458)
Parent article: SSH plaintext recovery vulnerability

Recovering 14 bits of data with a probability of 2^-14 should be exactly the same as guessing 14 bits at random, no? Perhaps one of the numbers here is off a bit?


SSH plaintext recovery vulnerability

Posted Nov 21, 2008 13:00 UTC (Fri) by jbh (subscriber, #494) [Link]

The difference is in the knowledge that the guess is right. Guessing 14 bits has a probability of 2^-14, but unless there's a weakness you have to brute-force the other 50 bits *for each guess* to find out if your guess is right. So recovering 14 bits is 2^64 units of work. (I'm assuming 64-bit key length.)

If on the other hand you can recover 14 bits in 2^14 units of work, you can crack the key in 2^50+2^14 steps, considerably lower than 2^64.
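The work-factor argument in the comment above can be made concrete with a small simulation. This is an added example, not code from the thread or from OpenSSH: it models a made-up secret split into a "front" part (the bits an oracle would confirm) and a "rest" part, with tiny sizes so that both searches finish instantly, and counts how many checks each strategy needs. The `work_bound` helper applies the same formula to the comment's own 14/50-bit split.

```python
from typing import Tuple

# Constructed toy model: a secret of front_bits + rest_bits bits.
# The attacker can always test a complete candidate against the real secret.
# The question is whether a partial oracle exists that confirms the front
# part on its own, which is what changes the work factor.


def split(secret: int, rest_bits: int) -> Tuple[int, int]:
    """Return the (front, rest) parts of the secret."""
    return secret >> rest_bits, secret & ((1 << rest_bits) - 1)


def work_without_oracle(secret: int, front_bits: int, rest_bits: int) -> int:
    """Only whole-secret checks are available. A front guess can neither be
    confirmed nor rejected until it has been paired with every rest value,
    so in the worst case all 2**(front_bits + rest_bits) candidates are
    checked. Returns the number of whole-secret checks performed."""
    checks = 0
    for candidate in range(1 << (front_bits + rest_bits)):
        checks += 1
        if candidate == secret:
            return checks
    raise ValueError("secret lies outside the modelled key space")


def work_with_oracle(secret: int, front_bits: int, rest_bits: int) -> Tuple[int, int]:
    """A partial oracle answers 'is this front part correct?'. The front part
    is found in at most 2**front_bits oracle queries, after which only the
    rest part remains to search: at most 2**rest_bits whole-secret checks.
    Returns (oracle_queries, whole_checks)."""
    true_front, _ = split(secret, rest_bits)
    oracle_queries = 0
    for front in range(1 << front_bits):
        oracle_queries += 1
        if front == true_front:  # the oracle confirms this guess
            break
    else:
        raise ValueError("secret lies outside the modelled key space")

    whole_checks = 0
    for rest in range(1 << rest_bits):
        whole_checks += 1
        if (front << rest_bits) | rest == secret:
            return oracle_queries, whole_checks
    raise ValueError("secret lies outside the modelled key space")


def work_bound(front_bits: int, rest_bits: int) -> Tuple[int, int]:
    """Worst-case work without and with a front-part oracle, as pure
    arithmetic: (2**(front+rest), 2**front + 2**rest)."""
    return (1 << (front_bits + rest_bits)), (1 << front_bits) + (1 << rest_bits)


if __name__ == "__main__":
    FRONT, REST = 4, 6
    worst_secret = (1 << (FRONT + REST)) - 1  # all ones: the last candidate tried
    print("without oracle:", work_without_oracle(worst_secret, FRONT, REST))
    print("with oracle (queries, checks):", work_with_oracle(worst_secret, FRONT, REST))
    print("comment's 14/50-bit split, worst case:", work_bound(14, 50))
```

With a 4-bit front and 6-bit rest the blind search needs 1024 checks in the worst case, while the oracle-assisted search needs 16 oracle queries plus 64 whole checks. The same arithmetic for a 14-bit front and 50-bit rest gives 2^64 against 2^50 + 2^14, which is the comparison made in the comment.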

SSH plaintext recovery vulnerability

Posted Nov 21, 2008 23:32 UTC (Fri) by djm (subscriber, #11651) [Link]

Yes, the attack relies on the protocol's error behaviour to provide an "oracle" that verifies the guesses. However, this can't directly be used to recover keys - "just" plaintext that is sent over the SSH connection.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds