W3C home > Mailing lists > Public > ietf-tls@w3.org > July to September 1996

Re: I-D ACTION:draft-ietf-tls-ssh-00.txt

From: <ma@pa.dec.com>
Date: Mon, 02 Sep 96 16:11:08 -0700
Message-Id: <9609022311.AA26208@torino.pa.dec.com>
To: ietf-tls@w3.org
Cc: Tatu Ylonen <ylo@ssh.fi>

The SSH protocol was mentioned a few times on this list. A pointer 
to the SSH Internet draft of June 13, 1996 was posted some time ago:
ftp://ds.internic.net/internet-drafts/draft-ietf-tls-ssh-00.txt

I recently read that Internet draft. As described, the SSH client 
authentication is flawed. If a client A is willing to talk to a server 
S1, then S1 can impersonate A in establishing a session with another 
server S2. Some details on this are below. 

The mistake in SSH seems to be fairly common; I spotted it in several 
protocols in the last few years. In summary, the mistake consists 
in not applying a digital signature to enough material to resolve 
ambiguities about the intended meaning of the signature. (Future 
protocol designers, beware.) It is not enough to use digital signatures 
for authentication---the right material must be signed. 

In SSH, the client signs the message SSH_MSG_HOSTAUTH, which is the 
analogue of the SSL message ClientVerify. Unfortunately, SSH_MSG_HOSTAUTH 
does not unambiguously identify the connection it is for. This problem 
should not be too hard to fix (cf. SSL's ClientVerify). Tatu Ylonen 
is thinking about it. 

The currently deployed implementation of SSH is based on an older 
specification. It may have weaknesses, but not this one; client authentication 
works differently. 

Martin Abadi 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some details on the attack, for any SSH experts:

Suppose that B is a server, A a client, and C wants to masquerade 
as A with respect to B. Suppose further that A is interested in having 
a session with C as server. I am going to write MESSAGE_TYPE(n) to 
show an instance of MESSAGE_TYPE. We can have the following message 
sequence: 

A -> C : SSH_MSG_KEXINIT(1)  /* A starts talking to C           */
C -> B : SSH_MSG_KEXINIT(1)  /* C forwards A's message to B     */
B -> C : SSH_MSG_KEXINIT(2)  /* B replies to C, including       */
                             /* a cookie Nb                     */
C -> A : SSH_MSG_KEXINIT(3)  /* C replies to A, with the server */
                             /* cookie Nb it got from B         */
B -> C : SSH_MSG_KEXRSA_HOSTKEY(1)                          
C -> A : SSH_MSG_KEXRSA_HOSTKEY(2)         
                             /* B and C show their respective   */
                             /*                    public keys  */               
A -> C : SSH_MSG_KEXRSA_SESSIONKEY(1)   
                             /* A sends a session key to C,     */
                             /* under C's public keys           */
C -> B : SSH_MSG_KEXRSA_SESSIONKEY(2)   
                             /* C sends a corresponding message */
                             /* to B                            */
                             /* after this point, everything is */
                             /* encrypted under session keys    */
                             /* which are both known to C       */
A -> C : SSH_MSG_HOSTAUTH(1) /* A signs A's name, A's cookie,   */     
                             /* and Nb                          */
C -> B : SSH_MSG_HOSTAUTH(1) /* C forwards A's signed message!  */
                             /* after reencrypting under the    */
                             /* appropriate session key         */

At this point, C has a connection with B, and a corresponding session 
key. B presumably believes that the connection is with A, because 
A has signed the server cookie that B generated. A is not confused. 
Received on Monday, 2 September 1996 19:20:40 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:51 EDT