Attacks Against SSH 1 And SSL 170
AndyR writes: "SecurityPortal has a very interesting article by Kurt Seifried in which he writes "dsniff 2.3 allows you to exploit several fundamental flaws in two extremely popular encryption protocols, SSL and SSH." He makes many very strong arguments about key validity and the problem with not having a trusted third party signing keys." Don't throw away SSH just yet, it's still a lot better than nothing.
Re:Encrypted key exchange (Score:1)
Re:Locks are to keep honest people honest (Score:1)
Credit card companies have fairly sophisticated fraud detection, as these things go, but never underestimate the ingenuity of criminals. It can be easy, but it usually isn't.
Real organized crime can sell the credit card numbers to trusted parties, who won't get caught spending, and they can get numbers from trusted sources. Put the two in a blender and you've got several apparently unconnected spates of fraud - with some common victims. Everything has been delivered to mail drops, it's pretty hard to chase, and much easier for the credit card companies to pass the "savings" along to you, the customer.
I've heard of many many people becoming the victims of card fraud. I've heard of relatively few - even scanning police blotters - who got caught for the same crimes. In between is a full percentage point above prime rate.
The number of people willing and able to exploit - and profit from - man-in-the-middle attacks is considerably fewer.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Lacking in Computer Security concept (Score:1)
Lacking of security mind cam be a major invulnerability indeed.
A lot of people has installed sshd to enable security telnet-replacement. It surprises me when I found that a lot of people enable BOTH Password authentication and RSA authentication.
Their rationale is that they want to have higher security in RSA, and convenience in password authentication. Say they setup RSA authenication between their client at home and server at work, but the same user can also login from some other machine with password in case the machine hasn't been setup for RSA connection.
In fact password authentication effectively breaks the RSA in this case. Why would the hacker bother to temper with the RSA while the system can be intruded by tempering with the weaker password authentication?
Say you've implmented a very secured physical key-lock on a door, but you also allow people open the door by entering keycode on the keypad in case people forgot to bring key to open the lock(it happens). Enable both password and RSA authentication in sshd is more or less the same thing.
Of course, it's a way to restrict a group of people using RSA and another group using password authen., but it makes no sense enable both of them for a user.
More worse, many people still enable both authen, regardless what what I recommended....Is that concept so hard to understand?
Re:a little work around (Score:1)
http://www.citi.umich.edu/projects/smartcard/ [umich.edu]
http://www.citi.umich.edu/projects/smartcard/ssh-
Re:So what does SSH2 do that makes it more secure (Score:1)
Beside, as the other guys said, they just haven't
spoof for ssh2 is just not available, YET.
Re:man in the middle is hard (Score:2)
Re:...and here's the rest (Score:1)
I tried the local two year olds, but they didn't seem to have attention span enough to wait for me to finish the problem, or they didn't understand the words I was using.
Tough luck. Next time, he should probably go for some better exaggerations.
Re:I fail to see how.... (Score:1)
Kurt's SSL article is wrong! (Score:3)
First, the technically useless. Every security product/protocol I am aware of is vulnerable to so-called social engineering attacks. That's their whole point! They go around the security perimeter and get "behind" the protection to get humans to give away information. It is certianly fair to analyze the ease to which some products/protocols facilitate this, but I didn't see much of that. Instead, the articles discuss a company called DigitalBond with a solution that perhaps is also vulnerable to social engineering attacks.
Now lets look at the technical attacks and claims, which are contained in the Sep 30th article. I'll only comment on the weaknesses he alleges are in SSL. His first claim is that you should not order from a store that uses the http GET method. He doesn't say why, and I cannot think of any reason. If the form is submitted with an SSL-secured action (action="https:...") then both are equally secure.
His next claim is that the user must inspect the certificate of the server every for every SSL connection. He does not say what attack he can mount if the user doesn't do this. I am guessing that he believes the man-in-the-middle can substitute his own certificates and appear to be legitimate. This is firstly not an attack on the SSL protocol, only perhaps on implementations, and secondly it does not work with the implentations I have tested, IE 5+ and Netscape 4.7+. These implementations verify that the hostname you asked the browser to connect to matches the hostname specified in the CN field of the certificate. Of course, you must trust that the CA will do some checking to make sure hostnames actualy belong to the entity getting the certificate, but that is way outside the scope of the SSL protocol. These "flaws" cannot be the basis for later claims of insecurities. These implementations do not rely entirely on having savvy users carefully inspect every certificate.
I'd like to check up on earlier broswer versions to see if they also behave similarly. I'd be particularly interested in browsers that were in play at the time the article was written, say fall of 1999.
--greg
Electrical work with the power on. (Score:2)
-russ
Re:...wanna tell us something we DON'T know, Kurt? (Score:1)
Printed means of distributing fingerprints should not be overlooked; you could include the fingerprint in small print in printed advertisements. Or perhaps a printed publication listing current correct fingerprints for major e-commerce sites; a "yellow pages" of the internet. It seems "backwards" but it solves a lot of problems. No, wait - I claim copyright on that idea!
Alternatively, a government-run key signing authority, that only signs keys requested by companies and requires signatures of the company owners/CEOs would be another way of dealing with this. Or perhaps a government "tree of trust" - with Governments able to issue signing keys to certificate authorities, with the proviso that if they are abused the company will be shut down, and the abusers hung, drawn and quartered.
Then you can be assured the signing authority is as good as the Government. Personally, in a world so corrupt that alcohol is legal and marijuana illegal, I still wouldn't trust it :-)
How about it, politics?
Re:Users are often the source of the problem (Score:1)
Real life vs. Network life (Score:1)
Last time I was at Bank of America they asked me to change my PIN# to one with 4 digits, instead of the usual max of 6 numbers. In the network world, you find administrators that configure systems to require more characters in a password than before, *never* less.
Take a look at Credit Cards. That's like: "I'm lazy, here's my login and password. Take only what you're supposed to." You try to tell a sysadmin that and he would flip out.
So yes, "real life" is a lot riskier. Why do we babble over our SSH bits-per-key, when in the real world we give our passwords away to the waitress?
-Justin
Re:This isn't as bad as it looks (Score:1)
So what does SSH2 do that makes it more secure ... (Score:1)
Kurt up to his usual tactics (Score:1)
"For example -- this is oversimplified but essentially correct -- user Alice wants to
talk to server Bob, and Charlie wants to snoop in on her session so he can read her
mail. Alice initiates a connection with Bob, Charlie sees this and intercepts it.
Charlie talks to Bob and pretends to be Alice; on the other side he talks to Alice
and pretends to be Bob. Alice sends her public key out, which Charlie intercepts;
Charlie then sends his own public key to Bob. Bob then sends his public key to
Alice, which is again intercepted by Charlie; Charlie sends his own public key on to
Alice. "
Yeah no kidding. Everyone has known this from the beginning. Can you please tell us something we DON'T know?
You have to check with the person who's site it is or the owner of the SSH server.
Get the fingerprint directly from them, then you won't have this problem. His little stupid analogy only works when you don't know the person's fingerprint.
So learn their fingerprint...duh.
SFS - DNS the way you want it (Score:3)
http://www.fs.net [fs.net]
Re:man in the middle is hard (Score:1)
So as of now I will wait for the next security based document pimping IPSec, Secure Tunneling, Diameter [diameter.org], SSH over SSL over Biometric based authentication, then point out the clueless (l)user who just did something stupid like use a protocol which doesn't provide any encyption down the strech.
Re:So what does SSH2 do that makes it more secure (Score:1)
Smthng
Re:Kurt's SSL article is wrong! (Score:1)
Well, if the store has ads served by a third party, when your browser gets the ad images it will send the third party the refering URL, which is the GET with all your info in it. I don't think this scenario is changed just because the refering page is https. This is a known privacy issue.
Re:Why do you think IPSec/DNSSEC will be better? (Score:1)
Get stunnel from stunnel.org, and you can SSLize lots of stuff.
ssh has too much stuff thrown into it, so it's harder to get right.
Link
Re:SSH + one time passwords? (Score:1)
Re:Ouch. (Score:2)
this is not a problem in ssl.
It is a very old, very well known attack approach, which both already guard against (that's what the 'host key changed' message is all about in ssh). If you see that message and haven't been notified (and sent a new key fingerprint to veryfy against by the admins), you *MUST* assume that a man-in-the-middle attack is being employed - it's what the message means!
Someone in the middle of your connection pretends to be the server to you, and pretends to be the client to your server. Poof, two valid connections, he forwards your data (he has it in plaintext, as he is your server), and you notice only one thing to tell you that something is amiss - that he *did't* know the right server key (ssh has caches it from previous connections to that server's IP, ssl can check the CA's notes about whose key it is) and had to send you a different one.
So your client warns you that the key has been changed. You need to get the key fingerprint from the server admin (out-of-band, not over the same potentially compromised network) and compare it to the one you recieved (you did do that when you first connected to the machine too, right? it should have come along with your account credentials, if not you needed to ask for it if you cared a bit about security) and make sure it matches the new print the server is offering.
to get a fingerprint for a host, use ssh-keygen -l -f
SSL is in a similar situation - the key bears the DNS name if the site it is for, and your browser will warn you if it recieves a key for the wrong site, or not signed by a recognized CA. You didn't turn those off did you? If not, then one or the other will come up when confronted with a man-in-the-middle attack (either he'll send a properly signed key, but not for the right site, or he'll have a forged and unsigned key for the site you were really going to) and you'll know what you're facing.
for ssl, if in doubt, click the little padlock in your browser, and read the key - see that it's for the site you think it is, and signed by a recognized CA.
If you don't use these tools correctly, you may as well not use them at all. Everything is in place to detect these attacks (which are not new), but if people simply ignore warning messages that indicate the presence of known attacks, there's not much else that can be done
Re:So when *should* it change? (Score:1)
what about VPN? (Score:1)
Re:Locks are to keep honest people honest (Score:3)
I disagree, the strength of your locks reflect your assessment of risk. If sufficiently valuable in the real world, locks are replaced with security guards and automatic rifles. Most people don't have anything that valuable, and find it more cost effective to place limits on their credit cards, check up on protection from their credit card companies and take up insurance policies.
If there were no banks and no insurance policies, would you, with your life savings under your mattress, still say that your locks are to keep honest people honest?
Besides, this SSH and SSL attack is very well documented, known and understood for a long time to be a limitation of the system. If your life savings are on the line, use callback, challenge response, or don't use remote logins at all.
Re:I don't get it (Score:1)
In which case they deserve whatever they get.
Re:...and here's the rest (Score:1)
My point exactly :-).
"A child of five would understand this. Send someone to fetch a child of five."
This isn't as bad as it looks (Score:4)
SSL is similar, but it is signed on the server side, usually not on the client.
This isn't anything new, it's just not there are publically available tools to exploit this.
Re:This isn't as bad as it looks (Score:4)
You most certainly do not need a certificate authority to trust the server on the other end. And for this article to imply that somehow SSH v2 is a solution is downright wrong.
If you're using SSH (either v1 or v2) to communicate with a server, and you want to avoid the man-in-the-middle attact described by the article, then you must be certain you're talking to to the server, and not to the man in the middle. The only way to do this is to be certain that the public key that you have for the server you want to talk to really is the public key for the server you want to talk to.
There are several ways to do this:
- You can copy the public key from the server using some secure method, such as copying it onto a floppy and transfering it to your machine using sneaker net, or transfering it through encrypted email
- You can copy the public key across the (possibly insecure) network, and verify that the key was not replaced in transit by verifying the key signature by some secure means (perhaps by getting on the telephone with an administrator of the other machine)
- Although I don't believe SSH directly supports it (someone will hopefully correct me if I'm wrong), the public key can be signed by some trusted third party. If you trust the thrid party, you can trust the key.
- or, you can simply allow SSH to transfer the public key across the insecure network, and when it asks "should I trust this key", you can simply answer "yes".
This last method, of course, is the only method that is vulnerable to the man in the middle attack described in the article. Unfortunatly, its also the default method used by most SSH users. Obviously, there are several ways to reliably transfer the public keys without using a signature by a certificate authority.It also can not be emphasised enough that a generic "certificate authority" by itself should not be considered a guarantee that you're talking to who you think you're talking to. Getting a signed certificate from a company like Verisign is not an insurmountable problem. Verisign is certainly reliable enough to trust with something like your credit card numbers -- credit card numbers are relatively inexpensive to replace if they're stolen, and stealing credit card numbers is painfully simple through many means much simpler than attacking Verisign. But I certainly wouldn't trust it for anything really important, unless I had absolutely no choice.
If you're using SSH (v1 or v2), or setting up a vpn, and you want to be reasonably certain you're not talking to a man in the middle, then nothing can replace coping the public key from machine in a known secure and reliable method. And if your client ever says "the signature of the server has changed. connect anyway (y/n)?" be very, very, very certain you know exactly what you're doing before you hit "y".
Re:what about VPN? (Score:2)
Well then, you'd lose your wager. OpenSSL has cert handling OK, but the SSH protocol can't use certificates directly
I did patch OpenSSH (version 1) a while ago so that it can use certificates if they are available via local files or an LDAP server, and am currently trying to get OpenSSH2 similarly able.
So there's hope yet
Pity... But: (Score:1)
Re:So when *should* it change? (Score:1)
Ouch. (Score:1)
Moz.
Re:Recommendations? (Score:1)
Re:So when *should* it change? (Score:2)
OpenSSH [openssh.com] supports SSH2 for free (beer and speech).
Re:So when *should* it change? (Score:1)
Re:Locks are to keep honest people honest (Score:1)
However, with online security, all too frequently, the people who are intercepting transmissions or forging them are quite intelligent (or have read the user docs for their script kiddie toy). Therefore it takes a little more then the standard protocols to insure a minimum level of safety.
No protocol is 100% safe. We accept that. Well, most of us
Oh well. Wonder how long it will be before the next "X isn't secure" story on
Kierthos
Re:So when *should* it change? (Score:1)
--
Re:I don't get it (Score:1)
SSL2 doesn't have client certificates; that's SSL3. The article says
To which the obvious answer is: pull your finger out and issue client certs to your users. If it's that important that you know who they are, then the effort must be worth it. This article is basically just an enormous troll.
Re:So what does SSH2 do that makes it more secure (Score:1)
Re:Interlock protocol is not applicable. (Score:1)
Re:Ehmz, no. (Score:1)
Re:Ehmz, no. (Score:1)
And how is he going to hack the router? The same way as he's hacking Bobs machine?
Re:So when *should* it change? (Score:1)
Most of our systems have the same ssh keys they had when we were running Debian 1.3, for example. The upgrade to OpenSSH which was in Debian 2.1 didn't change the keys. Motherboard and disk upgrades have not changed the keys.
Only YOU should be changing the keys.
Re:man in the middle is hard (Score:1)
Anyway, I've 'secured' this Windows box the same way you Linux boys always recommend doing it -- shutting off all services, no NBT (==no RPC), and no IIS. And I didn't need to read your sig to know not to run trojans, and lock down IE and not run as Administrator.
Meanwhile, RedHat keeps finding nice root holes in basic good ol' standbys such as LPD and BIND. I mean, Fucking A, look at the RedHat advisory list: modutils, pine, bash, nfs-util, ed(!)/vim/emacs/joe, PAM, 'usermode', traceroute, openldap, gpm, and so on. All bread-n-butter stuff in the Unix world, and still br0ken. (I won't even comment on the fact that the standard EDitor has a security hole.)
Oh yeah, but you know the Linux drill -- firewall, kill all the network services, don't allow interactive access. Sounds exactly as secure as Windows!
Re:So when *should* it change? (Score:1)
This is incredably stupid logic. What hacker who broke in wouldn't install a backdoor? And to brute force a SSH key would take literally three google (2^1024, or about 10^309) attempts at login for 1024 bit key. Any admin who didn't notice that deserves the death penalty for stupidity.
-David T. C.
SRP/Strong Password Protocols (Score:1)
Re:Ouch. (Score:1)
I didn't think the article was very groundbreaking or anything either but a good one to pass around the office to the technically challenged :)
But I did get a few things from the article. The above quote could result in a man in the middle attack if the "man" were able to get one of the known CA's to sign a cert for him with that hostname. As goofy as most CA's are, I don't see how difficult this could be.
It comes back to the eternal question of "who do you trust?". Do you know the registration policies of every CA in your netscape or IE database, or why those CA's are even in the database at all (eg, how were they picked)?
In a nutshell, I thought that this article was OK because I do believe in client and server certs which are issued by a common CA. If I were to buy something online and I at least knew who the CA was before I went to the secure side of the site, and had already been issued a client cert from the same CA and the browser asked me to pick one of one certs that match that environment, then I would feel as though that connection was much more secure than with only a server cert that I would more likely blindly trust because the url says https:// and the little lock icon is "locked".
Author comments (Score:2)
Some notes to slashdotters:
The article is long, why? Because I had to explain what SSL and SSH are, most people do not know how public key crypto/etc works. If I do not explain this trying to explain the security problems and why it's an issue would be pointless.
Before it was hard to attack SSL/SSH connections and do man in the middle. You'd have to write your own software or find some, which as a rule wasn't publically available (you could see it demo'ed at security conferences/etc but I don't remember anyone ever putting it up for anon ftp or on the web). Well now it is trivally easy to find, and the entry level for attacks just got a lot lower. Users should be aware of this.
Unfortunately I can't offer any really good solutions (go get software package foo and everything will be better). For now dsniff only does SSH1 attacks, so going to SSH2 should help (until somone modifies dsniff, as I point out in the article). How can you verify SSH keys, print out lists of key signatures and tape them to every workstation and teach users to verify them? Not likely. Ditto for SSL, how many of you actually look at the certs servers hand to you, and how many of you have clicked on OK or Continue when the cert is out of date or issued by a non trusted entity (i.e. a self signed cert).
Re:Encrypted key exchange (Score:1)
Re:man in the middle is hard (Score:1)
Re:So when *should* it change? (Score:1)
---
man sig
Re:ssh gives a warning if server key changes (Score:1)
- They don't show up the first time you connect to a new site
- When the warning appears, the user doesn't have any way of knowing whether or not the key change is legitimate, and most will simply ignore it, rendering it useless.
You can always write down host key fingerprints, but a system that depends on this kind of user vigilance for user security will never scale.The key should almost never change. (Score:2)
Been there, done that (this week). All the systems where I've changed out the sshd still have the same key. The key itself is stored in a separate file and isn't going to be affected by changing the binaries.
I just got through a few of those this week as well, and the systems still have the same key. Again, the key file is not part of the OS, and as such it isn't affected.
Okay, I haven't seen this one for a while, but I've still gone through it and had the key come through intact. IIRC, the most extreme case was switching a system from running on a sun4c machine to running on a macppc box. I moved the harddrive over, booted from CD, and installed the new binaries from there. When I rebooted from the harddrive, the machine came up with the same key.
The only case I've seen where the key changed was when a machine that wasn't important enough to back-up went down and was replaced with an entirely new machine. The only thing the new box had in common with the old one was the hostname.
Basically, you should only see key changes in extreme circumstances like that, and in the less extreme case of a CNAME changing to point to a different box, you would hope for some warning, too.
T. M. Pederson
"...and so the moral of the story is: Always Make Backups."
Re:Kurt up to his usual tactics (Score:1)
Re:So when *should* it change? (Score:1)
Some people like to change keys periodically (every 2 years or so) on the pretext that doing so limits the vunerability of having a host key brute-forced. (ie, it might be changed by the time the cracker broke it, or at least the cracker would be locked out eventually.) I don't like this, as it increases the complexity of using the software, and trains users to ignore key changes.
As other posters mentioned, ssh doesn't nicely deal with multiple meanchines all being referenced by the same DNS name. (It looks like the key changes, when you're really just getting a different machine.)
Does it matter? (Score:1)
Re:man in the middle is hard (Score:2)
OpenSSH helps here (Score:4)
There is also a project underway to allow OpenSSH to use keys distributed by DNSSEC.
This attack then comes back to user apathy (i.e not bothering to verify key fingerprints). An alternative (not yet implemented) is some form of PKI, which has its own problems (complexity, centralised trust, revocation issues).
Not a probelm for local nets (Score:3)
are perfectly secure. You can surely trust keys certificates that you generate yourself. As most of the dsniff tools rely on being on the same segment of ethernet, with careful key management they're not really a threat. Ever tried changing a ssh host key and then sshing into it ? You get the largest, scariest warning that makes you feel totally paranoid.
Also, if you are connecting to a server for the first time - fingerprints allow you to check the validity of the keys.
The problem is with connections to machines you can't personally validate, where DNS spoofing could be used, for example with e-commerce sites. But this is what CAs are for. So where's the problem (until a CA gets cracked that is
Re:This isn't as bad as it looks (Score:3)
Okay, these vulnerabilities have always existed and you could live with them because it was quite hard to exploit them.
However, as the author of the article points out, there is now a very convenient, easy to compile/install, almost 'off-the-shelf shrinkwrapped' set of applications that can do these kinds of things, which means the l33t 5(r1pt k1dd135 are probably going to find it a lot easier to use then before.
So that's why he writes the article, and I think he certainly has a point here.
Re:man in the middle is hard (Score:2)
...wanna tell us something we DON'T know, Kurt? (Score:4)
This is definitely FUD. The SSH documentation deals specifically with this issue. This is a good thing and SSH's handling of the situation is more secure than a central signing authority.
What he's basically advocating is removing the need for people to have secure methods for exchanging keys. Instead of having the chance of a "man-in-the-middle" attack during the first connection (which, if you've exchanged the fingerprint of the server with the admin of the server involved, is eliminated), he'd rather that we trust some other person with our security.
What if:
If any of these happen then your security is FUBAR. Bear in mind that the key could potentially be used to attack e-commerce sites, and is therefore pretty valuable. If the secret of the key being leaked is kept well enough, it is quite possible that no-one will ever find out - except for the odd sum of money missing from random credit cards worldwide.
Compare that to SSH, where upon connecting to the server, you are notified that you are connecting to an unknown host key, and it gives you its fingerprint to check against what you have recorded it should be. If the key ever changes, you are presented with a huge warning message saying that the host key has changed, and that a man in the middle attack may be in progress.
If you were using this commercially, you generally would be using SSH between two machines that you admin yourself, or between one that you admin and one that your peer's company admins, and you can verify the keys, set them up in each systems ssh_known_hosts file, and rest secure that you are not vulnerable to man-in-the-middle attacks.
Personally, I think he's trying to promote the idea that "security needs trusted arbitraries" to the corporate IT world - I wonder if Kurt Seifried has received any "donations" from any large key authorities recently?
Let's face it - if people use security that doesn't need key authorities, then they'll go away.
Every security system that uses a trusted authority is vulnerable to a purchase-key attack, and don't let anyone convince you otherwise!
Re:So when *should* it change? (Score:2)
This usually happens when a new version of the OS is installed on a given server, and the sysadmin is careless about not moving the contents of the SSH host key to the new server.
There are some protections against this attack. When the host key is changed, ssh for Unix gives you a warning that you would have to be blind to miss. If you want better protection than that, the best solution is to hack OpenSSH or what not to only accept a key with a given key fingerprint for a given IP. In other words, if the host key is changed, the hacked client will not connect to the host in question.
- Sam
ssh gives a warning if server key changes (Score:2)
Re:Ok, i'll bite.. (Score:2)
In your scheme, the following might occur:
- client: hey router, pass this package on to the server, will ya?
- evil router: OK (looks inside the package, finds a key request. Starts producing a fake key) Hey client, I just got this package from server. Any idea what's in it? Open it, quick!
- client: none of your biz! (turns side to router and opens package) Aah, finally, the keys from server! (encodes a package o'data) Hey router, pass this package on to the server, will'ya?
- evil router: Well, OK.
This would for instance mean that your ISP can still check out on you if you use SSH and if they desperately want to do so (government!).
It's... It's...
Re:Pity... But: (Score:2)
Go? I'm already there for the more secure stuff...
It all boils down to the concept of an `identity'. There is the identity that pays my enormous phone bills, one that writes this here and now, one that drives the car, another one that exists on my driving license, and a few GPG/PGP identities as well. Tying them all together into one is possible, but legally necessary. I think that's where the problem lies.
~Tim
--
Ehmz, no. (Score:3)
Bob : 245.345.0.20
Alice : 245.345.0.40
Charlie: 245.345.0.50
Now Alice wants on Bob's machine so he (Bob) opens up the firewall to allow Alice to access his server (don't forget; SSH isn't about encrypting and decrypting email, its a real time connection. And hey; if you need security and therefor use SSH but no firewall I think you're missing the point). Their keys get intercepted by Charlie. Charlie tries to access Bobs machine but is rejected by his firewall. Now what?
Re:...wanna tell us something we DON'T know, Kurt? (Score:4)
black is white. stop is go. SSH's handling of the situation is most certainly not more secure than a central signing authority.
he'd rather that we trust some other person with our security.
Look, the article was a tripey piece of crap, but it certainly never said that. The simple, basic fact that the article gave was this -- if you don't verify who you're talking to, then you haven't verified who you're talking to. Somehow, this dumbass managed to make an entire article out of that. And I read it, and got the ad impressions, and everything. I feel dirty.
For anyone who hasn't taken the time to read the article yet, or ever learn basic security stuff, let me boil it down: In every single system known to man or mathematics, to identify an entity X, you must trust something to say "method Y is an accurate method to identify X". Unfortunately, the default way to get get that identification method in SSH and SSL is fundementally flawed. If entity W has no way to identify X, but wants to talk to X for the very first time, W simply asks X "what is a question that only you can answer correctly, and by answering proves that you are X?" That leads to a false sense of security at best, because entity Z can step in front of X, and provide a false answer to the "how can I identify you?" question. Voila! Now, W is talking to Z, and since Z was presumably smart enough to supply a question it can answer, W will never know that its speaking to Z instead of X.
Most two year olds could come up with a half dozen solutions for this problem. Certificate Authorities (where, essentially, someone pays a third party to certify that the identification question is a valid one) are certainly one partial solution. Manually transmitting the identification question (usually in the form of public keys) on secure medium is another. Ignoring the problem, because its inconvenient to deal with, is another solution.
As many people have pointed out already, ignoring the problem is often the "good enough" thing to do anyhow, since intercepting SSH or SSL communications is still several orders of magnitude more difficult than other attack vectors. But saying a Certificate Authority is bad because you can be lulled into a false sense of security is kind of like saying "you should only do electrical work on your house with the power switched on, since switching the power off lulls you into a false sense of security." You're certainly still vulnerable to attacks to the Certificate Authority, in exactly the same way you can still be electrocuted even if you think the fuse box is off. But there are certainly many situations where the CA's are the least inexpensive and effective method to mitigate the most risk.
That man-in-the-middle attack doesn't work (Score:2)
The basic idea is to exchange session keys and verification data before a random public key. That way, the attacker can't substitute other public keys, because the attacker would have to be able to generate data based on information which has not yet been sent.
The article isn't actually talking about the described attack at all, but about spoofing servers. Identification of servers is a substantially different problem, and is a human-engineering one rather than a protocol one: what makes a server the one you are trying to connect to?
The attack is where the attacker wants to convince you that you're talking to the server you think you are by having you actually talk to that server, except that you are not talking directly. Most encrypted protocols do a good job of insuring that you are connected directly, over an encrypted channel to whatever it is you seem to be talking to. Whether the server you're talking directly to is the one you want to talk to is up to the user and other parts of the system.
Don't use SSH, use IPSec? Not! (Score:2)
TCP/IP and UDP provide no built-in encryption or authentication, and it will be a very long time before there is widespread use of IPSec.
IPSec isn't a solution either. Well, Bruce Schneier certainly doesn't think so, anyway. Check out this [counterpane.com] at Counterpane.
Sample quote:
We strongly discourage the use of IPsec in its current form for protection of any kind of valuable information, and hope that future iterations of the design will be improved. However, we even more strongly discourage any current alternatives, and recommend IPsec when the alternative is an insecure network. Such are the realities of the world.
Re:So when *should* it change? (Score:2)
Insurance (Score:3)
Why do we put locks on doors? To stop people walking in an stealing our stuff, So lets lock the windows, fair enough better security, people are less likely to break in that good. Fit an alarm?
So why not fit better locks? etc etc every upgrade costs money, and as it gets more expensive I get less return on my money. However this is completely ignoring one factor, insurance!
My SSL connection to buy a porn flick via my credit card... Hmm, how much do I care about it being broken.. well a thief just wants my number, my gf might be interested in my buying porn.
My GF does not have the skills to break the encryption, so SSL is secure. A thief, well so long as the Credit Card company pays up if someone else uses it I really don't care.
A tool should be fit for the job, SSL with real world insurance is seccure for credit cards, the day they don;t pay out, SSL falls!
James
Re:what about VPN? (Score:2)
I'll put my hand up in the air and admit I don't know much about SSH -- but SSL most certainly supports signed certificates on both ends: it's up to the server whether it requires a valid client certificate, up to the client whether it requires a valid server certificate. Try adding 'SSLVerifyClient require' to your Apache/Mod_SSL directory stanzas sometime.
Just because many deployed SSL applications choose not to use client certification (presumably because of the hassle for users of obtaining a client certificate) does not mean the protocol doesn't support it.
Actually I'll wager OpenSSH is able to require client certificates, since it is built on OpenSSL.
--
Re:This isn't as bad as it looks (Score:3)
Quite crappy article (Score:2)
That's the main problem. Key trnasfer. And this is the same problem as transferring and storing cypher books, passwords and many other things. In the rest SSH has shown that problems drop several orders of magnitude.
Now a problem. Why do I need a third party here? I need thrid parties only for a very specific set of problems. I can come to Alice and drop the key in her computer. Now in cases of extreme paranoidism I may ask a third party to do that job for me. For example, I know that Alice's Uncle is really angered for kicking his car. And I still remember what he said about me and Alice with that old rifle in my nose. But I do trust that Alice's Aunt will deliver her my diskette...
Other case is chenging info with a party I do know too much. For example a commercial transaction with some e-shop. We may use a third party we trust to process our transactions.
However, in these two cases we have a problem. We should trust the third parties. And the level of trust depends on how good I know them, if the channel between me and them is secure and what do I need them for. Interknowledge is something quite relative. We see many third parties in e-commerce and even don't know a thing about them. It does not matter too much if we just wanna buy a computer and we don't want our credit/debit card numbers being stollen. The problem of the channel gets up to the same level as Alice's problem. What if someone intercepts this "certificates" and keys? In the end, the need. Do I need them for e-commerce? Sure. For my local network. No thanks! Wanna come? Cool, where's the AK-47? It's our private property and no one has a damn to do here. I can myself run over the workstations and exchange the keys...
Besides there is a problem of centralization. Certifications are a form of centralization. What may happen when huge corps, states, mobs, large and small nets, individuals and computers will be tighten to such a thing? Forcing certifications over everything is the biggest error possible. That will break exactly the fundament of public key encryption, that each individual has the possibility to set its own key for private exchange of information. Such move will be the revival of such things like CLIPPER...
Re:Users are often the source of the problem (Score:2)
Locks are to keep honest people honest (Score:3)
Re:Pity... But: (Score:3)
Of course. I knew that.
But the article doesn't say anything new at all. I've long-since known about the possibility of interception, and when it comes to signed documents, the presence of a digital signature on a document, even one that matches someone else's signature, does not mean that that person wrote that document. (It means there exists at least one person out there who knows the private key password for that identity and/or chose to apply it to the document; if you go around signing things you didn't even write yourself willy-nilly, the whole concept loses any strength it had.)
Again, this is a luser-space problem. There is no security vulnerability in ssh that's been discovered, this is an "if you abuse it you'll lose it" article. Well woopie-doo.
~Tim
--
Re:Pity... But: (Score:2)
You should always double-check identity for yourself instead of taking someone's word for it. Anyone can ask Thawte or Verisign for a certificate; the money does not by security of identity for later transactions, unless you're a very gullible PHB, basically.
Oops, there goes "e-commerce", oh well.
This applies even more so to SSH, where you really must check the server's fingerprint before connecting. If that means phoning up the sysadmin remotely to confirm it, go ahead.
~Tim
--
Users are often the source of the problem (Score:2)
Sometimes it is the users, particularly those users with authority over you (like the ones who sign your paycheck). If they demand a service despite your protestations that the service in question compromises security, you are left with little choice but to provide the service knowing full well that it creates a security hole in your network, or look for a new job. In this case it is the user's fault, not the administrator's whose advice is being ignored or overridden.
That being said, you make an excellent point. The first thing anyone should do when building a new system is install ssh (including sshd) and disable telnet and ftp (on Linux/Unix: comment out the two entries in
As we've seen in this article, running ssh isn't a panacea, but it is a hell of a lot better than using no encryption at all
A Hybrid approach (Score:3)
The flexibility of the current approach could be maintained, with added levels of trust ranging from completely secure to completely open to "man-in-the-middle" attack.
There is still the possibility of abuse, however, as the "trusted third party" (particularly in the case of ISPs) could easilly be subverted by a law enforcement or spook agency into signing counterfeit keys. Indeed, they could legally be required to do so with legislation akin to the wiretapping laws requiring phone companies to provide technical facilities that facilitate evesdropping by law enforcement on demand.
just mitm (Score:5)
The interlock protocol, invented by ron rivest and adi shamir, has a good chance of foiling the man-in-the-middle attack. Here's how it works:
- Alice sends bob her public key.
- Bob sends alice his public key.
- Alice encryptions her message using bob's public key. She sends half of the encrypted message to bob.
- Bob encrypts his message using alice's public key. He sends half of the encrypted message to alice.
- Alice sends the other half of her encrypted message to bob.
- Bob puts the two halves of alice's message together and decrypts it with his private key. Bob sends the other half of his encrypted message to alice.
- Alice puts the two halves of bob's message together and decrypts it with her private key.
The improtant point is that half of the message is useless without the other half; it can't be decrypted. Bob cannot read any part of alice's message until step 6; Alice cannot read any part of bob's message until step 7. There are a number of ways to do this:- If the encryption algorithm is a block algorithm, half of each block (e.g., every other bit) could be sent in each half message.
- Decryption of the message could be dependent on an initialisation vector, which could be sent with the second half of the message.
- The first half of the message could be a one-way hash function of the encrypted message and the encrypted message itself could be the second half.
To see how this causes a problem for Mallory, let's review his attempt to subvert the protocol. He can still substitute his own public keys for alice's and bob's in steps 1 and 2. But now, when he intercepts half of alice's message in step 3, he cannot decrypt it with his private key and re-encrypt it with bob's public key. he must invent a totally new message and send half of it to bob. When he intercepts half of bob's message to alice in step 4, he has the same problem.Re:...wanna tell us something we DON'T know, Kurt? (Score:2)
I agree that the way CA's are generally used today, where often the only existing CA (VeriSign) is alone used in some kind of binary "trust/not trust" is almost insane. And for most of the traffic SSH is used for, methods of exchange are usually possible that are orders of magnitude more secure than trusting Verisign.
But for one of the most common types of encrypted traffic -- transmitting mostly non-sensitive information to e-commerce sites -- I think CA's are a fairly reasonable solution. If someone decides to steal my credit card numbers, Verisign is not the weak link. Getting on the phone to call a (potentially unreliable or corrupt) representitive of amazon.com to verify their server id is not likely to measurably improve the security of the transaction, and is almost certain not prevent me from losing anything of value (since my credit card numbers aren't worth that much to me anyhow -- I'd lose some time, but not money, if they were stolen, but I'd probably lose more time if I called every e-commerce site to verify the server id before placing an order). As long as people understand what the CA's are capable of doing, and what they're not capable of doing, I have no problem with them. It does seem that many people are confused about their capabilities, though.
dsniff 2.3 against SRP: anyone tested? (Score:2)
Re:what about VPN? (Score:2)
Basically as long as you are 100% sure who you are talking to on the other end your connection will be secure.
The problem comes from there being no way to be 100% sure who is on the other end without signed certificates on both ends. Since neither SSH or SSL use signed certificates on both ends they are potentially open to attack.
Re:Pity... But: (Score:2)
"On the Internet, no one knows you're a dog."
Just because I say I'm someone doesn't mean I am really that person. Just because I am using the PGP or SSH key of Joe Smith doesn't mean I am Joe Smith. Now, it's pretty likely that I am, but the possibility still exists that some 733t h4xx0r or script kiddie got them from Joe.
And there comes a point where too much security slows down the system. Hey, yeah, we could go to 4096-bit encryption, but what's the point?
Basically, it boils down to a couple points:
1) If you absolutely, positively don't want anyone else but the intended reader to see some private communication, hand it to them. No transmission media is 100% secure.
2) There comes a point where security paranoia limits efficiency. We're damn close to the paranoia limit.
Just my 2 shekels.
Kierthos
Re:a little work around (Score:2)
Information on burnable credit-card sizeed CD-ROMs is available at:
http://www.fadden.com/cdrfaq/faq07.html#[7-15] [fadden.com]
dsniff URL (Score:5)
http://www.monkey.org/~dugsong/dsniff/ [monkey.org]
Clever stuff...
--
Re:what about VPN? (Score:2)
For instance, what are the certification policies for your CA? How does he check that you really are who you say you are? How does he know that you manage the server you are requesting a certificate for? How does anyone else know that?
A VPN doesn't really help. Whenever you get authentication material from certificates there still remains the problem of identifying what entity is bound to that key, and what level of trust you should give to it.
The article doesn't really establish weaknesses in either SSL or SSH. It simply explores the problem of how to trust public keys -- which has been going on ever since PK systems were developed (think PGP, X.509, etc)
So when *should* it change? (Score:4)
I'm also pretty sure that rebooting the system isn't supposed to change the key. So what else is there that can legitimately change a key?
(And yes, I *did* try to RTFM. Checked the SSH specification, but that just says that hosts MUST have keys and MAY have multiple keys. STFW didn't help either; bunch of tech support announcements that some host somewhere was changing its key.)
Interlock protocol is not applicable. (Score:3)
Interlock only works if the actual communicating parties know they're interlocking. No attempt at automated interlock is going to work, because the MITM can separately spoof two separate interlocked conversations.
No, the correct answer is strong password protocols like SRP [stanford.edu] and B-SPEKE, as another poster has already observed ("Encrypted Key Exchange").
--
Mod this guy up - this is the Right Answer. (Score:2)
1. Decide which end you want to spoof - client or server
2. Choose a guess at the password
3. Do a protocol run.
3a. If you're pretending to be the client, try and log on using the password you've guessed.
3b. If you're pretending to be the server, somehow persuade the client to try and log onto you thinking you're the real server.
4a. If you guessed the password correctly, congratulations! You've successfully spoofed your way in.
4b. If you did not guess the password correctly, you lose! And you have learned *nothing* except that your guess was wrong.
5. If you want to have another guess, you'll have to return to step 1 and persuade the other end to play with you again. They may tire of this game before you do.
(Caveat. Password files have to be kept secret for this: compromise that and you can spoof the client into thinking your the server, while running a dictionary search against them on your supercomputers. Guard password files)
Strong password protocols are Right and Good and should be used everywhere that stronger authentication is not available. Remember to use key stretching on your passwords too.
--
Key stretching (Score:2)
--
Re:...wanna tell us something we DON'T know, Kurt? (Score:2)
If you use Open SSH and always check your key fingerprints, this is not an issue. Whenever I set up SSH on a new machine I copy the key fingerprint into my Handspring Visor. Then I can check it when I connect remotely. That eliminates the man-in-the-middle attack. This is not that hard to do, the SSH documentation talks about these things.
I prefer this to trusting a certificate authority (and probably having to PAY a certificate authority. Ugh.)
I do occasionally worry about using Putty SSH to connect from windows machines - somebody who broke into the Windows box could grab my password like that, but hey, you have to draw the line of paranoia somewhere. And CA's don't help at all for that problem anyway.
Torrey Hoffman (Azog)
Encrypted key exchange (Score:3)
Why are they not in widespread use? It might have something to do with the fact that (AFAIK) all these algorithms are patented. SRP is patented by Stanford but apparently they allow it to be used without licensing fees in free software.
Another problem is that these algorithms cannot be used with the existing password databases. Replacing critical components such as
----
Man-in-the-middle is not completely unavoidable (Score:3)
Not entirely true.
If you are using SSH to connect to a machine, the automated key exchange and authentication may be 'impossible' to do without being vulnerable to man-in-the-middle attacks. However, once you've logged in, compare the
man in the middle is hard (Score:3)
Authenticated (Score:2)
Certificates provide an attractive business model. They cost almost nothing to make, and if you can convince someone to buy a certificate each year for $5, that times the population of the Internet is a big yearly income. If you can convince someone to purchase a private CA and pay you afee for every certificate he issues, you're also in good shape. It's no wonder so many companies are trying to cash in on this potential market.With that much money at stake, it is also no wonder that almost all the literature and lobbying on the subject is produced by PKI vendors. And this literature leaves some pretty basic questions unanswered: What good are certificates anyway? Are they secure? For what?
Taken from a prior document written by Bruce Schneier which can be found here [securify.com].
Man in the middle attacks have been rampant for some time now so I don't know why anyone would use an article such as this for 'clarity's' sake where security is concerned. Sure it assists in dealing with issues and bringing them to light but when you need that much of a level of trust the easiest way to circumvent ANY man in the middle attack or any other form of an authentication issue can be achieved simpler via way of verifying a PGP key id over the phone before any trusted information is encrypted and sent down the wire using any key.
Would've made a nice longer post but Monday morning hangovers leave me feeling pissy
My Slashdot Spoof [antioffline.com]