Secure transport protocols all do some kind of handshake to set up a session, agree on keys, etc. Modern secure transport protocols (everything since SSL2) authenticate the handshake, so a MITM can't just edit the messages and, like, stick both sides on the NULL cipher (don't have a NULL cipher, though).

Ever since Kocher and SSL 3.0, the gold standard for handshake authentication has been to keep a transcript of all the handshake messages, and just hash them to fingerprint the entire handshake. You can look at Noise for a streamlined, slick version of the same concept.

SSH does something else: it looks at the handshake as a vehicle for setting up a DH-style key exchange; that's all it's for; everything else happens inside the secure transport that key exchange provides. So instead of doing a transcript hash, SSH picks out the handshake values that will end up being inputs to the key exchange, and hashes those.

The problem is: SSH also does implicit sequence numbers: receivers keep track of how many messages they've received, senders keep track of how many they've sent. Not only that, but SSH has (for reasons passing understanding) a NOP message (`IGNORE`). `IGNORE` carries no data used to do key generation, so it has no impact on the handshake authentication - but it does impact sequence numbers.

Result: MITM attackers can set sequence numbers to arbitrary values (by injecting `IGNORE`s in the handshake), and then edit out subsequent messages (by just not sending them). If you're using ChaPoly (and often if you're using CBC), the protocol will sync up and keep going. You can use this to, for instance, snipe out extension messages (for things like keystroke timing mitigation) from the beginning of an SSH session.

This is a pretty obvious problem! It's absolutely not something you can just accept from a secure transport protocol. And you could look at SSH and SSL3 and see "SSH is doing something really different and less sophisticated than SSL3". But it took until 2023 for someone to do the legwork to figure out how broken it was.

What a cool bit of research, and as you said in your other comment also an interesting bit of living history as well.
As far as mitigations and Noise, I've been tunneling all my SSH connections through WireGuard or Nebula anyway, primarily just because they're such easy, reliable ways to reach hosts behind NAT in a secure fashion, and while there is certainly overhead in putting SSH through something else, all the tunnels are fat and fast enough that for just console control it's been fine; haven't had to use mosh (does mosh have the same issue?). Even through Starlink it's never a problem.
But one does wonder a bit anyway with all the really old protocols at this point; just feels like there have been a lot of fundamental shifts in thinking around security (simplicity of implementations, not having lots of buttons and switches and flexibility, etc) such that there are less likely to be hidden bugbears now. There is more scrutiny not just day 1 but in the whole process of design.

Not that SSH isn't still important to fix, but I wonder if just tunneling everything is a decent default at this point. I use internal VPNs for everything management related but not air gapped at this point, not just external. But it's convenient, performant, and bypasses a lot of complexity in other layers. Maybe that's overkill or foolish doubling up?

This paper is the best protocol security research I've seen in a while.
1. Thankfully the consequences aren't too big - everyone should update ssh (which will be a pain!) - but it likely doesn't need to happen at breakneck pace. This issue isn't quite as serious as prior issues that impacted TLS/SSL.
2. That the SSH protocol lacked a robust transcript hash all along, this seems like a staggering decision, and even though I'd read the RFCs, I'd never put this together. Turns out it's to allow for injection of messages designed to defeat traffic analysis? Not the right way to do it.

The SSH handshake had been formally verified. But the researchers found non-obvious gaps between the environmental assumptions for the proofs and what is actually true in the real world. Formal verification is still the most comprehensive and exhaustive form of testing that we have, but gaps can really bite you. It is like relying on Pythagoras' theorem for a triangle, but then it turns out that your triangles are on the surface of a sphere, which isn't a plane. The math itself is right, but the environment
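The mechanism the first comment in the thread describes (an unauthenticated `IGNORE` that moves the sequence counter without touching SSH's exchange hash, versus a transcript hash that would have flagged it) can be modelled in a few dozen lines. The block below is an added toy simulation written for this page, not code from the thread, the paper, or any SSH implementation: the message names follow SSH, but the key, payloads and tag construction are constructed for illustration and are not the SSH wire protocol.

```python
"""Toy model of the design flaw described in the thread: an unauthenticated
IGNORE message advances the receiver's sequence counter without touching the
SSH-style exchange hash, so a later message can be dropped without the
receiver noticing. A transcript hash over every handshake message catches the
injection. Constructed for illustration; the message names follow SSH, but
this is not the SSH wire protocol, and the key and payloads are made up."""
import hashlib
import hmac

KEY = b"toy-session-key"  # assumed shared secret the key exchange produces

# Handshake as each peer would see it with no attacker present.
# Only KEXINIT and the DH values feed SSH's exchange hash; IGNORE never does.
HANDSHAKE = [
    ("client", "KEXINIT", b"client-algos"),
    ("server", "KEXINIT", b"server-algos"),
    ("client", "KEXDH_INIT", b"e"),
    ("server", "KEXDH_REPLY", b"f,hostkey,sig"),
    ("client", "NEWKEYS", b""),
    ("server", "NEWKEYS", b""),
]
KEX_INPUTS = {"KEXINIT", "KEXDH_INIT", "KEXDH_REPLY"}

# First messages under the new keys: the extension message, then data.
POST_HANDSHAKE = [
    ("server", "EXT_INFO", b"keystroke-timing-mitigation"),
    ("server", "DATA", b"welcome"),
]


def exchange_hash(msgs):
    """SSH style: hash only the values that are inputs to the key exchange."""
    h = hashlib.sha256()
    for _, mtype, payload in msgs:
        if mtype in KEX_INPUTS:
            h.update(mtype.encode() + payload)
    return h.digest()


def transcript_hash(msgs):
    """SSL3/Noise style: hash every handshake message, IGNORE included."""
    h = hashlib.sha256()
    for _, mtype, payload in msgs:
        h.update(mtype.encode() + payload)
    return h.digest()


def seal(seq, payload):
    """Integrity tag bound to the implicit sequence number, as ChaPoly/MAC modes do."""
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, "sha256").digest()


def run_session(auth, inject_ignore, drop_ext_info):
    """Simulate the server->client direction. Returns what the client ended up seeing."""
    hash_fn = transcript_hash if auth == "transcript" else exchange_hash
    server_view = list(HANDSHAKE)
    client_view = list(HANDSHAKE)
    if inject_ignore:
        # MITM inserts one IGNORE toward the client before NEWKEYS.
        client_view.insert(2, ("server", "IGNORE", b""))
    # The server signs its hash; the client recomputes over what it received.
    if hash_fn(client_view) != hash_fn(server_view):
        return {"handshake_ok": False, "delivered": [], "integrity_error": False}

    # Implicit sequence numbers: every packet counts, IGNORE included.
    server_send = sum(1 for src, _, _ in server_view if src == "server")
    client_recv = sum(1 for src, _, _ in client_view if src == "server")
    delivered, integrity_error = [], False
    for _, mtype, payload in POST_HANDSHAKE:
        tag = seal(server_send, payload)
        server_send += 1
        if drop_ext_info and mtype == "EXT_INFO":
            continue  # MITM silently withholds the packet
        if not hmac.compare_digest(tag, seal(client_recv, payload)):
            integrity_error = True  # counters out of step: the drop is noticed
            break
        client_recv += 1
        delivered.append(mtype)
    return {"handshake_ok": True, "delivered": delivered, "integrity_error": integrity_error}


if __name__ == "__main__":
    for auth in ("exchange_hash", "transcript"):
        print(auth, run_session(auth, inject_ignore=True, drop_ext_info=True))
```

Running it with `auth="exchange_hash"` and both the injection and the drop enabled, the handshake verifies, the client's counter has already been advanced by the `IGNORE`, and `DATA` arrives with a valid tag while `EXT_INFO` is simply gone; dropping without injecting, or injecting without dropping, leaves the counters out of step and the tag check fails, which is why the two have to be paired. With `auth="transcript"` the injected `IGNORE` changes the client's hash and the handshake fails before any keyed traffic flows. The defender-side reading is the same as the thread's: the receiver must either authenticate every handshake message or refuse to count unexpected ones during key exchange.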