Annotation of src/usr.bin/ssh/README.DEATTACK, Revision 1.1
1.1 ! dugsong 1: ============================================================================
! 2:
! 3: CORE SDI S.A.
! 4: Buenos Aires, Argentina
! 5: <http://www.core-sdi.com>
! 6:
! 7:
! 8: SSH insertion attack detection
! 9: ============================================================================
! 10:
! 11:
! 12: Crc32 Compensation attack detector
! 13: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
! 14: This document describes the scope and characteristics of the SSH CRC-32
! 15: compensation attack detector engine. It will inspect an encrypted SSH protocol
! 16: 1.5 stream for suspicious patterns. If either the server or client is under
! 17: attack, the detector closes the connection and logs the attack.
! 18:
! 19:
! 20: Attack characteristics
! 21: ~~~~~~~~~~~~~~~~~~~~~~
! 22: An attacker, with sniffing and spoofing capabilities on the SSH network stream, may perform an active network attack by constructing a packet using a
! 23: known cipher/plaintext pair and computing additional data to fill the packet
! 24: in a way that will produce a valid CRC-32 field and pass as a valid packet when
! 25: decrypted and integrity checked on the server side.
! 26: If the attack succeeds, arbitrary commands will get executed on the server.
! 27:
! 28: This attack doesn't affect the confidentiality of the
! 29: products using this protocol. However, integrity and authentication
! 30: of packets can no longer be trusted.
! 31:
! 32: Solution
! 33: ~~~~~~~~
! 34: This is not an implementation bug, but a protocol design vulnerability. The
! 35: protocol must be updated to use cryptographically strong message authentication
! 36: codes. SSH Protocol version 2 as published in [1] includes the use of a real
! 37: strong MAC.
! 38: However, this would require updating all clients and servers simultaneously
! 39: while disabling compatibility with protocol version 1.5. On many installations
! 40: this is not practical.
! 41:
! 42: A mid-term solution exists that will help protect the server from the
! 43: auth/integrity vulnerabilities. In most scenarios it will be enough to upgrade
! 44: only the servers.
! 45:
! 46: This approach is based on the fact that an attacker will need to exploit some
! 47: of the linear characteristics of the integrity function in order to implement
! 48: the attack. In that context, the constructed packets will follow certain
! 49: patterns that could be detected on the encrypted stream.
! 50:
! 51: This is not a general solution, but a countermeasure against a model of all
! 52: of the possible attacks that exploit these vulnerabilities.
! 53:
! 54: The provided patch looks for patterns of repeated ciphered blocks in
! 55: each SSH packet received. The performance loss in speed is less than 2% in an
! 56: uncompressed stream compared to an unpatched server. Memory usage increases
! 57: by about 8k per connection.
! 58: The chance of reporting a false attack in a 32GB file transfer is around
! 59: 1 in 2**51.
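
An added illustration of the repeated-block scan described above (a simplified sketch written for this page, not the code from deattack.c): it flags a packet when any two ciphertext blocks in it are identical. The 8-byte block size (64-bit block ciphers), the table size and every name below are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 8      /* assumed cipher block size in bytes */
#define SLOTS 1024   /* hash slots: power of two, at least 2x max blocks */
#define EMPTY 0xffff /* marks an unused slot */
enum { STREAM_OK = 0, STREAM_SUSPECT = 1, STREAM_BAD_LEN = 2 };

/* Ciphertext is close to uniform, so its first 4 bytes serve as the hash. */
static uint32_t slot_of(const unsigned char *b)
{
    uint32_t v;
    memcpy(&v, b, sizeof v);
    return v & (SLOTS - 1);
}

/* STREAM_SUSPECT if any two ciphertext blocks of one packet are identical. */
int detect_repeated_blocks(const unsigned char *buf, size_t len)
{
    uint16_t table[SLOTS];
    size_t nblocks = len / BLOCK, i;

    if (len == 0 || len % BLOCK != 0 || nblocks > SLOTS / 2)
        return STREAM_BAD_LEN;      /* not block-aligned, or too large to index */
    for (i = 0; i < SLOTS; i++)
        table[i] = EMPTY;
    for (i = 0; i < nblocks; i++) {
        const unsigned char *cur = buf + i * BLOCK;
        uint32_t s = slot_of(cur);
        /* Linear probing: compare with every earlier block in this chain. */
        while (table[s] != EMPTY) {
            if (memcmp(buf + table[s] * BLOCK, cur, BLOCK) == 0)
                return STREAM_SUSPECT;
            s = (s + 1) & (SLOTS - 1);
        }
        table[s] = (uint16_t)i;     /* remember this block's index */
    }
    return STREAM_OK;
}

int main(void)
{
    unsigned char pkt[32];          /* constructed sample, not real traffic */
    for (int i = 0; i < 32; i++) pkt[i] = (unsigned char)(i * 7 + 1);
    int before = detect_repeated_blocks(pkt, sizeof pkt);
    memcpy(pkt + 24, pkt + 8, BLOCK);   /* block 3 now repeats block 1 */
    return !(before == STREAM_OK && detect_repeated_blocks(pkt, sizeof pkt) == STREAM_SUSPECT);
}
```

A hash collision alone (same first four bytes, different remainder) does not raise a flag, because the full block is compared before reporting.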
! 60:
! 61: Contact information
! 62: ~~~~~~~~~~~~~~~~~~~
! 63:
! 64: These vulnerabilities were discovered by Ariel Futoransky
! 65: and Emiliano Kargieman.
! 66:
! 67: Comments and questions regarding this vulnerability and the fix
! 68: should be sent to:
! 69:
! 70: Ariel Futoransky <futo@core-sdi.com>
! 71: Emiliano Kargieman <ek@core-sdi.com>
! 72:
! 73: For more information about CORE SDI S.A. contact <core@core-sdi.com>
! 74: or visit <http://www.core-sdi.com>
! 75:
! 76: For more information about this problem and related ones visit:
! 77:
! 78: <http://www.core-sdi.com/ssh>
! 79:
! 80: You can contact CORE SDI S.A. at <corelabs@core-sdi.com> using the
! 81: following PGP key:
! 82:
! 96:
! 97: Copyright
! 98: ~~~~~~~~~
! 99:
! 100: This file, deattack.c and deattack.h are copyright (c) 1998
! 101: CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.
! 102: Redistribution and use in source and binary forms, with or without
! 103: modification, are permitted provided that this copyright notice is retained.
! 104:
! 105: THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES
! 106: ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,
! 107: INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING
! 108: FROM THE USE OR MISUSE OF THIS SOFTWARE.
! 109: