[fw-wiz] ssh holes? Trojans? [long]

Ben Nagy bnagy@sa.volante.com.au
Tue, 26 Sep 2000 15:08:46 +0930

> -----Original Message-----
> From: sean.kelly@lanston.com [mailto:sean.kelly@lanston.com]
> Sent: Tuesday, 26 September 2000 4:02 AM
> To: firewall-wizards@nfr.net
> Subject: RE: [fw-wiz] ssh holes? Trojans? [long]
> > From: Ben Nagy [mailto:bnagy@sa.volante.com.au]
> >
> > In summary, though, it's quite hard to do what you want. What you're
> > effectively trying to do is mount an active man-in-the-middle (MitM)
> > attack against the protocol. Sadly, the ephemeral keying in the SSH
> > transport layer is signed Diffie-Hellman, which is resistant to MitM.
> This got me thinking.  PGP supports the use of ADKs in its Diffie-Hellman
> keys (as the recent ADK bug hoopla would attest), could SSH do the same?
> I'm personally not a fan of ADKs but it would enable monitoring of an SSH
> session.

You could probably perform a major overhaul of the protocol to make some
ADK-like behaviour happen, yes. I don't think you'd get much support from
the community, though.

For example, if the SSH proxy knows the client's random number it can work
out all the keys by watching the wire. Thus a busted / escrowed random
sequence on the client could allow for snooping. Or whatever.

We're talking about a fundamentally different protocol though. With PGP
you encrypt a symmetric key with the RSA public key and send it to the
recipient - there's no negotiation of a shared secret - the secret is
unilaterally derived by the sender and included with the message. If you're
using ADKs you then ALSO encrypt the same symmetric key with the public key
of Eve (the eavesdropper).

With Diffie-Hellman and SSH the ephemeral keys that are used for content
encryption are derived interactively. I'm not a real crypto guy, so I can't
tell you for sure whether one of the DH parties can even force the resultant
keys into a weak group unilaterally, but I don't actually think so.

> Sean

So, in short, you could only do this by modifying the protocol or hacking up
a trojaned client - and if you're doing that there are much easier ways of
making the snooping work.

Background - Basic Diffie-Hellman

Ref: Schneier, Applied Crypto, Chapter 22.1

We get a big number, G, and a big prime P. There are known-good numbers to
use for G and P. The SSH drafts even have a mandatory G listed.

Alice wants to create a shared secret with Bob. Alice Just Makes Up a
number, which I'm calling A. Bob's Made Up Number is B.

Alice sends Bob ALICE, which is G^A mod P. Nobody can work out A unless they
can compute the discrete log of G^A mod P, which is hard.

Bob sends Alice BOB, which is G^B mod P. Ditto for stealing B.

Alice then works out BOB^A mod P. Bob gets ALICE^B mod P. These numbers are
both the same and work out to be G^AB mod P - that's our shared secret.

Note that this is an interactive protocol. I don't think Alice can force the
final result to be weak, because the discrete log problem is always at least
as hard as G^B mod P (even if Alice picks 1 for A). However, a weak A can
lead to an attacker computing A if they are watching the exchange, which
then breaks the protocol.

I'll leave the MitM attack against this basic protocol as an exercise. It's
easy - that's why SSH uses _signed_ Diffie-Hellman.

Sorry if that made no sense - I warned you, though.


Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520
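The basic exchange Ben walks through above, as an added Python illustration that is not part of his message. It uses the same names (G, P, A, B, ALICE, BOB), toy parameters chosen here for demonstration rather than a real SSH group, and adds the range check on the peer's public value that a careful implementation performs; the weak case at the end is the A = 1 choice mentioned in the text.

```python
import secrets

# Toy parameters (constructed for illustration, NOT a real DH group):
# P is the Mersenne prime 2**127 - 1, G is an arbitrary small generator.
# Real deployments use fixed, well-known groups such as those the SSH
# drafts list.
P = 2**127 - 1
G = 5

def make_up_number(P=P):
    """Alice's (or Bob's) secret exponent: a random number in [2, P-2]."""
    return 2 + secrets.randbelow(P - 3)

def public_value(secret, G=G, P=P):
    """ALICE = G^A mod P (or BOB = G^B mod P)."""
    return pow(G, secret, P)

def check_public_value(value, P=P):
    """Reject degenerate peer values: 0, 1 and P-1 force the shared
    secret into a trivial set no matter what our own exponent is."""
    if not 2 <= value <= P - 2:
        raise ValueError("degenerate Diffie-Hellman public value")
    return value

def shared_secret(peer_value, secret, P=P):
    """BOB^A mod P on Alice's side, ALICE^B mod P on Bob's side."""
    return pow(check_public_value(peer_value, P), secret, P)

def exchange(A=None, B=None):
    """Run one unauthenticated exchange. Returns (ALICE, BOB, Alice's
    secret, Bob's secret); exponents may be supplied to show weak choices."""
    A = make_up_number() if A is None else A
    B = make_up_number() if B is None else B
    ALICE = public_value(A)
    BOB = public_value(B)
    return ALICE, BOB, shared_secret(BOB, A), shared_secret(ALICE, B)

if __name__ == "__main__":
    ALICE, BOB, k_alice, k_bob = exchange()
    assert k_alice == k_bob
    print("shared secret agreed:", hex(k_alice)[:18], "...")
    # Weak exponent: A = 1 makes ALICE == G, so anyone watching the wire
    # knows A and the shared secret is simply BOB^1 mod P.
    ALICE, BOB, k_alice, k_bob = exchange(A=1)
    assert ALICE == G and k_alice == BOB
```

Nothing here authenticates either party, which is exactly the gap the "exercise" in the message points at; SSH closes it by signing the exchange with the host key.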