Understanding the Terrapin Attack Against SSH

posted by janrinok on Friday December 13, @01:40PM
from the work-in-progress dept.
Security

canopic jug writes:

A pseudonymous developer has begun a work in progress to describe the Terrapin attack against SSH servers for use later in coordinating mitigation efforts across SSH implementations. The Terrapin attack is a prefix truncation attack which breaks the integrity of SSH's secure channel during the initial connection handshake.

Terrapin operates by inserting an IGNORE message into one data stream (for ease of language, I'll write as if it's always the server->client one; that one is the higher-value target) during the cleartext phase, then dropping the first message sent by the server after encryption starts. (It has to be the first message, since the MACs include the sequence number; thus, not dropping the first message will cause its MAC to fail with overwhelming probability.) While the Terrapin paper mentions the possibility of injecting more than one IGNORE and dropping more than one initial message, it does not describe attempting that, probably because it would not be useful against the implementations they were working with.

From a theoretical point of view, this breaks the BPP's intent to provide integrity protection, since the supposedly-protected data stream seen by one peer differs from that seen by the other, without the BPP's checks raising any alarm.

Previously:
(2023) SSH Protects the World's Most Sensitive Networks. It Just Got a Lot Weaker

Related Stories

SSH Protects the World's Most Sensitive Networks. It Just Got a Lot Weaker

upstart writes:

Novel Terrapin attack uses prefix truncation to downgrade the security of SSH channels:

Sometime around the start of 1995, an unknown person planted a password sniffer on the network backbone of Finland's Helsinki University of Technology (now known as Aalto University). Once in place, this piece of dedicated hardware surreptitiously inhaled thousands of user names and passwords before it was finally discovered. Some of the credentials belonged to employees of a company run by Tatu Ylönen, who was also a database researcher at the university.

The event proved to be seminal, not just for Ylönen's company but for the entire world. Until that point, people like Ylönen connected to networks using tools which implemented protocols such as Telnet, rlogin, rcp, and rsh. All of these transmitted passwords (and all other data) as plaintext, providing an endless stream of valuable information to sniffers. Ylönen, who at the time knew little about implementing strong cryptography in code, set out to develop the Secure Shell Protocol (SSH) in early 1995, about three months after the discovery of the password sniffer.

[...] Ylönen submitted SSH to the Internet Engineering Task Force in 1996, and it quickly became an almost ubiquitous tool for remotely connecting computers. Today, it's hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies.

[...] Now, nearly 30 years later, researchers have devised an attack with the potential to undermine, if not cripple, cryptographic SSH protections that the networking world takes for granted.

Named Terrapin, the new hack works only when an attacker has an active adversary-in-the-middle position on the connection between the admins and the network they remotely connect to. Also known as a man-in-the-middle or MitM attack, this occurs when an attacker secretly positioned between two parties intercepts communications and assumes the identity of both the recipient and the sender. This provides the ability to both intercept and to alter communications. While this position can be difficult for an attacker to achieve, it's one of the scenarios from which SSH was thought to have immunity.

    by quietus (6328) on Friday December 13, @02:50PM (#1385341) Journal

    Since 9.6 (released Dec 18 2023), OpenSSH has a security fix [openssh.com] for this attack.

    ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.

    While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user authentication from proceeding and results in a stuck connection.

    The most serious identified impact is that it lets a MITM delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernible impact to session secrecy or session integrity.

    OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange.

    Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol.

    Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack.

    More details of these changes are in the PROTOCOL file in the OpenSSH source distribution.
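To make the mechanism concrete, here is an added toy model (not code from the submission, the quoted developer, or the OpenSSH release notes) of the server-to-client BPP direction: it shows why an inserted cleartext packet plus one deleted encrypted packet passes the MAC check, and why each of the two strict KEX changes quoted above is enough on its own to catch it. The five-message handshake, the message names, and the HMAC-SHA-256 stand-in for the negotiated MAC are simplifications assumed here.

```python
import hashlib
import hmac
KEY = b"constructed-shared-mac-key"  # stand-in for the MAC key the key exchange negotiates

def mac(seq, payload):
    # BPP MACs cover the implicit 32-bit sequence number plus the packet itself.
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class Peer:
    """One end of one BPP direction; seq counts every packet, cleartext ones included."""
    def __init__(self, reject_extras=False, reset_seq=False):
        self.reject_extras, self.reset_seq = reject_extras, reset_seq  # strict KEX parts
        self.seq, self.encrypted = 0, False
    def _advance(self, msg):
        self.seq += 1
        if msg == "NEWKEYS":  # last cleartext packet in this direction
            self.encrypted = True
            if self.reset_seq:
                self.seq = 0  # strict KEX: counter restarts after each key exchange
    def send(self, msg):
        tag = mac(self.seq, msg.encode()) if self.encrypted else None
        self._advance(msg)
        return (msg, tag)
    def receive(self, pkt):
        msg, tag = pkt
        if self.encrypted:
            if not hmac.compare_digest(tag, mac(self.seq, msg.encode())):
                raise ConnectionError("MAC failure on " + msg)
        elif self.reject_extras and msg in ("IGNORE", "DEBUG"):
            raise ConnectionError("unexpected " + msg + " during key exchange")
        self._advance(msg)

def run(attack, reject_extras=False, reset_seq=False):
    """Server->client stream as seen past an in-path position; returns what the client accepts or why it disconnects."""
    server, client = Peer(reject_extras, reset_seq), Peer(reject_extras, reset_seq)
    wire, seen = [], []
    for msg in ("KEXINIT", "KEXDH_REPLY", "NEWKEYS", "EXT_INFO", "SERVICE_ACCEPT"):
        if attack and msg == "NEWKEYS":
            wire.append(("IGNORE", None))  # one extra cleartext packet inserted
        pkt = server.send(msg)
        if attack and msg == "EXT_INFO":
            continue  # the first encrypted packet is removed from the stream
        wire.append(pkt)
    try:
        for pkt in wire:
            client.receive(pkt)
            seen.append(pkt[0])
    except ConnectionError as exc:
        return "disconnected: " + str(exc)
    return "accepted: " + " ".join(seen)
```

Without strict KEX, run(True) shows the client accepting a stream that is missing EXT_INFO with no MAC error; with either reject_extras or reset_seq enabled the client disconnects instead.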

