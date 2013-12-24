from the work-in-progress dept.
A pseudonymous developer has begun a work in progress to describe the Terrapin attack against SSH servers, for use later in coordinating mitigation efforts across SSH implementations. The Terrapin attack is a prefix truncation attack which breaks the integrity of SSH's secure channel during the initial connection handshake.
Terrapin operates by inserting an IGNORE message into one data stream (for ease of language, I'll write as if it's always the server->client one; that one is the higher-value target) during the cleartext phase, then dropping the first message sent by the server after encryption starts. (It has to be the first message, since the MACs include the sequence number; thus, not dropping the first message will cause its MAC to fail with overwhelming probability.) While the Terrapin paper mentions the possibility of injecting more than one IGNORE and dropping more than one initial message, it does not describe attempting that, probably because it would not be useful against the implementations they were working with.

From a theoretical point of view, this breaks the BPP's intent to provide integrity protection, since the supposedly-protected data stream seen by one peer differs from that seen by the other, without the BPP's checks raising any alarm.
(2023) SSH Protects the World's Most Sensitive Networks. It Just Got a Lot Weaker
Sometime around the start of 1995, an unknown person planted a password sniffer on the network backbone of Finland's Helsinki University of Technology (now known as Aalto University). Once in place, this piece of dedicated hardware surreptitiously inhaled thousands of user names and passwords before it was finally discovered. Some of the credentials belonged to employees of a company run by Tatu Ylönen, who was also a database researcher at the university.
The event proved to be seminal, not just for Ylönen's company but for the entire world. Until that point, people like Ylönen connected to networks using tools which implemented protocols such as Telnet, rlogin, rcp, and rsh. All of these transmitted passwords (and all other data) as plaintext, providing an endless stream of valuable information to sniffers. Ylönen, who at the time knew little about implementing strong cryptography in code, set out to develop the Secure Shell Protocol (SSH) in early 1995, about three months after the discovery of the password sniffer.
[...] Ylönen submitted SSH to the Internet Engineering Task Force in 1996, and it quickly became an almost ubiquitous tool for remotely connecting computers. Today, it's hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies.
[...] Now, nearly 30 years later, researchers have devised an attack with the potential to undermine, if not cripple, cryptographic SSH protections that the networking world takes for granted.
Named Terrapin, the new hack works only when an attacker has an active adversary-in-the-middle position on the connection between the admins and the network they remotely connect to. Also known as a man-in-the-middle or MitM attack, this occurs when an attacker secretly positioned between two parties intercepts communications and assumes the identity of both the recipient and the sender. This provides the ability to both intercept and to alter communications. While this position can be difficult for an attacker to achieve, it's one of the scenarios from which SSH was thought to have immunity.
OpenSSH has a security fix
Since 9.6 (released Dec 18 2023), OpenSSH has a security fix [openssh.com] for this attack.
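To make concrete why the BPP's MAC check stays silent in the scenario the developer describes above, and why the OpenSSH 9.6 fix changes that, here is an added toy model (not code from the developer's write-up or from OpenSSH) of one direction of the Binary Packet Protocol: packets before NEWKEYS are cleartext, and every packet, cleartext or not, advances the sequence number the MAC covers. The mitigation modeled here (restart the sequence numbers after NEWKEYS and reject IGNORE during the handshake) is a simplified rendering of the "strict KEX" behaviour OpenSSH 9.6 adopted; the page itself only calls it a security fix. The key and message kinds are constructed.

```python
import hmac, hashlib

KEY = b"constructed-demo-key"  # constructed; real MAC keys are derived during KEX

def mac(seq, payload):
    # The BPP MAC covers the 32-bit sequence number and the packet payload.
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

def server_stream(strict_kex=False):
    """Server->client packets as the server sends them (cleartext until NEWKEYS)."""
    out, seq, encrypted = [], 0, False
    for kind in ("KEXINIT", "NEWKEYS", "EXT_INFO", "SERVICE_ACCEPT"):
        payload = kind.encode()
        out.append((kind, payload, mac(seq, payload) if encrypted else b""))
        seq += 1
        if kind == "NEWKEYS":
            encrypted = True
            if strict_kex:
                seq = 0  # strict KEX: both sides restart sequence numbers after NEWKEYS
    return out

def terrapin_manipulate(stream):
    """The manipulation the text describes: one cleartext IGNORE added, first encrypted message dropped."""
    i = [k for k, _, _ in stream].index("NEWKEYS")
    return stream[:i] + [("IGNORE", b"IGNORE", b"")] + [stream[i]] + stream[i + 2:]

class Client:
    def __init__(self, strict_kex=False):
        self.strict_kex, self.seq, self.encrypted, self.delivered = strict_kex, 0, False, []

    def receive(self, packet):
        kind, payload, tag = packet
        if self.encrypted and not hmac.compare_digest(tag, mac(self.seq, payload)):
            return "MAC_FAILURE"
        if not self.encrypted and self.strict_kex and kind == "IGNORE":
            return "UNEXPECTED_MESSAGE"  # strict KEX: no IGNORE during the handshake
        self.seq += 1  # every packet, cleartext or not, advances the receive counter
        self.delivered.append(kind)
        if kind == "NEWKEYS":
            self.encrypted = True
            if self.strict_kex:
                self.seq = 0
        return "OK"

def run(strict_kex, manipulated):
    """Returns (final status, messages the client accepted); stops at the first error."""
    client = Client(strict_kex)
    stream = server_stream(strict_kex)
    for packet in (terrapin_manipulate(stream) if manipulated else stream):
        status = client.receive(packet)
        if status != "OK":
            return status, client.delivered
    return "OK", client.delivered
```

Without the fix the injected IGNORE advances the client's counter by exactly the one step the dropped EXT_INFO would have, so SERVICE_ACCEPT's MAC verifies and the client never learns a message went missing; with the fix the handshake aborts at the IGNORE, and even a bare counter reset would make the later MAC fail.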