
OpenSSH's ssh-keysign weakness
3rd Jul 2002 [SBWID-5505]

	OpenSSH's ssh-keysign weakness


	OpenSSH, all releases; impact depends on the operating system


	Charles Hannum says:

	There are 3 problems we observed by inspection of OpenSSH's

	1) [Charles Hannum] Since no blinding is done on the RSA calculations,
	ssh-keysign is effectively a fairly efficient oracle for mounting a
	Kocher timing analysis attack on the host key(s).

	(Using OAEP padding -- per recent versions of PKCS1 -- would not only
	mitigate this better, but would also mitigate other RSA attacks.
	Unfortunately, this would require a change in the protocol.)

	2) [Bill Sommerfeld] There is a use-after-free bug; see:

	        if (valid_request(pw, host, &key, data, dlen) < 0)
	                fatal("not a valid request");

	        if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)


	(This has already been fixed in the main OpenSSH tree.)

	3) [Charles Hannum] The protection of host keys is not very good; to

	        key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
	        key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);

	Although current BSD systems are safe (because they do not permit
	PTRACE_ATTACH, et al, on processes that were ever set-id), this may
	permit direct reading of the host keys by users on other systems.


	see above comments
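Added illustration of the blinding that item 1 says ssh-keysign lacked; this is example code, not OpenSSH's, and the key, the function names and the toy parameters are constructed for the demonstration. It shows that multiplying the message by r^e for a fresh random r before the private-key exponentiation, then removing r afterwards, yields the same signature while keeping the value raised to the private exponent out of the requester's control, which is what a Kocher timing attack relies on.

```python
"""RSA signing with and without base blinding (constructed toy example)."""
import secrets
from math import gcd
from typing import Optional

# Constructed toy key: tiny primes for illustration only, real keys are
# 2048 bits or more.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent, e * d == 1 (mod phi)


def sign_unblinded(m: int, d: int = D, n: int = N) -> int:
    """Textbook signature: the exponentiation runs directly on the
    requester-chosen m, so its timing is a function of m and d."""
    return pow(m, d, n)


def sign_blinded(m: int, d: int = D, e: int = E, n: int = N,
                 r: Optional[int] = None) -> int:
    """Same signature, but the private exponentiation sees m * r^e for a
    random r the requester does not know.  r is a parameter only so the
    result can be checked deterministically; leave it None in practice."""
    if r is None:
        while True:
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:         # r must be invertible mod n
                break
    blinded = (m * pow(r, e, n)) % n   # m * r^e
    s_blinded = pow(blinded, d, n)     # (m * r^e)^d == m^d * r (mod n)
    return (s_blinded * pow(r, -1, n)) % n  # strip r to get m^d


def verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    """Public-key check: s^e == m (mod n)."""
    return pow(s, e, n) == m % n


if __name__ == "__main__":
    msg = 123456789
    assert sign_blinded(msg) == sign_unblinded(msg)
    print("blinded and unblinded signatures agree:", verify(msg, sign_blinded(msg)))
```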
