
Chink in encryption armor discovered

Tom Espiner ZDNet UK | May 19, 2009 8:09 AM PDT

Summary

An underlying design flaw in the widely used encryption protocol OpenSSH has been made public by researchers.
An underlying flaw in the widely used encryption protocol Open Secure Shell (OpenSSH) has been made public by researchers from Royal Holloway, University of London.

The flaw, which lies in version 4.7 of OpenSSH on Debian GNU/Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG).

An attacker has a 2^{-18} (that is, one in 262,144) chance of success. ISG lead professor Kenny Paterson told ZDNet UK last Monday that the flaw was more significant than previous vulnerabilities in OpenSSH.

"This is a design flaw in OpenSSH," said Paterson. "The other vulnerabilities have been more about coding errors."

According to Paterson, a man-in-the-middle attacker could sit on a network and grab blocks of encrypted text as they are sent from client to server. By re-transmitting the blocks to the server, an attacker can work out the first four bytes of corresponding plaintext. The attacker does this by counting how many bytes are sent before the server generates an error message and tears down the connection, then working backwards to deduce what was in the OpenSSH encryption field before encryption.

The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Paterson.

Paterson gave a talk on Monday at the IEEE Symposium on Security and Privacy in California to explain his group's research findings. The three ISG academics involved in the research were Paterson, Martin Albrecht and Gaven Watson.

This vulnerability was first made public in November 2008 by the UK Centre for the Protection of National Infrastructure (CPNI), although full details of the flaw were not then given. According to the CPNI advisory, the OpenSSH flaw could be mitigated by IT professionals using AES in counter mode (CTR) to encrypt, instead of cipher-block chaining mode (CBC).
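The mitigation in the CPNI advisory comes down to which names appear in the `Ciphers` directive of `sshd_config`. The following audit helper is an added example, not code from the article, the advisory or OpenSSH; the sample configs and the function names `ciphers_value` and `audit_ciphers` are constructed for illustration.

```python
import re

# CBC-mode cipher names end in "-cbc"; one legacy alias adds an "@domain" suffix.
CBC_RE = re.compile(r"-cbc(@[\w.-]+)?$", re.IGNORECASE)

# Constructed sample configs (not taken from the article).
WEAK = """\
# sshd_config excerpt
Protocol 2
Ciphers aes128-cbc,3des-cbc,aes256-ctr
"""
HARDENED = "Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n"


def ciphers_value(config_text):
    """Return the value of the first Ciphers directive, or None if absent.

    sshd keeps the first value it reads for a keyword, so later
    duplicates are ignored here as well.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # cipher names never contain '#'
        m = re.match(r"(?i)ciphers(?:\s*=\s*|\s+)(\S.*)$", line)
        if m:
            return m.group(1).strip()
    return None


def audit_ciphers(config_text):
    """Return (status, cbc_names) for the text of an sshd_config file."""
    value = ciphers_value(config_text)
    if value is None:
        # Compiled-in defaults apply; they differ by version (check `sshd -T`).
        return ("unset", [])
    prefix = value[0] if value[0] in "+-^" else ""
    names = [n.strip() for n in value[len(prefix):].split(",") if n.strip()]
    cbc = [n for n in names if CBC_RE.search(n)]
    if prefix == "-":
        # "-" removes the listed patterns from the default set.
        return ("default-modified", cbc)
    if cbc:
        return ("cbc-enabled", cbc)
    # "+" and "^" keep the default set, so the result depends on the version.
    return ("default-modified" if prefix else "ok", [])


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_ciphers(text))
```

A status of `unset` or `default-modified` means the effective list depends on the installed version's defaults, so it still needs checking on the host.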

Paterson said his group had worked with OpenSSH developers to mitigate the flaw, and that OpenSSH version 5.2 contained countermeasures.

"They've fixed [OpenSSH]; they've put countermeasures in place to stop our attack," said Paterson. "But the standard has not changed."

Paterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days. In addition, proprietary SSH vendors had been informed of the issue in advance, and had put countermeasures in their code. However, Paterson added that it always takes time for sysadmins to apply patches to servers and clients, no matter whether the software is open source or proprietary.

This article was originally posted on ZDNet UK.

Talkback Most Recent of 11 Talkback(s)

  • It's KINK! not *****!
    What's with everyone using the word ***** to
    describe a kink in armor?

    Unless of course this is a racial slur aimed at
    Chinese hackers. Maybe I should read the
    article before I comment.
    ncnsolutions@...
    20th May 2009
  • No, it's "c h i n k".
    Maybe you should look up the phrase before you comment. There is no such phrase as "kink in the armor". But I digress...
    cgadbois@...
    20th May 2009
  • check your dictionary?
    http://dictionary.reference.com/browse/chink

    (meaning 1 - "a crack, cleft, or fissure: a chink in a wall.")
    Kink is practically synonymous in the context, but there's absolutely nothing wrong with the word used in this article (just something wrong with the over-the-top racism filter on comments).

    Chink is more appropriate to the armour metaphor.
    exolon
    21st May 2009
  • See that! Even ZDNet thinks so
    It actually bleeped out C H I N K
    ncnsolutions@...
    20th May 2009
  • RE: ***** in encryption armor discovered
    Oh come on now! Do you also see little green men running around your home at night, how about monsters under your bed? You and the rest of the "politically correct police" see things where they don't exist. Get a life already and realize that ***** and kink may be interchangeable!
    Sirgwain
    20th May 2009
  • ***** is a proper word for gap or small hole.
    The word in question is *****. It is not a racial slur, it is a description of a gap or small hole.

    The whole problem with politically correct speech is that if politics is the art of compromise and one is already correct, there is no room for compromise. Therefore it is all politically wrong.
    zclayton2
    20th May 2009
  • RE: ***** in encryption armor discovered
    lol... it's part of the title and ZDNet censors it.
    ZDNET QUIT TRYING TO BE SO POLITICALLY CORRECT!
    Gosh, that's hilarious... I've seen it happen before on
    a ZDNet blog, but I don't remember what word.
    shadfurman
    20th May 2009
  • RE: ***** in encryption armor discovered
    OH MY GOD!! THEY FOUND A CH?NK IN ENCRYPTION ARMOUR!!!

    Sounds dangerous.........



    For the OpenSSH users wink
    Parassassin
    21st May 2009
  • not debian specific, worse...
    Article reads like this is a debian flaw. It is an openssh flaw, and per the original advisory, "We expect any RFC-compliant SSH implementation to be vulnerable to some form of the attack." So, probably an anyssh flaw.

    http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt



    johndoe9999
    21st May 2009
  • Uh, say what?
    "An underlying flaw in the widely used encryption protocol Open Secure Shell (OpenSSH) ..."

    There's no protocol called "Open Secure Shell". SSH is the protocol name, OpenSSH is an implementation. It's 2009 and we still don't have any tech journos who can write cogently about this kind of crap? Unreal.
    dddd_z
    21st May 2009
  • Thanks OpenBSD for fixing OpenSSH, for every OS!
    Thanks OpenBSD for putting together some countermeasures for those of us still using Debian with an old version of OpenSSH!

    Nice to see OpenBSD do this, even though the [IETF?] hasn't changed the 'standards' flaw(s) in those RFCs.

    My $0.02.

    www.openssh.org
    y0wch
    16th Jul 2009
