TweakTown
Tech content trusted by users in North America and around the world
5,683 Reviews & Articles | 36,171 News Posts
Weekly Giveaway: Fractal Design Arc Cases Contest (Global Entry!)

Flaw in OpenSSH could compromise data

Insecurity strikes again

| Posted: May 20, 2009 1:40 pm

A critical flaw in the OpenSSH standard has been fully disclosed by a team of researchers at the Royal Holloway, University of London.

 

The flaw lays in the ability of an attacker for force certain parts of the encryption sequence into plain text. They can force up to 32 bit of text out into the clear. The chances of this are slim but are still there and represent vulnerability for any highly sensitive information or data.

 

The attack uses flaws in the RFC (request for comment) standard that makes up OpenSSH. This problem was first disclosed in November 2008 but not all the details were made public.

 

The issue can be protected against by using AES in CTR mode instead of CBC (Cipher-Block Chaining Mode). The flaw is open in OpenSSH 4.7, Version 5.2 introduces counter measures against the flaw but does not actually correct the flaw.

 


Read more here.

 

Flaw in OpenSSH could compromise data

 


According to Paterson, a man-in-the-middle attacker could sit on a network and grab blocks of encrypted text as they are sent from client to server. By retransmitting the blocks to the server, an attacker can work out the first four bytes of corresponding plaintext. The attacker can do this by counting how many bytes the attacker sends until the server generates an error message and tears down the connection, then working backward to deduce what was in the OpenSSH encryption field before encryption.

 

The attack relies on flaws in the RFC (Request for Comments) Internet standards that define SSH, said Paterson.

 

Paterson gave a talk on Monday at the IEEE Symposium on Security and Privacy in Oakland, Calif., to explain his group's research findings. The three ISG academics involved in the research were Paterson, Martin Albrecht, and Gaven Watson.

 

Related Tags

Further Reading: Read and find more news at our news index page.

Do you get our news RSS feed? Get It!

Post a Comment about this news

Latest Tech News Posts

View More News Posts

Latest Downloads

View More Latest Downloads

TweakTown Web Poll

Question: Did EA kill the Battlefield franchise with the terrible BF4 issues?

Yes, Battlefield is doomed

No, Battlefield will live on strong

I'm not sure, but I know EA needs to improve its game

or View the Results

View More Polls

Forum Activity

View More Forum Posts

Press Releases

View More Press Releases
Get TweakTown updates via Facebook!
Just click the "Like" button below