TweakTown
Tech content trusted by users in North America and around the world
6,141 Reviews & Articles | 39,479 News Posts
Weekly Giveaway: Win an Antec Case, PSU and Cooler (Global Entry!)

Flaw in OpenSSH could compromise data

Insecurity strikes again

| Posted: May 20, 2009 1:40 pm

A critical flaw in the OpenSSH standard has been fully disclosed by a team of researchers at the Royal Holloway, University of London.

 

The flaw lays in the ability of an attacker for force certain parts of the encryption sequence into plain text. They can force up to 32 bit of text out into the clear. The chances of this are slim but are still there and represent vulnerability for any highly sensitive information or data.

 

The attack uses flaws in the RFC (request for comment) standard that makes up OpenSSH. This problem was first disclosed in November 2008 but not all the details were made public.

 

The issue can be protected against by using AES in CTR mode instead of CBC (Cipher-Block Chaining Mode). The flaw is open in OpenSSH 4.7, Version 5.2 introduces counter measures against the flaw but does not actually correct the flaw.

 


Read more here.

 

Flaw in OpenSSH could compromise data

 


According to Paterson, a man-in-the-middle attacker could sit on a network and grab blocks of encrypted text as they are sent from client to server. By retransmitting the blocks to the server, an attacker can work out the first four bytes of corresponding plaintext. The attacker can do this by counting how many bytes the attacker sends until the server generates an error message and tears down the connection, then working backward to deduce what was in the OpenSSH encryption field before encryption.

 

The attack relies on flaws in the RFC (Request for Comments) Internet standards that define SSH, said Paterson.

 

Paterson gave a talk on Monday at the IEEE Symposium on Security and Privacy in Oakland, Calif., to explain his group's research findings. The three ISG academics involved in the research were Paterson, Martin Albrecht, and Gaven Watson.

 

Related Tags

Further Reading: Read and find more news at our news index page.

Do you get our news RSS feed? Get It!

Got an opinion on this news? Post a comment below!

Latest Tech News Posts

View More News Posts

Forum Activity

View More Forum Posts

Press Releases

View More Press Releases