Posted on 20/05/2009
A new study has revealed a security flaw within the network protocol SSH which could allow attackers to access sensitive data even though it is encrypted using state-of-the-art techniques. Professor Kenny Paterson, of the world-renowned Information Security Group (ISG) at Royal Holloway, University of London, presented the findings at the leading annual security conference, the IEEE Symposium on Security and Privacy in California, USA, on 18 May 2009.
Originally designed as a replacement for insecure remote login procedures such as rlogin and telnet, SSH was regarded as impenetrable. SSH aims to provide a secure channel between networked devices by encrypting and integrity-protecting data. SSH is widely used by system administrators to allow them to securely access remote systems and to transfer sensitive data across the Internet. OpenSSH is the leading SSH implementation, accounting for more than 80% of SSH implementations on the Internet.
Working with two PhD students from the ISG, Martin Albrecht and Gaven Watson, who is sponsored by BT Research, Professor Paterson and his team discovered a basic design flaw which opens up the possibility of limited plaintext recovery attacks against SSH. ‘It is amazing to think that a short e-mail from Kenny suggesting a paper I should take a look at resulted in us researching exactly how SSH is implemented and ultimately led us to finding attacks against SSH’, says Gaven Watson.
The team’s attacks against the OpenSSH implementation of SSH exploit subtle differences in the way in which the software reacts when it encounters errors during cryptographic processing. Professor Paterson comments, ‘While the attacks have low success probabilities, it should be kept in mind that SSH is regarded as being a bullet-proof protocol and is widely used to protect remote logins to sensitive systems. So it’s arguable that finding any chink in SSH’s armour represents a significant result’.
Paul Kearney, Chief Security Research Professional in BT’s Centre for Information and Security Systems Research, comments, ‘SSH is one of the main pillars of internet security, so it is vital that any vulnerability is picked up early and eradicated. Professor Paterson’s team are playing an important role in protecting the digital networked economy, and I’m delighted that BT’s sponsorship has enabled this work to be done. This is a great example of BT’s open innovation strategy in action’.
The ISG team worked with the UK’s Centre for Protection of National Infrastructure (CPNI) to disclose the attacks and ways of protecting systems against them. ‘Since our work had the potential of making an impact on real world implementations, we chose to do the responsible thing and contacted the CPNI’, explains Martin Albrecht. ‘They were very helpful in contacting SSH vendors and by now virtually every vendor out there has both acknowledged and addressed the vulnerability in a new release of its product. We couldn’t have covered so many corporate vendors without the help of the CPNI’.
At the end of February 2009, the OpenSSH team released a new version of their software – version 5.2 – containing several countermeasures to protect against the attacks, fixing the problems identified by the ISG team. Professor Paterson concludes, ‘The flaws that we found in SSH illustrate in a clear way the limitations that current theory has with respect to practice in the whole area of cryptographic protocol design. We need to develop better theory to help us study these kinds of attacks, and we need to develop better lines of communication to make sure that the theory gets translated into practice’.
Read the technical paper here: http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf