12 April 2001
Niels Provos talks about OpenSSH

SSH Background
- Unencrypted network traffic
  - Password sniffing (tools available, e.g. dsniff)
  - Command insertion
- Security with encryption
  - No deployable solution available in 1995 (SKIP and IPSEC in infancy)
  - Key exchange with RSA encryption in SSHv1
  - Host keys need to be configured on the client; man-in-the-middle attacks: dsniff
- Confidentiality: encryption with 3DES or Blowfish
- Integrity: no cryptographic message authentication, so insertion attacks are possible

OpenSSH History
- OpenBSD wanted to include SSH in the base system
- ssh.com license more restrictive every year
- OSSH from Björn Grönvall, based on ssh 1.2.12, the last free release
- OpenSSH created by OpenBSD developers
  - Based on OSSH
  - Replaced all crypto and GPL components with free software, mostly OpenSSL
  - Road trips to Canada
  - Completely free source base
- Improvements
  - SSH v1.5 protocol support (Markus Friedl), backwards compatible with SSH v1.3
  - Kerberos authentication
  - s/key one-time password authentication
  - Bug fixes
- First release in 1999 with OpenBSD 2.6
- Further improvement
  - Portable version created by Damien Miller, Philip Hands, etc.
  - SSH2 protocol support (Markus Friedl!)

SSHv1 and SSHv2 Differences
- SSHv1 protocol has security weaknesses
  - Poorly designed key exchange
  - No strong integrity protection
- IETF SecSH WG formed to design protocol v2 (the SSH name was already taken by the Site Security Handbook WG)
- Key exchange: authenticated Diffie-Hellman
- Authentication with DSA, now RSA too
- Key derivation for ciphers and MAC is sounder
- Cryptographic MAC (Message Authentication Code): message authentication with HMAC-SHA1

Diffie-Hellman Group Exchange
- Proposed by the OpenSSH project to improve key exchange
- Instead of using a fixed group, the server can send new groups to the client

Flexible Extensions
- Subsystems can be configured very easily
- sftp is a secure ftp client for SSHv2 that makes use of the subsystem feature
- It is a replacement for scp, though OpenSSH also runs scp over SSHv2

Recent SSH Security Issues
- CORE-SDI deattack
  - Deattack prevents insertion attacks in the SSHv1 protocol
  - Heap overflow, remotely exploitable
  - Fixed in OpenSSH four months before it was known to be exploitable
- Bleichenbacher RSA oracle: query a server to decrypt a session key
- Traffic analysis
  - Initial login password length can be guessed
  - Single keystrokes can be monitored
  - No echo means a user is typing a password

Scanning the Internet for SSH Servers
- This can be interesting (don't scan .mil sites; Oak Ridge wasn't too happy about it)
- Scanning since September 2000
- Scanning 2.4 million random addresses every two weeks
- Scanning from various hosts
  - The scanning creates back pressure
  - Can only scan a few times from one location
- Use of SSHv2 is growing, as is OpenSSH use (bigger share of the "marketplace")

Conclusion
- OpenSSH: http://www.openssh.com/
- ScanSSH: http://www.monkey.org/~provos/scanssh/
- People who have helped: Bob Beck, Aaron Campbell, Markus Friedl, Philip Hands, Damien Miller, Niels Provos, Theo de Raadt, Dug Song, Kevin Steves and many others
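The integrity difference the talk stresses (SSHv1 has no cryptographic MAC, SSHv2 authenticates every packet with HMAC-SHA1) can be illustrated with the SSHv2 packet framing and MAC construction from RFC 4253. This is an added example written for these notes, not code from the talk or from OpenSSH; the key and payload are constructed sample values.

```python
import hashlib
import hmac
import os
import struct


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame a payload as an SSHv2 binary packet (RFC 4253, section 6):
    uint32 packet_length || byte padding_length || payload || random padding.
    The packet is padded to a multiple of the cipher block size, with at
    least 4 bytes of padding."""
    padding_len = block_size - ((5 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_length = 1 + len(payload) + padding_len
    header = struct.pack(">IB", packet_length, padding_len)
    return header + payload + os.urandom(padding_len)


def compute_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """SSHv2 integrity tag (hmac-sha1): HMAC-SHA1 over the 32-bit packet
    sequence number followed by the unencrypted packet. Binding the sequence
    number means a packet captured at position 7 cannot simply be re-inserted
    as packet 8, which is exactly the insertion attack SSHv1 could not detect."""
    return hmac.new(key, struct.pack(">I", seq) + packet, hashlib.sha1).digest()


def verify_mac(key: bytes, seq: int, packet: bytes, tag: bytes) -> bool:
    """Receiver-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(compute_mac(key, seq, packet), tag)


def demo() -> dict:
    # Constructed sample values: in a real session the integrity key is
    # derived from the Diffie-Hellman shared secret during key exchange.
    key = b"\x01\x02\x03\x04" * 5
    packet = build_packet(b"\x5edata for channel 0")  # constructed payload
    tag = compute_mac(key, 7, packet)
    # Flip one payload bit, as an on-path modification would.
    tampered = packet[:6] + bytes([packet[6] ^ 0x01]) + packet[7:]
    return {
        "genuine": verify_mac(key, 7, packet, tag),
        "tampered": verify_mac(key, 7, tampered, tag),
        "replayed_out_of_order": verify_mac(key, 8, packet, tag),
        "aligned": len(packet) % 8 == 0 and packet[4] >= 4,
    }


if __name__ == "__main__":
    print(demo())
```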