Why doesn't SSH use the interlock protocol?


It seems the SSH designers cared a great deal about the man-in-the-middle attack.

Their approach was: save the server's public key fingerprint the first time you connect to the server (and hope the user doesn't connect from a poisoned network that first time, for instance if he has a virus on his computer). The user then uses the fingerprint to verify the server's public key the next time he connects to the server.

In practice, I found out that many users ignore warnings about unmatched fingerprints, and assume it's due to a server re-installation. They think a MITM attack is difficult to conduct and rare, so they never worry about it. Moreover, many times the user wants to use SSH from many different computers, and wouldn't bother importing fingerprints to every computer he might want to use SSH from (hey, can you check why the site is down, I'm panicked! I'm not in the office, I'll drop into the nearest internet cafe and have a look).

To be fair, one can use DNSSEC and use the DNS servers as a CA. But I never saw it used in practice. And anyhow, it's not a mandatory part of the protocol.

For many years I thought one cannot avoid MITM without a preshared secret, but then I've been reading Bruce Schneier's excellent "Practical Cryptography", and there he mentions the interlock protocol.

  1. Alice sends Bob her public key.
  2. Bob sends Alice his public key.
  3. Alice encrypts her message using Bob's public key. She sends half of the encrypted message to Bob.
  4. Bob encrypts his message using Alice's public key. He sends half of the encrypted message to Alice.
  5. Alice sends the other half of her encrypted message to Bob.
  6. Bob puts the two halves of Alice's message together and decrypts it with his private key. Bob sends the other half of his encrypted message to Alice.
  7. Alice puts the two halves of Bob's message together and decrypts it with her private key.

Now, Mallory has to send something to Bob in step (3) of the protocol, after he receives half of Alice's message, even though he can't decrypt it until he gets the other half from Alice in (5). So he must fabricate a message to Bob, and Bob will notice he's fabricating, say, after an ls of his home directory.

Why didn't SSH use such a scheme? It seems to fit its goals. It doesn't require any other entity, and it makes MITM attacks substantially more difficult.

Is it inherent? Is there a flaw in my understanding of the problem? Or did the designers think the security isn't worth complicating the protocol?

PS: if you think it would cause overhead, one can force users of the protocol to use interlock only for the first 10k of data in the connection; in practice it wouldn't matter much, but MITM would be more difficult, never less.

Update: the attack on the interlock protocol described here doesn't mean a MITM attack is possible; it means that if a single password is sent during the communication, the MITM can intercept it and the user will see a timeout error.

Update 2: the point Eugene raises is valid. The interlock protocol doesn't allow authentication. That is, you still can't be sure that if you're connecting to example.com, it is indeed example.com, and not malicious.com impersonating example.com. You can't know that for sure without, say, DNSSEC. For example, if you're SSHing into missile silos and write launch_missile -time now (without, say, using ls to verify the server is indeed the server in the missile silos), you might have written it on a malicious server, and the enemy would know you're about to launch missiles against him. This type of attack indeed won't be prevented by the interlock protocol.

However, if I understand the protocol correctly, a more dangerous attack, and a more practical attack, might be prevented. If the interlock protocol is used, even if you don't know example.com, it is impossible to MITM the SSH server and eavesdrop on the entire SSH session. I think this type of attack is more likely.

Maybe SSH doesn't care about MITM attacks? I think not; see for instance the PuTTY FAQ:

Those annoying host key prompts are the whole point of SSH. Without them, all the cryptographic technology SSH uses to secure the session is doing nothing more than making an attacker's job harder; instead of sitting between you and the server with a packet sniffer, the attacker must subvert a router and start modifying the packets going back and forth. But that's not much harder than sniffing; and without host key checking, it will go undetected by client or server.

He's talking about MITM attacks and not server authentication. I think using the interlock protocol would prevent the attack mentioned in the PuTTY FAQ, and I still don't understand why they didn't use it.
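The seven-step exchange described in the question, simulated in Python as an added illustration that is not code from the post or from any SSH implementation. The public-key scheme is textbook RSA with small constructed primes, and the message contents are made up. What the simulation shows is the ordering argument: an attacker who swapped both public keys holds only half of Alice's ciphertext at the moment he must commit to something for Bob, so what Bob decrypts is the attacker's guess; and also the limitation raised in the first update, that the attacker can still complete the exchange with Alice alone, read her message, and leave Bob's side to time out.

```python
"""Toy walk-through of the interlock protocol (steps 1-7 of the question) with
an active man in the middle who replaced both public keys with his own.
Added illustration, not code from the post: textbook RSA with small fixed
primes and PKCS#7-style padding, enough to show who can read what at each
step, not a cipher to reuse."""
from collections import namedtuple

E = 65537
PT_BLOCK, CT_BLOCK = 4, 5                # 4 plaintext bytes -> 5 ciphertext bytes
Half = namedtuple("Half", "part data")   # part 0: even ciphertext bytes, 1: odd


def _next_prime(n):
    """Smallest prime >= n by trial division (fine for n around 1e6)."""
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def keygen(start):
    """Toy RSA pair from two consecutive primes above `start` (constructed)."""
    p = _next_prime(start)
    q = _next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    assert n < 256 ** CT_BLOCK, "ciphertext block must fit in CT_BLOCK bytes"
    return (E, n), (pow(E, -1, phi), n)  # (public, private)


def encrypt(pub, msg):
    e, n = pub
    pad = PT_BLOCK - len(msg) % PT_BLOCK
    msg += bytes([pad]) * pad
    return b"".join(pow(int.from_bytes(msg[i:i + PT_BLOCK], "big"), e, n)
                    .to_bytes(CT_BLOCK, "big") for i in range(0, len(msg), PT_BLOCK))


def split(ct):
    """The two halves the protocol sends one at a time: every ciphertext block
    loses half its bytes, so a single half yields no plaintext."""
    return Half(0, ct[0::2]), Half(1, ct[1::2])


def decrypt(priv, halves):
    parts = {h.part: h.data for h in halves}
    if set(parts) != {0, 1}:
        raise ValueError("only half of every ciphertext block is present")
    ct = bytearray()
    for i, byte in enumerate(parts[0]):       # re-interleave even and odd bytes
        ct.append(byte)
        if i < len(parts[1]):
            ct.append(parts[1][i])
    d, n = priv
    pt = b"".join(pow(int.from_bytes(ct[i:i + CT_BLOCK], "big"), d, n)
                  .to_bytes(PT_BLOCK, "big") for i in range(0, len(ct), CT_BLOCK))
    return pt[:-pt[-1]]                       # strip padding


def honest_run(alice_msg, bob_msg):
    """Steps 1-7 with nobody in the middle: each side reads the other's message."""
    pub_a, priv_a = keygen(1_000_000)
    pub_b, priv_b = keygen(1_001_000)
    a1, a2 = split(encrypt(pub_b, alice_msg))   # step 3 sends a1, step 5 sends a2
    b1, b2 = split(encrypt(pub_a, bob_msg))     # step 4 sends b1, step 6 sends b2
    return decrypt(priv_b, [a1, a2]), decrypt(priv_a, [b1, b2])


def mitm_run(alice_msg, bob_msg, mallory_guess, fake_reply, relay_to_bob=True):
    """Mallory gave Bob his own key in step 1 and Alice his own key in step 2.
    Returns what Bob and Alice read, what Mallory learned, and whether he could
    read Alice's message before he had to commit to a message for Bob."""
    pub_a, priv_a = keygen(1_000_000)
    pub_b, priv_b = keygen(1_001_000)
    pub_m, priv_m = keygen(1_002_000)
    a1, a2 = split(encrypt(pub_m, alice_msg))   # Alice believes pub_m is Bob's
    try:                                        # step 3: Mallory holds a1 only
        decrypt(priv_m, [a1])
        read_before_commit = True
    except ValueError:
        read_before_commit = False
    # Bob is waiting, so Mallory must commit now: a guess under Bob's real key.
    g1, g2 = split(encrypt(pub_b, mallory_guess))
    b1, b2 = split(encrypt(pub_m, bob_msg))     # step 4: Bob answers "Alice" (pub_m)
    f1, f2 = split(encrypt(pub_a, fake_reply))  # ...and Mallory answers Alice
    learned_from_alice = decrypt(priv_m, [a1, a2])   # step 5: a2 arrives, too late
    # Steps 6-7.  If Mallory only wanted Alice's secret (the "Update" in the
    # question) he never completes Bob's side, and Bob simply times out.
    bob_got = decrypt(priv_b, [g1, g2]) if relay_to_bob else None
    learned_from_bob = decrypt(priv_m, [b1, b2]) if relay_to_bob else None
    return {"bob_got": bob_got,
            "alice_got": decrypt(priv_a, [f1, f2]),
            "mallory_learned": (learned_from_alice, learned_from_bob),
            "read_before_commit": read_before_commit}
```

Calling `honest_run(b"ls -la ~", b"Documents  Maildir  bin")` returns both messages intact. `mitm_run` with the same messages, a guess of `b"uptime"` and a fabricated reply reports `read_before_commit` as `False`, Bob reading the guess rather than Alice's command, and Mallory learning Alice's message only after Bob was already committed; with `relay_to_bob=False` Bob receives nothing, which is the password-capture-plus-timeout case the question's update describes. The halves are the even and odd bytes of the ciphertext, so each RSA block is incomplete on its own; the toy refuses to decrypt a lone half, where a real construction relies on the missing bits being infeasible to guess.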

I don't see how the interlock protocol prevents MITM.

The problem is not how to exchange keys, but how to trust them. As you correctly point out, people ignore warnings that keys don't match. That is the biggest flaw, and the protocol you describe doesn't solve the problem of verifying the key's origin. SSL uses X.509 certificates and PKI to verify trust. SSH can use certificates, but no SSH software supports them.
