SSH protects the worlds most sensitive networks. It just got a lot weaker

MESSING WITH SSH DATA STREAMS — SSH protects the worlds most sensitive networks. It just got a lot weaker Novel Terrapin attack uses prefix truncation to downgrade the security of SSH channels.

Dan Goodin – Dec 19, 2023 5:35 pm UTC Enlarge / Terrapin is coming for your data.Aurich Lawson | Getty Images reader comments 113

Sometime around the start of 1995, an unknown person planted a password sniffer on the network backbone of Finlands Helsinki University of Technology (now known as Aalto University). Once in place, this piece of dedicated hardware surreptitiously inhaled thousands of user names and passwords before it was finally discovered. Some of the credentials belonged to employees of a company run by Tatu Ylnen, who was also a database researcher at the university.

The event proved to be seminal, not just for Ylnen’s company but for the entire world. Until that point, people like Ylnen connected to networks using tools which implemented protocols such as Telnet, rlogin, rcp, and rsh. All of these transmitted passwords (and all other data) as plaintext, providing an endless stream of valuable information to sniffers. Ylnen, who at the time knew little about implementing strong cryptography in code, set out to develop the Secure Shell Protocol (SSH) in early 1995, about three months after the discovery of the password sniffer.

As one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as “public key encryption,” SSH quickly caught on around the world. Besides its unprecedented security guarantees, SSH was easy to install on a wide array of operating systems, including the myriad ones that powered the devices administrators usedand the servers those devices connected to remotely. SSH also supported X11 forwarding, which allowed users to run graphical applications on a remote server.

Ylnen submitted SSH to the Internet Engineering Taskforce in 1996, and it quickly became an almost ubiquitous tool for remotely connecting computers. Today, its hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies. Advertisement

Password sniffing attacks were very common at that time, with new incidents reported almost weekly, and arguably it was the biggest security problem on the Internet at the time, Ylnen wrote in an online interview. I did intend SSH to become as widely used as possible. It was critically needed for securing networks and computing systems, and it for the most part solved the password sniffing problem.

Now, nearly 30 years later, researchers have devised an attack with the potential to undermine, if not cripple, cryptographic SSH protections that the networking world takes for granted. Meet Terrapin

Named Terrapin, the new hack works only when an attacker has an active adversary-in-the middle position on the connection between the admins and the network they remotely connect to. Also known as a man-in-the-middle or MitM attack, this occurs when an attacker secretly positioned between two parties intercepts communications and assumes the identity of both the recipient and the sender. This provides the ability to both intercept and to alter communications. While this position can be difficult for an attacker to achieve, its one of the scenarios from which SSH was thought to have immunity.

For Terrapin to be viable, the connection it interferes with also must be secured by either “ChaCha20-Poly1305” or “CBC with Encrypt-then-MAC,” both of which are cipher modes added to the SSH protocol (in 2013 and 2012, respectively). A scan performed by the researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice.

At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshakethe earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can’t add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream. Page: 1 2 3 4 Next → reader comments 113 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Promoted Comments Skrillor That’s really ouchy, because that’s what I use everywhere. Argh. I don’t trust the other ECC curves because of the NSA fuckery (the magic numbers to construct the curves have been proven to be related, so it’s almost certain the NSA can break any of the NIST curves instantly), and I’ve been avoiding RSA because it’s old. Curve25519 was ideal: it has no ‘trust me’ numbers, works as a constant-time algorithm to make CPU sniffing harder, and is fast as heck. It’s not as fast as hardware-accelerated AES, but beats the crap out of pretty much any other algorithm implemented in software.

And now it has a huge hole. Argh.Hi there, Fabian Bumer (one of the authors) here. Do not confuse Curve25519 with ChaCha20-Poly1305, we only found weaknesses in the SSH implementation of the latter one. More technically speaking, Curve25519 is a key exchange algorithm while ChaCha20-Poly1305 is being used to encrypt and authenticate data transmitted over the secure channel. You can still use Curve25519 as you did previously. December 19, 2023 at 5:48 pm Skrillor So does this mean my fully patched servers are vulnerable unless I update my client software (e.g. PuTTY, MobaXterm, etc.) once it’s been patched? And does this mean that unpatched (or unpatchable) clients should not be used at all?Yes. This vulnerability is notoriously hard to patch because it resides deep within the specification. Strict key exchange makes incompatible changes to the message and sequence number handling and is, therefore, locked behind an indicator string. If and only if both peers signal support for strict key exchange, the countermeasure can take effect. December 19, 2023 at 6:02 pm Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars