nanog mailing list archives
Re: RSA Patent Expired
From: "Richard A. Steenbergen" <ras () e-gerbil net>
Date: Wed, 4 Oct 2000 23:39:44 -0400 (EDT)
On Wed, 4 Oct 2000, Frater M.A.Ch.H. 999 wrote:
That's fine and dandy, but the bugtraq exploit that you are pointing to in that link is, according to the bugtraq advisory, only applicable to ssh version 1.2.27. Other versions don't seem to be affected.
The crux of the problem is that the ssh1 protocol does not make use of cryptographically secure MACs (message authentication code), but instead relies on crc32 to provide integrity checks from insertion attacks. The problem with crc32 is it was designed to detect accidental data corruption but not to provide cryptographic verification of data integrity, so it is possible to "somewhat" easily create "different" data with the same crc32 value. Past version 1.2.27 code was added to detect someone doing this ("crc compensation"), so its not a real concern of vulnerability. But it is a theoretical design weakness, which is why MACs are used in ssh2. It is up to the admins to decide if running ssh2 is worth their time. Personally I run OpenSSH (now part of the default installation on [Free,Open]BSD) which supports both versions of the protocol much more seamlessly then the original ssh. Many people prefer ssh1, and keep in mind that some systems are ssh1 only, like the SSH available for Ciscos for example. But enough of this thread, everyone gets the point... :P -- Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/humble PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Current thread:
- RE: RSA Patent Expired Richard Welty (Oct 03)
- Re: RSA Patent Expired Bill Fumerola (Oct 03)
- <Possible follow-ups>
- RE: RSA Patent Expired Roeland M.J. Meyer (Oct 03)
- RE: RSA Patent Expired Richard A. Steenbergen (Oct 04)
- RE: RSA Patent Expired Enkhyl (Oct 04)
- RE: RSA Patent Expired Richard A. Steenbergen (Oct 04)
- Re: RSA Patent Expired Frater M.A.Ch.H. 999 (Oct 04)
- Re: RSA Patent Expired Richard A. Steenbergen (Oct 04)
- RE: RSA Patent Expired Enkhyl (Oct 04)
- RE: RSA Patent Expired Greg A. Woods (Oct 04)
- RE: RSA Patent Expired Joe Shaw (Oct 05)
- RE: RSA Patent Expired Joe Shaw (Oct 05)
- Re: RSA Patent Expired Bora Akyol (Oct 05)