[17063] in Kerberos_V5_Development
Re: Is a replay attack possible when using SSH2(or other protected
daemon@ATHENA.MIT.EDU (Henning Horst)
Fri Jul 22 16:43:21 2011
Message-ID: <4E29E0CF.1010202@derooter.org>
Date: Fri, 22 Jul 2011 22:42:55 +0200
From: Henning Horst <horst.h@derooter.org>
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOjusB=ZUJ2jAU3NV7OyZaA+himb8kpzmXJ=+qEVFoYEqQ@mail.gmail.com>
Cc: krbdev@mit.edu
Content-Type: multipart/mixed; boundary="===============0829803370=="
Errors-To: krbdev-bounces@mit.edu
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--===============0829803370==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="------------enig0AE91CA663097EAB18C5E16F"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig0AE91CA663097EAB18C5E16F
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Thanks Nico for your remarks, too !! I really appreciate these swift
responses from you guys!! Thanks again, and have a nice weekend as well!!=
Henning
On 07/22/2011 08:09 PM, Nico Williams wrote:
> No replay attack is possible against SSHv2 with gssapi-with-mic nor
> gssapi-keyex, not in SSHv2 itself. This is true regardless of whether
> the server uses a replay cache. The MIC token used serves to ensure
> this since it authenticates a quantity that is not fully under control
> of the client (nor the server), that being the SSHv2 session ID (which
> is derived from the SSHv2 key exchange and key exchange messages).
>
> However, if you do also use rsh or rlogin and don't require that the
> session be protected, then it could be possible to replay a Kerberos
> GSS excehange from SSHv2 in rsh/rlogin, but only if the attacker could
> get their hands on those context tokens. The only attacker that could
> do that is the client, and the client can always try a replay attack
> anyways, which are to be defeated via replay caching on the
> server-side.
>
> If you had nothing but SSHv2 services using the "host" service then
> you could technically forgo the replay cache altogether on the
> server-side because the way SSHv2 uses GSS is impervious to replays.
>
> Nico
> --
--------------enig0AE91CA663097EAB18C5E16F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJOKeDPAAoJEIie6vfnBxWxHq4QAI41+t5uh8kb7I20BOqUGbWm
C5W5ahxtcrSBKDPOs/FJo+pFgmaCTYULo920qcUywCYr9XkPyOg78nVlMrcd1suz
NqIjCemlds9lZ3Bl192cP3YtppNNJWsveOeOjmxOHRD1xAtRpvvGVh8gAlXuGJca
VNN54aHm1w42OvVM0ConCsRE2TMm5jvuGwi0UZqWDwLfQXmbF2l8yrKV/Q52uAn5
VfklRQx1tSzkakI0ySUYW3RuThCUyoYIlpeW89GglLBc9sBZn62u0u1wuBosp89H
rpomAP4SoUhfZpV1iB552IJ59sx6u7v1QbgQMaG6c0/HsUhDXX9WSMYviJ4cAJih
/qWqGhgzjv/E6Z7ONdLYzOm3fWzcOZTA4tru7SOeqwSK3BprYEdgKjHwmxFdFn/w
8yRxC7T2CwGXT/R5wgd1bWAIggz+L8qwoofWUuRFF3IBtQ5ijDssvUKL8SMTwIT6
65KDoDYyC4/2VcHbXrAVnjSYKS2JRMvC5xQsPRn3RIB8h3a55D6Mj6+C1ZyRvO+l
FdaGWTwG/mWySTZ4RWWFgZjkHPs9dgdebmzjMBm4hkc4wgtapcyWtPZAAoYgjxyG
H4Tq/IrVT/dr+5lZQk/KrKfsMhVzYueN20WSvEG9GOMdkQuTomYZSUP4UHJ7fxen
UKA7PwbeYQXPrQmfsjYn
=e39R
-----END PGP SIGNATURE-----
--------------enig0AE91CA663097EAB18C5E16F--
--===============0829803370==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
--===============0829803370==--
