This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Flaw found in SSH that might allow encrypted data to be accessed

Share this article:

Hackers may be able to access encrypted sensitive data due to a security flaw within the network protocol SSH.

 

Working with two PhD students from the Information Security Group, Martin Albrecht and Gaven Watson, Professor Kenny Paterson from Royal Holloway, University of London discovered a basic design flaw which opens up the possibility of limited plaintext recovery attacks against SSH.

 

It was previously believed that SSH was ‘regarded as impenetrable' as it aims to provide a secure channel between networked devices by encrypting and integrity-protecting data.

 

The team's attacks against the OpenSSH implementation of SSH exploits subtle differences in the way in which the software reacts when it encounters errors during cryptographic processing.

 

Professor Paterson said: “While the attacks have low success probabilities, it should be kept in mind that SSH is regarded as being a bullet-proof protocol and is widely used to protect remote logins to sensitive systems. So it's arguable that finding any chink in SSH's armour represents a significant result.

 

“The flaws that we found in SSH illustrate in a clear way the limitations that current theory has with respect to practice in the whole area of cryptographic protocol design. We need to develop better theory to help us study these kinds of attacks, and we need to develop better lines of communication to make sure that the theory gets translated into practice.”

 

Watson, who is sponsored by BT Research, said: “It is amazing to think that a short email from Kenny suggesting a paper I should take a look at, resulted in us researching exactly how SSH is implemented and ultimately led us to finding attacks against SSH.”

 

SSH is widely used by system administrators to allow them to securely access remote systems and to transfer sensitive data across the internet. OpenSSH is the leading SSH implementation, accounting for more than 80 per cent of SSH implementations on the internet.

 

Professor Paterson will present the findings at the IEEE Symposium on Security and Privacy in California, USA, on 18 May 2009.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

StubHub ticketing agency taken for a million pounds

StubHub ticketing agency taken for a million pounds

Police around the world have arrested seven people - thought to have tied into an international fraud ring - that allegedly defrauded the eBay-owned StubHub online ticketing service of around ...

DDoS attacks grow as first DIY kits emerge

DDoS attacks grow as first DIY kits emerge

The latest report from Akamai Technologies has revealed another increase in DDoS attacks and the resurgence of botnets to carry out server-based attacks.

WordPress plugin flaw opens blogs up to cybercriminals

WordPress plugin flaw opens blogs up to cybercriminals

A WordPress plugin called MailPoet - which has been downloaded around 1.7 million times - has placed large numbers of WordPress-based websites at risk of incursion.