This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Flaw found in SSH that might allow encrypted data to be accessed

Share this article:

Hackers may be able to access encrypted sensitive data due to a security flaw within the network protocol SSH.

 

Working with two PhD students from the Information Security Group, Martin Albrecht and Gaven Watson, Professor Kenny Paterson from Royal Holloway, University of London discovered a basic design flaw which opens up the possibility of limited plaintext recovery attacks against SSH.

 

It was previously believed that SSH was ‘regarded as impenetrable' as it aims to provide a secure channel between networked devices by encrypting and integrity-protecting data.

 

The team's attacks against the OpenSSH implementation of SSH exploits subtle differences in the way in which the software reacts when it encounters errors during cryptographic processing.

 

Professor Paterson said: “While the attacks have low success probabilities, it should be kept in mind that SSH is regarded as being a bullet-proof protocol and is widely used to protect remote logins to sensitive systems. So it's arguable that finding any chink in SSH's armour represents a significant result.

 

“The flaws that we found in SSH illustrate in a clear way the limitations that current theory has with respect to practice in the whole area of cryptographic protocol design. We need to develop better theory to help us study these kinds of attacks, and we need to develop better lines of communication to make sure that the theory gets translated into practice.”

 

Watson, who is sponsored by BT Research, said: “It is amazing to think that a short email from Kenny suggesting a paper I should take a look at, resulted in us researching exactly how SSH is implemented and ultimately led us to finding attacks against SSH.”

 

SSH is widely used by system administrators to allow them to securely access remote systems and to transfer sensitive data across the internet. OpenSSH is the leading SSH implementation, accounting for more than 80 per cent of SSH implementations on the internet.

 

Professor Paterson will present the findings at the IEEE Symposium on Security and Privacy in California, USA, on 18 May 2009.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Google and Facebook offer free cyber-security tools

Google and Facebook offer free cyber-security tools

Google and Facebook have both launched free open-source cyber-security tools this week, designed to help security professionals spot malware and cyber-attacks.

Mixed results for key Government cyber-initiatives

Mixed results for key Government cyber-initiatives

The Government's Verify scheme to confirm IDs is behind scheuduled uptake, but its CISP threat intelligence sharing scheme is ahead of target.

Hundreds of companies face 2,000 cyber-attacks in EU exercise

Hundreds of companies face 2,000 cyber-attacks in EU ...

The European Network and Information Security Agency (ENISA) conducted a 24-hour cyber-exercise in which more than 200 organisations from 25 EU member states faced virtual cyber-attacks from white hat hackers ...