This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Flaw found in SSH that might allow encrypted data to be accessed

Share this article:

Hackers may be able to access encrypted sensitive data due to a security flaw within the network protocol SSH.

 

Working with two PhD students from the Information Security Group, Martin Albrecht and Gaven Watson, Professor Kenny Paterson from Royal Holloway, University of London discovered a basic design flaw which opens up the possibility of limited plaintext recovery attacks against SSH.

 

It was previously believed that SSH was ‘regarded as impenetrable' as it aims to provide a secure channel between networked devices by encrypting and integrity-protecting data.

 

The team's attacks against the OpenSSH implementation of SSH exploits subtle differences in the way in which the software reacts when it encounters errors during cryptographic processing.

 

Professor Paterson said: “While the attacks have low success probabilities, it should be kept in mind that SSH is regarded as being a bullet-proof protocol and is widely used to protect remote logins to sensitive systems. So it's arguable that finding any chink in SSH's armour represents a significant result.

 

“The flaws that we found in SSH illustrate in a clear way the limitations that current theory has with respect to practice in the whole area of cryptographic protocol design. We need to develop better theory to help us study these kinds of attacks, and we need to develop better lines of communication to make sure that the theory gets translated into practice.”

 

Watson, who is sponsored by BT Research, said: “It is amazing to think that a short email from Kenny suggesting a paper I should take a look at, resulted in us researching exactly how SSH is implemented and ultimately led us to finding attacks against SSH.”

 

SSH is widely used by system administrators to allow them to securely access remote systems and to transfer sensitive data across the internet. OpenSSH is the leading SSH implementation, accounting for more than 80 per cent of SSH implementations on the internet.

 

Professor Paterson will present the findings at the IEEE Symposium on Security and Privacy in California, USA, on 18 May 2009.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

VC cyber security funding tops £850 million

VC cyber security funding tops £850 million

A new study from US-based research firm CBI Insights reveals that corporate cyber security investments have risen five-fold since 2009, with 30 percent growth in the last year alone.

Russian/Chinese cyber-security pact raises concerns

Russian/Chinese cyber-security pact raises concerns

News that Russia and China are set to sign a cyber-security treaty next month have left Western cyber experts unsure whether it is a threat or a promising development.

UK police arrest trio over £1.6 million cyber theft from cash machines

UK police arrest trio over £1.6 million cyber ...

London Police have arrested three suspected members of an Eastern European cyber-crime gang who installed malware on more than 50 bank ATM machines across the UK to steal £1.6 million.