Mailing List Archive



Re: [tlug] SSH Issues



On 2008-11-25 01:10 +0900 (Tue), Stephen J. Turnbull wrote:

> But no, HTTPS is *not* analogous to DNSSEC.  It serves many purposes
> without need of authentication or prior communication of any kind.

No, it does not serve those purposes, though there's a very common
illusion out there that it does. There are MITM attacks in the wild
based around exactly the common idea that you still have encryption
without authentication.

I don't have time to dig up the various blog entries, etc. on this,
but the short summary is that the attacker does something (e.g., DNS
spoofing on your home router) that lets her insert a proxy between
you and the target of your HTTP request. Alice contacts Bob, who is
actually Eve, Eve forwards the request to Bob, accepts the response,
generates a new self-signed HTTP cert, and forwards the response back to
Alice. Alice accepts Eve's self-signed cert (since she can't tell the
difference between that and Bob's self-signed cert), and now has a fully
encrypted communications channel to Eve and thence Bob.

In other words, unless you've *authenticated* the other end of an HTTPS
connection, you should assume that it's quite possible you're talking to
an attacker in the middle who's eavesdropping on everything you do.

Note that rootkit-style packages are available for this sort of thing.

> So I don't understand your analogy.  What purpose does DNSSEC serve if
> the data being received is not being authenticated?

None. Just as with HTTPS.

> Huh?  SSH is a well-known, very commonly used protocol, and everybody
> who uses it understands that they must explicitly distribute keys to
> hosts they wish to contact via SSH even if they haven't a clue as to
> how public key cryptography works.

Not that I've seen. Hands up here, how many people always use ssh
with strict checking on (i.e., abort the connection if the remote
host's public key or a fingerprint of it isn't known)? Contrariwise, how
many have received in the last few months a "No host key is known for
server.example.com; do you want to continue connecting?" prompt and
answered "yes" without checking the fingerprint first?

I see people do the latter all the time.

> If they don't install a key, they will be prompted for a secret when
> they run ssh.

You're thinking of something different here. See my example above.

> As HTTPS shows, authentication is not the only use of cryptography in
> network security.

As HTTPS shows (see above), encryption without authentication does not
protect against eavesdropping.

> It happens that DNSSEC *is* used for authentication and *does* depend
> on a pre-existing secret, and on that fact I was mistaken.  Understand
> *that*, and the whole conversation becomes explicable.

I guess it's not explicable to me what DNSSEC would be used for besides
authentication.

> That's why I used Diffie-Hellman as an example! "Presence of a
> pre-shared secret" can't be what you mean here, because *precisely
> stated* Diffie-Hellman's contribution is to make construction of a
> shared secret possible *without* previous communication of another
> secret. No more (though that is plenty!)

It's not, because with DH, as with HTTPS above, you're subject to MITM
attacks unless you can authenticate the remote end. Thus, you need some
out-of-band information that indicates that you're talking to whom you
really think you're talking to, and not an attacker.

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974   
Mobile sites and software consulting: http://www.starling-software.com

