draft-ietf-secsh-architecture-15.2.ps

OTP是开放电信平台的简称

5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 12]) s
_R
S
PStoPSsaved restore
%%Page: (12,13) 7
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 13 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   parameters\) are pseudo-random then the pseudo-random number generator) s
5 679 M
(   should be cryptographically secure \(i.e., its next output not easily) s
5 668 M
(   guessed even when knowing all previous outputs\) and, furthermore,) s
5 657 M
(   proper entropy needs to be added to the pseudo-random number) s
5 646 M
(   generator.  RFC 1750 [1750] offers suggestions for sources of random) s
5 635 M
(   numbers and entropy.  Implementors should note the importance of) s
5 624 M
(   entropy and the well-meant, anecdotal warning about the difficulty in) s
5 613 M
(   properly implementing pseudo-random number generating functions.) s
5 591 M
(   The amount of entropy available to a given client or server may) s
5 580 M
(   sometimes be less than what is required.  In this case one must) s
5 569 M
(   either resort to pseudo-random number generation regardless of) s
5 558 M
(   insufficient entropy or refuse to run the protocol.  The latter is) s
5 547 M
(   preferable.) s
5 525 M
(9.2 Transport) s
5 503 M
(9.2.1 Confidentiality) s
5 481 M
(   It is beyond the scope of this document and the Secure Shell Working) s
5 470 M
(   Group to analyze or recommend specific ciphers other than the ones) s
5 459 M
(   which have been established and accepted within the industry.  At the) s
5 448 M
(   time of this writing, ciphers commonly in use include 3DES, ARCFOUR,) s
5 437 M
(   twofish, serpent and blowfish.  AES has been accepted by The) s
5 426 M
(   published as a US Federal Information Processing Standards [FIPS-197]) s
5 415 M
(   and the cryptographic community as being acceptable for this purpose) s
5 404 M
(   as well has accepted AES.  As always, implementors and users should) s
5 393 M
(   check current literature to ensure that no recent vulnerabilities) s
5 382 M
(   have been found in ciphers used within products.  Implementors should) s
5 371 M
(   also check to see which ciphers are considered to be relatively) s
5 360 M
(   stronger than others and should recommend their use to users over) s
5 349 M
(   relatively weaker ciphers.  It would be considered good form for an) s
5 338 M
(   implementation to politely and unobtrusively notify a user that a) s
5 327 M
(   stronger cipher is available and should be used when a weaker one is) s
5 316 M
(   actively chosen.) s
5 294 M
(   The "none" cipher is provided for debugging and SHOULD NOT be used) s
5 283 M
(   except for that purpose.  It's cryptographic properties are) s
5 272 M
(   sufficiently described in RFC 2410, which will show that its use does) s
5 261 M
(   not meet the intent of this protocol.) s
5 239 M
(   The relative merits of these and other ciphers may also be found in) s
5 228 M
(   current literature.  Two references that may provide information on) s
5 217 M
(   the subject are [SCHNEIER] and [KAUFMAN,PERLMAN,SPECINER].  Both of) s
5 206 M
(   these describe the CBC mode of operation of certain ciphers and the) s
5 195 M
(   weakness of this scheme.  Essentially, this mode is theoretically) s
5 184 M
(   vulnerable to chosen cipher-text attacks because of the high) s
5 173 M
(   predictability of the start of packet sequence.  However, this attack) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 13]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 14 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   is still deemed difficult and not considered fully practicable) s
5 679 M
(   especially if relatively longer block sizes are used.) s
5 657 M
(   Additionally, another CBC mode attack may be mitigated through the) s
5 646 M
(   insertion of packets containing SSH_MSG_IGNORE.  Without this) s
5 635 M
(   technique, a specific attack may be successful.  For this attack) s
5 624 M
(   \(commonly known as the Rogaway attack) s
5 613 M
(   [ROGAWAY],[DAI],[BELLARE,KOHNO,NAMPREMPRE]\) to work, the attacker) s
5 602 M
(   would need to know the IV of the next block that is going to be) s
5 591 M
(   encrypted.  In CBC mode that is the output of the encryption of the) s
5 580 M
(   previous block. If the attacker does not have any way to see the) s
5 569 M
(   packet yet \(i.e it is in the internal buffers of the ssh) s
5 558 M
(   implementation or even in the kernel\) then this attack will not work.) s
5 547 M
(   If the last packet has been sent out to the network \(i.e the attacker) s
5 536 M
(   has access to it\) then he can use the attack.) s
5 514 M
(   In the optimal case an implementor would need to add an extra packet) s
5 503 M
(   only if the packet has been sent out onto the network and there are) s
5 492 M
(   no other packets waiting for transmission. Implementors may wish to) s
5 481 M
(   check to see if there are any unsent packets awaiting transmission,) s
5 470 M
(   but unfortunately it is not normally easy to obtain this information) s
5 459 M
(   from the kernel or buffers.  If there are not, then a packet) s
5 448 M
(   containing SSH_MSG_IGNORE SHOULD be sent.  If a new packet is added) s
5 437 M
(   to the stream every time the attacker knows the IV that is supposed) s
5 426 M
(   to be used for the next packet, then the attacker will not be able to) s
5 415 M
(   guess the correct IV, thus the attack will never be successfull.) s
5 393 M
(   As an example, consider the following case:) s
5 360 M
(         Client                                                  Server) s
5 349 M
(         ------                                                  ------) s
5 338 M
(         TCP\(seq=x, len=500\)            ->) s
5 327 M
(         contains Record 1) s
5 305 M
(                             [500 ms passes, no ACK]) s
5 283 M
(        TCP\(seq=x, len=1000\)            ->) s
5 272 M
(         contains Records 1,2) s
5 250 M
(                                                                   ACK) s
5 217 M
(   1.  The Nagle algorithm + TCP retransmits mean that the two records) s
5 206 M
(       get coalesced into a single TCP segment) s
5 195 M
(   2.  Record 2 is *not* at the beginning of the TCP segment and never) s
5 184 M
(       will be, since it gets ACKed.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 14]) s
_R
S
PStoPSsaved restore
%%Page: (14,15) 8
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 15 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   3.  Yet, the attack is possible because Record 1 has already been) s
5 679 M
(       seen.) s
5 657 M
(   As this example indicates, it's totally unsafe to use the existence) s
5 646 M
(   of unflushed data in the TCP buffers proper as a guide to whether you) s
5 635 M
(   need an empty packet, since when you do the second write\(\), the) s
5 624 M
(   buffers will contain the un-ACKed Record 1.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 15]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 16 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   On the other hand, it's perfectly safe to have the following) s
5 679 M
(   situation:) s
5 646 M
(         Client                                                  Server) s
5 635 M
(         ------                                                  ------) s
5 624 M
(         TCP\(seq=x, len=500\)           ->) s
5 613 M
(            contains SSH_MSG_IGNORE) s
5 591 M
(         TCP\(seq=y, len=500\)           ->) s
5 580 M
(            contains Data) s
5 558 M
(      Provided that the IV for second SSH Record is fixed after the data for) s
5 547 M
(      the Data packet is determined -i.e. you do:) s
5 536 M
(           read from user) s
5 525 M
(           encrypt null packet) s
5 514 M
(           encrypt data packet) s
5 481 M
(9.2.2 Data Integrity) s
5 459 M
(   This protocol does allow the Data Integrity mechanism to be disabled.) s
5 448 M
(   Implementors SHOULD be wary of exposing this feature for any purpose) s
5 437 M
(   other than debugging.  Users and administrators SHOULD be explicitly) s
5 426 M
(   warned anytime the "none" MAC is enabled.) s
5 404 M
(   So long as the "none" MAC is not used, this protocol provides data) s
5 393 M
(   integrity.) s
5 371 M
(   Because MACs use a 32 bit sequence number, they might start to leak) s
5 360 M
(   information after 2**32 packets have been sent.  However, following) s
5 349 M
(   the rekeying recommendations should prevent this attack.  The) s
5 338 M
(   transport protocol [1] recommends rekeying after one gigabyte of) s
5 327 M
(   data, and the smallest possible packet is 16 bytes. Therefore,) s
5 316 M
(   rekeying SHOULD happen after 2**28 packets at the very most.) s
5 294 M
(9.2.3 Replay) s
5 272 M
(   The use of a MAC other than 'none' provides integrity and) s
5 261 M
(   authentication.  In addition, the transport protocol provides a) s
5 250 M
(   unique session identifier \(bound in part to pseudo-random data that) s
5 239 M
(   is part of the algorithm and key exchange process\) that can be used) s
5 228 M
(   by higher level protocols to bind data to a given session and prevent) s
5 217 M
(   replay of data from prior sessions. For example, the authentication) s
5 206 M
(   protocol uses this to prevent replay of signatures from previous) s
5 195 M
(   sessions.  Because public key authentication exchanges are) s
5 184 M
(   cryptographically bound to the session \(i.e., to the initial key) s
5 173 M
(   exchange\) they cannot be successfully replayed in other sessions.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 16]) s
_R
S
PStoPSsaved restore
%%Page: (16,17) 9
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 17 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   Note that the session ID can be made public without harming the) s
5 679 M
(   security of the protocol.) s
5 657 M
(   If two session happen to have the same session ID [hash of key) s
5 646 M
(   exchanges] then packets from one can be replayed against the other.) s
5 635 M
(   It must be stressed that the chances of such an occurrence are,) s
5 624 M
(   needless to say, minimal when using modern cryptographic methods.) s
5 613 M
(   This is all the more so true when specifying larger hash function) s
5 602 M
(   outputs and DH parameters.) s
5 580 M
(   Replay detection using monotonically increasing sequence numbers as) s
5 569 M
(   input to the MAC, or HMAC in some cases, is described in [RFC2085] />) s
5 558 M
(   [RFC2246], [RFC2743], [RFC1964], [RFC2025], and [RFC1510].  The) s
5 547 M
(   underlying construct is discussed in [RFC2104].  Essentially a) s
5 536 M