5

It seems that the SSH designers cared a great deal about man in the middle attack.

Their approach was, to save server's public key finger print at the first time you're connected to the server (and hope that the user doesn't connect from a poisoned network in the first time, for instance if he has a virus in the computer). The user then uses the fingerprint to verify the server's public key next time he'll connect to this server.

In practice, I found out that many user simply ignores warnings about unmatched fingerprints, and assume it's due to server re-installation. It's just MITM attack is so difficult to conduct and rare, you never worry about it. Moreover, many times a user wants to use ssh many different computers, and he wouldn't bother importing all the fingerprints to any computer he might want to use SSH with (hey, can you look why my site is down, I'm panicked! I'm not in the office, I'll drop to the nearest internet cafe and have a look).

To be fair, one can use DNSSEC and use the DNS servers as the CA. However I never saw that used in practice. And anyhow, it's not a mandatory part of the protocol.

Many years I thought one cannot avoid MITM without preshared secret, but I've been recently reading Bruce Schneir's excellent "Practical Cryptography", there he mentions the interlock protocol.

  1. Alice sends Bob her public key.
  2. Bob sends Alice his public key.
  3. Alice encrypt her message using Bob's public key. She sends half of the encrypted message to Bob.
  4. Bob encrypts his message using Alice's public key. He sends half of the encrypted message to Alice.
  5. Alice sends the other half of her encrypted message to Bob.
  6. Bob puts the two halves of Alice's message together and decrypts it with his private key. Bob sends the other half of his encrypted message to Alice.
  7. Alice puts the two halves of Bob's message together and decrypts it with her private key.

Now, Mallory has to send something to Bob in step (3) of the protocol, after he receives half of Alice's message, even though he can't decrypt it until he gets everything from Alice in (5). He must fabricate a message to Bob, and Bob is likely to notice he's fabricating, say, after he ls his home directory.

Why didn't SSH use such a scheme? It seems to really fit its goals. It doesn't require any other entity, and it makes MITM attacks substantially more difficult.

Is it something inherent? A flaw in my understanding of the problem? Or just the designer thought the extra security doesn't worth complicating the protocol?

PS: If you think that it would cause too much overhead, you can force the users of the protocol to use interlock only for the first 10K of data in the connection, so in practice it wouldn't matter too much, but MITM would be more difficult never the less.

Update: The attack on the interlock protocol described here, does not mean a MITM attack is possible, it does mean that if a single password is sent during the communication the MITM can intercept it and the user would only see a time out error.

Update 2: The point Eugene, raise is valid. The interlock protocol doesn't allow authentication. That is, you still can't be sure that if you're connecting to example.com, it is indeed example.com, and not malicious.com impersonating to example.com. You can't know that for sure without, say, DNSSEC. So for example, if you're SSHing to the missles silos, and write launch_missile -time now (without, say, using ls to verify the server is indeed the server in the missiles silos), it might be that you actually wrote that in a malicious server, and now the enemy know you're about to launch missiles against him. This type of attack indeed won't be prevented by the interlock protocol.

However if I understand the protocol correctly, a much more dangerous attack, and very practical attack, might be prevented. If the interlock protocol is used, even if you don't know anything about example.com, it is impossible that you would SSH to your server, and someone would eavesdrop to the entire SSH session. I think that this type of attack is much more likely.

Maybe SSH don't care about MITM attack? I think not, see for instance Putty FAQ:

Those annoying host key prompts are the whole point of SSH. Without them, all the cryptographic technology SSH uses to secure your session is doing nothing more than making an attacker's job slightly harder; instead of sitting between you and the server with a packet sniffer, the attacker must actually subvert a router and start modifying the packets going back and forth. But that's not all that much harder than just sniffing; and without host key checking, it will go completely undetected by client or server.

He's clearly talking about MITM attack and not about server authentication. I think using the interlock protocol will clearly prevent the attack mentioned in the Putty FAQ and I still don't understand why didn't they use it.

Elazar Leibovich
  • 32,750
  • 33
  • 122
  • 169
  • The wiki page you point to clearly states that Interlock is vulnerable to MITM (Bellovin/Merritt attack), and if you don't use a pre-shared secret, you'll only be able to ensure no-one modifies the messages, and have no guarantee no-one is listening... Interlock can't be used to provide authentication, only integrity assurance. (That's how I understand the Wikipedia page, correct me if I'm incorrect!) – Romain Feb 18 '11 at 14:19
  • @Romain, read the paper, it's very readable, and I don't think it says a "classical" MITM attack is possible. Specifically, it won't be possible to eavesdrop to the entire ssh session, even with Bellovin's attack. See my update. – Elazar Leibovich Feb 18 '11 at 15:02

1 Answers1

1

I don't see how interlock protocol prevents MITM.

The problem is not how to exchange keys, but how to trust them. You correctly point out, that people ignore warnings that the keys don't match. This is really the biggest flaw, but the protocol you describe doesn't solve the problem of verification of key origin. SSL uses X.509 certificates and PKI to verify trust. SSH can also use certificates, but almost no SSH software supports them.

Elazar Leibovich
  • 32,750
  • 33
  • 122
  • 169
Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • @Eugene, I don't understand. (1) Do you claim that SSH designer didn't care about MITM attacks? (2) Can you describe an example attack utilizing the unverified key origin? I didn't quite got it, and an example would help. – Elazar Leibovich Feb 18 '11 at 14:11
  • @Elazar I am not SSH designer so I can't "claim" anything about his intentions. MITM attacks are described quite a lot in literature. – Eugene Mayevski 'Callback Feb 18 '11 at 14:12
  • @Eugene, I don't understand what you're saying. (1) Do you agree that the interlock protocol will prevent MITM attacks? It would be difficult to pretend I'm your server while tunneling the connection to the real server. Do we agree on this fact? (2) Again, can you please explain me what does unverified key origin mean in this context? Can you please give an example of an attack utilizing it. I'm not a crypto expert, so I might be missing something. – Elazar Leibovich Feb 18 '11 at 14:21
  • @Elazar the questionable part of interlock protocol is *authenticated* key exchange. "Authenticated" means that the recipient can trust the received key. With SSH keys there' no way to check the key's owner. With certificates one uses PKI to check validity of the certificate. I guess you need to read more about PKI and SSH, cause it's not possible to explain you contents of many books in 450 characters. – Eugene Mayevski 'Callback Feb 18 '11 at 15:15
  • @Eugene, Thanks, I think I do understand this concept, see "update2" in my answer. I'll be glad if you correct any mistake I might have. – Elazar Leibovich Feb 19 '11 at 17:05
  • @Elazar Authentication of the server is what prevents MITM attack (it's a long story to explain how exactly). And if/when the operator on the client checks the key received is the correct one, he performs manual key validation and thus authentication of the server "by hand" (in opposite to SSL where such check is performed by software which validates certificates). To re-state - MITM and server authentication are linked things and the paragraph you quoted refers to both of them. – Eugene Mayevski 'Callback Feb 19 '11 at 17:49
  • @Eugene, of course, server authentication by preshare keys (somehow, PKI, or by prerecording the fingerprint by hand) prevents MITM. But when server authentication is not possible, for example, in the first time you connect to the SSH server and don't have its fingerprint, the interlock protocol also prevents MITM (although the attacker can still pretend to be the server, but he can't eavesdropt to your communication with the real server). Restating my question. SSH doesn't really support full server authentication (unlike SSL with mandatory PKI), so at least let it use the interlock protocol. – Elazar Leibovich Feb 19 '11 at 19:05
  • @Elazar I don't see how interlock protocol prevents MITM. The attacker impersonates a server for the client and a client for the server. Attacker becomes a proxy. And without validating the server key the client can't know that it's connected to proxy and not to real server (the same applies to the server, but this is less critical usually). So reliable delivery of pre-shared keys is the key. And if pre-shared keys are not possible, authentication can be performed only by validating the key itself. – Eugene Mayevski 'Callback Feb 19 '11 at 21:10
  • @Eugene, I really think it does. Indeed, you would connect successfully to the attacker's proxy server. The proxy will share a public key K with me, and a public key T with the real server. Now I'll send the proxy half of the encrypted message, and demand answer before I'll send him the other half. Now, the proxy cannot decrypt my message and find out what I wrote, so it must make up an answer. And I'll figure out its not the real server. – Elazar Leibovich Feb 19 '11 at 22:23
  • @Elazar this is so if you reliably exchanged some information between the client and the server before. In case of SSH public keys *are* this pre-shared part. And if the key has been replaced but you (operator) don't care, then here comes a room for MITM – Eugene Mayevski 'Callback Feb 20 '11 at 09:39
  • @Eugene, even if you don't have anything preshared, using the interlock protocol means the attacker cannot act as a proxy, it must commit to half of the encrypted content before he can encrypt it. So he can fabricate a server and guess what the real server will answer, but he cannot act as a proxy and simply transmit to you what the server wanted to transmit encrypted with his own key. That's the whole point of the interlock protocol. – Elazar Leibovich Feb 20 '11 at 11:06
  • @Elazar Ok, I finally understood what you mean. Needs further cryptographic investigation, I guess. The paper you were referring to mentions, that the algorithm doesn't stand more complicated attacks, so if it doesn't solve a problem completely, why use it? Maybe that was SSH inventors' thought. – Eugene Mayevski 'Callback Feb 20 '11 at 12:14
  • @Elazar after further thinking (about SSH protocol) I don't see what would prevent MITM from forging data sent on steps 3 and 4. Neither the client nor server know what *real* data must be there (and if they know it, then MITM can know it too, or we must again deal with some pre-shared secret). – Eugene Mayevski 'Callback Feb 20 '11 at 16:06
  • @Eugene, I'm not sure you're correct. There are many things which will make me suspect, and are trivial to the real server to know. For instance, I do many times `ls` on my home folder. The attacker must fabricate it, how can he know that? Or I'm querying the content of a specific file. The attacker won't get caught if I just ssh'd for `httpd stop`, but anything more complex is bound to raise alarm. – Elazar Leibovich Feb 20 '11 at 19:26
  • @Elazar here you are missing the nature of SSH. SSH is not about getting to the remote system's console. This is a complicated protocol *family*, where shell access is done via one of several established tunnels. And verification of the keys and authentication is performed at the very beginning (during handshake) where neither the client nor server know any patterns. So I suggest you read about SSH now. – Eugene Mayevski 'Callback Feb 20 '11 at 20:46
  • @Elzar: Follow Eugene's advise, it appears your understanding of how SSH works is too partial for you to understand the intricacies of this discussion. – Romain Feb 21 '11 at 10:49