[ILUG] SSH dictionary attacks.
Harry Duncan
usr.src.linux at gmail.com
Tue Aug 29 23:17:11 IST 2006
Owen O' Shaughnessy wrote:
> paul at clubi.ie wrote:
>> For public-key and MAC mode signatures, this means the attack is only
>> meaningful if the attacker knows the secret key (the digest value is
>> immutable unless one knows the secret key) in which case, the
>> weakness in the digest algo makes no difference.
>
> Your degree of verbosity on the subject far exceeds my understanding
> of both the topic and the English language, but from the limited
> knowledge that I do have of both, I understand that the basis for a
> collision attack on the ciphers is always based on using two distinct
> private keys, and not one as you suggest.
Hmm... why did Paul bring private keys into this... anyway, that's
unimportant... Owen, you seriously misunderstand what's going on. What
you're describing sounds something like a digital signature, where I
sign a message, basically encrypting it with my private key so that
the resulting signature can be decrypted with my public key to
re-generate the original message, and this recreated message is
directly compared to the signed message for validation purposes.
MD5 & SHA1 are one way hashing functions, they are merely irreversible
mathematical functions.
> However, that is unimportant in the scheme of the latest attack. The
> notion put forward is that two distinct keys can sign different
> "meaningful" messages and end up with the same digital signature. The
> attack is based on HTML rendering of the data, and hiding "garbage" in
> the unrendered metadata in the file. So, the messages are only
> meaningful when viewed as rendered data in a html viewer, but the raw
> data reveals any amount of meaningless data making the attack readily
> identifiable.
From what I've just read on slashdot, I think you might be right, but
I simply can't state that categorically.... it's not my world I'm
afraid.
> The solution to this problem is much simpler than Proinnsias's dual
> signature approach, you simply need to take the file size into
> consideration to beat this attack, as the attack will not render two
> files of identical file size. This would render all variations on the
> attack, i.e. when it's taken outside the realm of html, useless.
If the nature of the attack is as you describe above, then yes, that
would be a valid solution. The question is, how do you transmit that
file size info in a trustworthy fashion without resorting to bulky
digital signatures?
> The world of cryptography is therefore saved without any miraculous
> intervention from the world of mathematics or the superior knowledge of
> Jackma & Co ;-D
I take it the extra c is for Colm??
Harrcy.
> Regards,
>
> Owen.