Network Security News

Data encryption security flaw found in 'bullet-proof' SSH protocol

Wednesday, May 20, 2009

Security researchers have uncovered a flaw in the encryption protocol Open Secure Shell (OpenSSH), which was previously thought to provide a "bullet-proof" channel between networked devices.

Researcher Kenny Paterson of Royal Holloway, University of London, revealed the flaw last November but did not disclose the full findings until this week at the IEEE Symposium on Security and Privacy in Oakland.

Paterson and his team discovered a basic data security design flaw which, if exploited, could potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration.

Paterson told CNET News that a man-in-the-middle attacker could grab blocks of encrypted text as they are sent from client to server and then retransmit the data to the server until the connection was stopped.

The attacker could count out how many bytes it takes until the server stops the connection and then deduce what was in the OpenSSH encryption field before encryption, CNET reported.

"While the attacks have low success probabilities, it should be kept in mind that SSH is regarded as being a bullet-proof protocol and is widely used to protect remote logins to sensitive systems," Paterson said, according to a report from the university.

Related News:

Zeus botnet performs MySpace spam campaign to spread itself further - 11.20.2009
A sophisticated Trojan dubbed "Zeus" has sent a flood of email messages to MySpace users in an attempt to propagate itself onto more computers, according to researchers at the University of Alabama at Birmingham.

Experts dissect Chrome OS security features - 11.20.2009
Yesterday's release of Google's groundbreaking new cloud-based operating system, Chrome OS, has caused a stir in techie circles, with experts of all stripes rushing to examine the product and issue their judgments.

Microsoft counts Chrome coup with discovery of security flaw - 11.20.2009
Security researchers at Microsoft recently discovered a security vulnerability in Google's controversial Chrome Frame for Internet Explorer, a browser plug-in that simulates Chrome functionality within an Internet Explorer session.

iPhone user sues games maker, claiming to have found hidden spyware - 11.18.2009
An iPhone gamer filed a federal lawsuit against mobile game programmer Storm8 today, alleging that the company violated his privacy by including hidden code in its games that gathered his personal information without permission.

Government watchdog warns of possible IT leaks at Los Alamos - 11.16.2009
The Government Accountability Office has issued a report on data security at the Los Alamos National Laboratory which says that sensitive and highly classified information is vulnerable to outside access.
