Data encryption security flaw found in 'bullet-proof' SSH protocol
Wednesday, May 20, 2009
Security researchers have uncovered a flaw in the encryption protocol Open Secure Shell (OpenSSH), which was previously thought to provide a "bullet-proof" channel between networked devices.
Researcher Kenny Paterson of Royal Holloway, University of London, revealed the flaw last November, but did not disclose the full findings until this week at the IEEE Symposium on Security and Privacy in Oakland.
Paterson and his team discovered a basic data security design flaw which, if exploited, could potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration.
Paterson told CNET News that a man-in-the-middle attacker could grab blocks of encrypted text as they are sent from client to server and then retransmit the data to the server until the connection was stopped.
The attacker could count out how many bytes it takes until the server stops the connection and then deduce what was in the OpenSSH encryption field before encryption, CNET reported.
"While the attacks have low success probabilities, it should be kept in mind that SSH is regarded as being a bullet-proof protocol and is widely used to protect remote logins to sensitive systems," Paterson said, according to a report from the university.
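Because the flaw applies to the standard configuration, a defender's first check is which ciphers the server is configured to offer. The following is an added example, not code from the article or from OpenSSH: it audits an `sshd_config` for CBC-mode ciphers, on the assumption (background not stated in the article) that the plaintext-recovery weakness is specific to CBC-mode encryption. The function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample sshd_config (not from the article). The second
# Ciphers line is ignored: sshd uses the first value it reads for a keyword.
SAMPLE = """\
Port 22
Ciphers aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se,aes256-ctr  # legacy
ciphers aes128-ctr
Match User backup
    ForceCommand /usr/bin/true
"""

CBC = re.compile(r"-cbc(@|$)")  # also matches names such as x-cbc@host

def effective_ciphers(config_text):
    """Return the raw global Ciphers value, or None if the file sets none."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            return None                     # Ciphers cannot be set inside Match
        if keyword == "ciphers" and len(parts) == 2:
            return parts[1].strip().strip('"')
    return None

def audit(config_text):
    """Classify the Ciphers setting and list any CBC-mode entries it enables."""
    value = effective_ciphers(config_text)
    if value is None:
        # Built-in defaults apply; they depend on the installed OpenSSH version.
        return {"status": "default", "cbc": []}
    modifier = value[:1] if value[:1] in ("+", "-", "^") else ""
    names = [n.strip() for n in value[len(modifier):].split(",") if n.strip()]
    cbc = [n for n in names if CBC.search(n)]
    if modifier == "-":
        # A leading '-' removes the listed ciphers from the defaults.
        return {"status": "removes-from-default", "cbc": []}
    if modifier:
        return {"status": "adds-to-default", "cbc": cbc}
    return {"status": "explicit", "cbc": cbc}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `default` or modifier status means the result depends on the installed version's built-in cipher list; `sshd -T` prints the effective configuration, including those defaults.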
