
I am trying to find out if the SSH protocol preserves integrity of the transferred data in the following scenario:

The SSH client is running on a virtual machine, at some point in the middle of the connection a snapshot is made of the virtual machine and another copy of the client is brought up in some location.

I am assuming that the adversary has no direct control over any of the endpoints, but has full control over the network between them. This means the adversary could feed all three nodes with a stream of data for which TCP sequence numbers as well as checksums would be correct. What I don't know is to what extent the additional checks performed by the SSH layer will help preserve integrity in this setting.

Obviously the adversary can pick one of the two clients and pass only data from this client to the server where it will be accepted. And the adversary can pass data from the server to the chosen client. In that case the chosen client and the server will continue communicating without any problems. I assume the adversary would also be able to pass the data from the server to the other client, which would accept that data (at least until the next key negotiation).

What I don't know is if the adversary can go beyond this and feed the server with a mix of data from the two clients.

In the above scenario could the adversary pick some data from one client and some data from the other client and get the server to accept it? If it could that would mean the server would accept a stream of data that does not match anything produced by either client.

If the message authentication code used by SSH would cover not just the payload data in the current packet but also the message authentication code of the previous packet, then I believe the integrity would be preserved.

But as far as I can tell this is not the case. So I am suspecting the answer is that there is nothing preventing the adversary from sending packet number $n$ from the first client to the server followed by packet number $n+1$ from the second client and getting the server to accept both.

kasperd
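The splice described in the question, modelled in code. This is an added example, not code from the original post: it implements the SSH transport MAC of RFC 4253 section 6.4 (HMAC over the implicit 32-bit sequence number followed by the unencrypted packet) and, beside it, the hypothetical "chained" variant the post asks about, where each MAC also covers the previous packet's MAC. Encryption is left out because the question is only about the integrity check, and the counter-mode and AEAD ciphers in use today carry no inter-packet state that would change the outcome. The key, the payloads and the chained construction are constructed here for illustration.

```python
"""Twin-client splice against the SSH transport MAC (added example)."""
import copy
import hashlib
import hmac
import struct

MAC_KEY = b"integrity key derived during kex"  # constructed; both clones share it


def compute_mac(key, seqno, payload, prev_mac=b""):
    # Standard SSH: HMAC(key, uint32 seqno || packet), prev_mac is empty.
    # Chained variant (hypothetical): the previous packet's MAC is mixed in,
    # so each packet commits to the packet the sender actually sent before it.
    return hmac.new(key, struct.pack(">I", seqno) + prev_mac + payload,
                    hashlib.sha256).digest()


class Endpoint:
    """One direction of an SSH transport. The sequence number is never sent
    on the wire; sender and receiver each keep their own copy of it."""

    def __init__(self, key, chained):
        self.key = key
        self.chained = chained
        self.seqno = 0        # uint32, incremented per packet, wraps mod 2**32
        self.prev_mac = b""   # only consulted by the chained variant

    def send(self, payload):
        prev = self.prev_mac if self.chained else b""
        mac = compute_mac(self.key, self.seqno, payload, prev)
        self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        self.prev_mac = mac
        return payload, mac   # what goes on the wire (before encryption)

    def receive(self, packet):
        payload, mac = packet
        prev = self.prev_mac if self.chained else b""
        expected = compute_mac(self.key, self.seqno, payload, prev)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC verification failed at seqno %d" % self.seqno)
        self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        self.prev_mac = mac
        return payload


def twin_client_splice(chained):
    """Run the scenario from the question.

    Returns (accepted_payloads, rejected): the payloads the server accepted
    and whether it rejected the spliced packet from the second client.
    """
    client = Endpoint(MAC_KEY, chained)
    server = Endpoint(MAC_KEY, chained)

    # Traffic before the snapshot, delivered intact.
    for p in (b"seq0", b"seq1", b"seq2"):
        server.receive(client.send(p))

    # VM snapshot: the clone starts with exactly the client's transport state.
    clone = copy.deepcopy(client)

    # After the snapshot the two copies diverge and each produces its own
    # packets number 3 and 4 (the constructed payloads make the origin visible).
    a3, a4 = client.send(b"A:packet3"), client.send(b"A:packet4")
    b3, b4 = clone.send(b"B:packet3"), clone.send(b"B:packet4")
    del a4, b3  # the adversary, controlling the network, drops these two

    accepted = []
    try:
        accepted.append(server.receive(a3))  # packet n from the first client
        accepted.append(server.receive(b4))  # packet n+1 from the second client
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```

With the standard MAC, `twin_client_splice(chained=False)` shows the server accepting `A:packet3` followed by `B:packet4`, a stream neither client produced, because both clones hold the same key and the same counter. With the chained variant the second packet fails verification, since the clone computed its MAC over its own packet 3 rather than over the packet the server actually accepted. One practical caveat the model omits: with a CBC-mode cipher the chaining state carried across packets means the first block of the spliced packet decrypts to garbage and its MAC then fails anyway; with CTR-mode and the AEAD ciphers (whose nonce is derived from the sequence number) the model is faithful.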
  • Do the cloned clients produce the same "random" bits? Can the adversary make the clients send different plaintext to the server despite receiving the exact same communication from the server? – Ricky Demer Nov 10 '14 at 00:12
  • @RickyDemer The clients would be communicating with the outside world using other protocols than ssh, and this would cause the plaintext sent by the clients to the ssh server to be different. – kasperd Nov 10 '14 at 00:23
  • Would that also cause the "random" bits produced by the clients to be different? If yes, would it cause those to be computationally independent? – Ricky Demer Nov 10 '14 at 00:42
  • @RickyDemer Does it even make a difference if the random bits produced by the two clients are identical or not? I would assume ssh only uses random bits while setting up the connection and not for each packet. – kasperd Nov 10 '14 at 01:22
  • I have no idea. – Ricky Demer Nov 10 '14 at 02:34
  • @owlstead TCP has no protection against MITM attacks. An adversary can trivially reconstruct each endpoint's internal state at the TCP layer. And the adversary can trivially send valid TCP packets to all three nodes. Having each MAC cover the previous MAC would help because even though the adversary can see the MAC, the adversary could not get a client to compute another MAC on top of one it had not produced itself. – kasperd Nov 10 '14 at 14:35
  • @owlstead I never said anything about getting the server to accept a message twice. I asked about getting the server to accept some messages from one client and some messages from the other client. – kasperd Nov 10 '14 at 14:56
  • @owlstead As stated in the question, I assume the adversary controls the network. The adversary can simply drop some of the packets. – kasperd Nov 10 '14 at 15:05
  • OK, OK, as long as you can keep the session counter up to a certain point and you don't break the protocol then the MAC does not protect auto-magically against twin clients I suppose. But you would need the clients to both accept the same responses from the server even for different messages from the clients (deleting some old comments). – Maarten Bodewes Nov 10 '14 at 15:11
