AES-CBC mode in OpenSSH

In OpenSSH 5.2 release notes it says there are mitigations to to CPNI-95703=
7 "Plaintext Recovery Attack Against SSH", but in the latest release of Ope=
nSSH 7.3, AES-CBC is disabled.  Should AES-CBC mode not be used because of =
the Univ of London hack.  http://www.openssh.com/txt/cbc.adv

Changes since OpenSSH 7.2

Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

Changes since OpenSSH 5.1


 * This release changes the default cipher order to prefer the AES CTR
   modes and the revised "arcfour256" mode to CBC mode ciphers that are
   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

 * This release also adds countermeasures to mitigate CPNI-957037-style
   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
   detection of an invalid packet length or Message Authentication
   Code, ssh/sshd will continue reading up to the maximum supported
   packet length rather than immediately terminating the connection.
   This eliminates most of the known differences in behaviour that
   leaked information about the plaintext of injected data which formed
   the basis of this attack. We believe that these attacks are rendered
   infeasible by these changes.
10/6/2016 6:51:09 PM
comp.security.ssh 4228 articles. 0 followers. terra1024 (490) is leader. Post Follow

0 Replies

Similar Articles

[PageSpeed] 44