Re: spoof rsa fingerprint
> In the scenario that the OP hypothesized, yes, spoofing the > fingerprint would help the attacker. A user who attempted to ssh to > the router would not be warned that the host had changed and would > submit their password to a rogue host. > > In answer to the original question, though, spoofing the fingerprint > would be extraordinarily difficult. I don't see any fingerprints stored in /etc/ssh/ssh_known_hosts or the user's equivalent ~/.ssh/known_hosts, these are the actual public half of the RSA keys. Spoofing these means breaking RSA and generating the corresponding private pair. If someone could do this, I doubt they would waste their talents on logging in to some poor schmuck's Fedora box. There are much jucier and lucrative targets. -wolfgang -- Wolfgang S. Rupprecht If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels? -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
On Tue, 2009-11-17 at 08:33 -0800, Gordon Messmer wrote: > On 11/17/2009 04:53 AM, Patrick O'Callaghan wrote: > > > > It's my understanding that the password would still be sent over an > > encrypted channel (using the original host's public key), so I don't see > > the problem. > > > > There is no original host in the hypothesized scenario. There's an > attacker whose public key has a fingerprint that matches the original > host. The victim connects to the attacker instead of the original > host. Since the original host isn't involved, the original host's key > won't be either. No, the OP's scenario is that there *was* an original host, which presumably set up the key pair and established a fingerprint. That's the assumption behind everything I've been saying. poc -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
Gordon Messmer wrote: > On 11/17/2009 04:53 AM, Patrick O'Callaghan wrote: >> >> It's my understanding that the password would still be sent over an >> encrypted channel (using the original host's public key), so I don't see >> the problem. >> > > There is no original host in the hypothesized scenario. There's an > attacker whose public key has a fingerprint that matches the original > host. The victim connects to the attacker instead of the original > host. Since the original host isn't involved, the original host's key > won't be either. > > However, as previously stated, this is extraordinarily difficult by design. > From the original post: > what happens, if someone turns off my router, then installs a pc > with ip 192.168.1.1? > > And! - it spoofs _the same rsa fingerprint_, that was on my > router. I think what the OP was missing was that the fingerprint being sent is telling you what public key to use. If you already have that key, then the replacement machine is out of luck unless it also has the matching private key. Now, if the fingerprint sent does not match a public key in known_hosts, and the host is not known, you will be asked to accept the public key. But if the host is known, and the fingerprint does not match, you will be warned about a possible man-in-the-middle attach, and will have to authorize the connection. Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup! signature.asc Description: OpenPGP digital signature -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
On 11/17/2009 04:53 AM, Patrick O'Callaghan wrote: It's my understanding that the password would still be sent over an encrypted channel (using the original host's public key), so I don't see the problem. There is no original host in the hypothesized scenario. There's an attacker whose public key has a fingerprint that matches the original host. The victim connects to the attacker instead of the original host. Since the original host isn't involved, the original host's key won't be either. However, as previously stated, this is extraordinarily difficult by design. -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
On Tue, 2009-11-17 at 00:55 -0800, Gordon Messmer wrote: > On 11/15/2009 05:08 AM, Patrick O'Callaghan wrote: > > > > Did you read the URL I posted? It's a tutorial with very explicit > > information. If you understand how public-key crypto works, you'll > > realize that spoofing the fingerprint doesn't help the attacker. > > > > In the scenario that the OP hypothesized, yes, spoofing the fingerprint > would help the attacker. A user who attempted to ssh to the router > would not be warned that the host had changed and would submit their > password to a rogue host. It's my understanding that the password would still be sent over an encrypted channel (using the original host's public key), so I don't see the problem. poc -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
On 11/15/2009 05:08 AM, Patrick O'Callaghan wrote: Did you read the URL I posted? It's a tutorial with very explicit information. If you understand how public-key crypto works, you'll realize that spoofing the fingerprint doesn't help the attacker. In the scenario that the OP hypothesized, yes, spoofing the fingerprint would help the attacker. A user who attempted to ssh to the router would not be warned that the host had changed and would submit their password to a rogue host. In answer to the original question, though, spoofing the fingerprint would be extraordinarily difficult. -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
On Sun, 2009-11-15 at 02:32 -0800, Eugeneapolinary Ju wrote: > so the attacker can't generate a spoofed fingerprint like the one used > on the server? even when using only password authentication? [Please don't top-post on this list. See the Guidelines] Did you read the URL I posted? It's a tutorial with very explicit information. If you understand how public-key crypto works, you'll realize that spoofing the fingerprint doesn't help the attacker. Also, password-only authentication only happens *after* the secure channel is established. See the ssh(1) manpage: Finally, if other authentication methods fail, ssh prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. All this assumes that the client and server have had a previous communication where they set up their keys, which is why in the scenario you asked about ssh checks the fingerprint. Obviously if the server has never had such a previous communication, it has no way of genuinely authenticating the client within the session, so the user either has to assume averything is OK the first time, or use an out-of-band channel such as a physical file copy to establish the keys on either side. poc -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
so the attacker can't generate a spoofed fingerprint like the one used on the server? even when using only password authentication? --- On Sun, 11/15/09, Patrick O'Callaghan wrote: > From: Patrick O'Callaghan > Subject: Re: spoof rsa fingerprint > To: fedora-list@redhat.com > Date: Sunday, November 15, 2009, 1:27 AM > On Sat, 2009-11-14 at 15:09 -0800, > Eugeneapolinary Ju wrote: > > When I first log in to my router [192.168.1.1] through > ssh, it says: > > > > The authenticity of host '.XX (192.168.1.1)' can't > be established. > > RSA key fingerprint is > 51:c6:d1:7a:45:c4:74:3e:31:ee:3a:5a:2d:e1:bf:74. > > Are you sure you want to continue connecting > (yes/no)? > > > > that's OK [it gets stored in the known_hosts file, on > my client machine]. > > > > But: > > > > what happens, if someone turns off my router, then > installs a pc with ip 192.168.1.1? > > > > And! - it spoofs _the same rsa fingerprint_, that was > on my router. > > > > Then, when I want to log in to 192.168.1.1, I will > type my password, and it will stole my password... > > > > So the question is: > > > > Could that be possible, to spoof the rsa_fingerprint? > [because the router say's the fingerprint when first logging > in to it, etc..so could that be spoofed?] > > The fingerprint is simply a hash of the router's full > public key. > Spoofing the fingerprint still won't enable the spoofer to > understand > encrypted communications sent to them (which will continue > to use the > router's genuine public key since the client hasn't noticed > anything > changed). The spoofer can't guess the private key from the > public key > without physical access to the router. > > If the spoofer generates its own public/private key pair, > the client > will notice that the signature changed. That's the point of > the warning > message. > > See http://www.securityfocus.com/infocus/1806 > > poc > > -- > fedora-list mailing list > fedora-list@redhat.com > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list > Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines > -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
http://www.openssl.org/news/secadv_20060905.txt --- On Sat, 11/14/09, Eugeneapolinary Ju wrote: > From: Eugeneapolinary Ju > Subject: spoof rsa fingerprint > To: "fedora list" > Date: Saturday, November 14, 2009, 11:09 PM > When I first log in to my router > [192.168.1.1] through ssh, it says: > > The authenticity of host '.XX (192.168.1.1)' can't be > established. > RSA key fingerprint is > 51:c6:d1:7a:45:c4:74:3e:31:ee:3a:5a:2d:e1:bf:74. > Are you sure you want to continue connecting (yes/no)? > > that's OK [it gets stored in the known_hosts file, on my > client machine]. > > But: > > what happens, if someone turns off my router, then installs > a pc with ip 192.168.1.1? > > And! - it spoofs _the same rsa fingerprint_, that was on my > router. > > Then, when I want to log in to 192.168.1.1, I will type my > password, and it will stole my password... > > > So the question is: > > Could that be possible, to spoof the rsa_fingerprint? > [because the router say's the fingerprint when first logging > in to it, etc..so could that be spoofed?] > > > > -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
Eugeneapolinary Ju wrote: > When I first log in to my router [192.168.1.1] through ssh, it says: > > The authenticity of host '.XX (192.168.1.1)' can't be established. > RSA key fingerprint is 51:c6:d1:7a:45:c4:74:3e:31:ee:3a:5a:2d:e1:bf:74. > Are you sure you want to continue connecting (yes/no)? > > that's OK [it gets stored in the known_hosts file, on my client machine]. > > But: > > what happens, if someone turns off my router, then installs a pc > with ip 192.168.1.1? > > And! - it spoofs _the same rsa fingerprint_, that was on my router. > > Then, when I want to log in to 192.168.1.1, I will type my > password, and it will stole my password... > > > So the question is: > > Could that be possible, to spoof the rsa_fingerprint? [because > the router say's the fingerprint when first logging in to it, etc..so > could that be spoofed?] > Only if they can get a copy of the host's private key. When the host is added to the known_hosts file, what you are really adding it the hosts public key. This is used to exchange encrypted messages between the two computers to establish that the server you are connecting to is the server it says it is. This can not be done if you do not have the server's public key. Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup! signature.asc Description: OpenPGP digital signature -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: spoof rsa fingerprint
On Sat, 2009-11-14 at 15:09 -0800, Eugeneapolinary Ju wrote: > When I first log in to my router [192.168.1.1] through ssh, it says: > > The authenticity of host '.XX (192.168.1.1)' can't be established. > RSA key fingerprint is 51:c6:d1:7a:45:c4:74:3e:31:ee:3a:5a:2d:e1:bf:74. > Are you sure you want to continue connecting (yes/no)? > > that's OK [it gets stored in the known_hosts file, on my client machine]. > > But: > > what happens, if someone turns off my router, then installs a pc with ip > 192.168.1.1? > > And! - it spoofs _the same rsa fingerprint_, that was on my router. > > Then, when I want to log in to 192.168.1.1, I will type my password, and it > will stole my password... > > So the question is: > > Could that be possible, to spoof the rsa_fingerprint? [because the router > say's the fingerprint when first logging in to it, etc..so could that be > spoofed?] The fingerprint is simply a hash of the router's full public key. Spoofing the fingerprint still won't enable the spoofer to understand encrypted communications sent to them (which will continue to use the router's genuine public key since the client hasn't noticed anything changed). The spoofer can't guess the private key from the public key without physical access to the router. If the spoofer generates its own public/private key pair, the client will notice that the signature changed. That's the point of the warning message. See http://www.securityfocus.com/infocus/1806 poc -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
spoof rsa fingerprint
When I first log in to my router [192.168.1.1] through ssh, it says: The authenticity of host '.XX (192.168.1.1)' can't be established. RSA key fingerprint is 51:c6:d1:7a:45:c4:74:3e:31:ee:3a:5a:2d:e1:bf:74. Are you sure you want to continue connecting (yes/no)? that's OK [it gets stored in the known_hosts file, on my client machine]. But: what happens, if someone turns off my router, then installs a pc with ip 192.168.1.1? And! - it spoofs _the same rsa fingerprint_, that was on my router. Then, when I want to log in to 192.168.1.1, I will type my password, and it will stole my password... So the question is: Could that be possible, to spoof the rsa_fingerprint? [because the router say's the fingerprint when first logging in to it, etc..so could that be spoofed?] -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines