
How the NSA corrupted SSH

Lots of articles about the NSA and its PRISM program were published recently. Most of them, for example this one from The Guardian, say this:

"It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006."

Unfortunately, they do not say which standard was corrupted, so I decided to investigate further. Some say Elliptic Curve encryption was the NSA target, and they might be right, but no standard about it was published in 2006, only RFC4492 with 'informational' status. This brings me to believe that SSH (at least) was deliberately corrupted.

The standardization process by the IETF is described in this RFC document.
In 2006, 459 documents were considered interesting enough to be published by the IETF, and among them 260 were published with the 'standard' flag. Of those, over 40 documents relate to security, most of them about Kerberos, SASL, PKI, TLS, or SSH.
Reading all of these documents to find weaknesses would be a hard task, and in our case reading only their abstracts was enough. Notably, the answer was given in another standard from 2006, so it was not necessary to read everything published since that year.

The suspect
RFC4253 was published in January 2006 by SSH Communications Security Corporation and Cisco, both well-known commercial enterprises. During the same month, RFC4344 was published by researchers with the goal of correcting some security weaknesses of RFC4253:

Researchers have discovered that the authenticated encryption portion
of the current SSH Transport Protocol is vulnerable to several
attacks.
This document describes new symmetric encryption methods for the
Secure Shell (SSH) Transport Protocol and gives specific
recommendations on how frequently SSH implementations should rekey.

This matches quite well with the incomplete explanation given by The Guardian.
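
A way to check a server configuration against the two RFCs named above, as an added example that is not from the original post: it sorts an sshd_config `Ciphers` list into names registered by RFC 4253 and names added by RFC 4344, and compares `RekeyLimit` with the rekey interval RFC 4344 recommends. It assumes OpenSSH-style syntax with a plain comma-separated cipher list; the function names and the sample config are constructed for illustration.

```python
import re

# Cipher names as registered by the two RFCs the article compares.
RFC4253 = {"3des-cbc", "blowfish-cbc", "twofish256-cbc", "twofish-cbc",
           "twofish192-cbc", "twofish128-cbc", "aes256-cbc", "aes192-cbc",
           "aes128-cbc", "serpent256-cbc", "serpent192-cbc", "serpent128-cbc",
           "arcfour", "idea-cbc", "cast128-cbc", "none"}
RFC4344 = {f"{c}-ctr" for c in (
    "aes128", "aes192", "aes256", "3des", "blowfish", "twofish128", "twofish192",
    "twofish256", "serpent128", "serpent192", "serpent256", "idea", "cast128")}
UNITS = {"": 1, "K": 2**10, "M": 2**20, "G": 2**30}

def rekey_ceiling(cipher):
    """RFC 4344 section 3.2: at most 2**(L/4) blocks per key when the block
    length L is >= 128 bits; otherwise the RFC 4253 figure of one gigabyte
    (assumption of this example: taken as 2**30 bytes)."""
    bits = 128 if cipher.startswith(("aes", "twofish", "serpent")) else 64
    return 2 ** (bits // 4) * (bits // 8) if bits >= 128 else 2**30

def audit(config_text):
    """Classify the Ciphers list and flag ciphers whose RekeyLimit is too high."""
    opts = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())  # first value wins
    ciphers = [c for c in opts.get("ciphers", "").split(",") if c]
    known = RFC4253 | RFC4344
    report = {"rfc4253": [c for c in ciphers if c in RFC4253],
              "rfc4344": [c for c in ciphers if c in RFC4344],
              "other": [c for c in ciphers if c not in known]}
    m = re.fullmatch(r"(\d+)([KMG]?)", opts.get("rekeylimit", "").split(" ")[0].upper())
    limit = int(m.group(1)) * UNITS[m.group(2)] if m else None  # None: default or unset
    block = [c for c in ciphers if c in known and c not in ("arcfour", "none")]
    report["rekey_too_high"] = [c for c in block
                                if limit is not None and limit > rekey_ceiling(c)]
    return report

# Constructed sample, not taken from any real host.
SAMPLE = """\
# sshd_config fragment
Ciphers aes128-ctr,aes256-ctr,3des-cbc,aes128-cbc
RekeyLimit 4G 1h
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
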

Final word
As a rule of thumb, it's once more better to choose the open-source product (OpenSSH) rather than the commercial one (SSH Communications). It's funny to see such big banks paying for SSH Communications products, which are probably less secure than the open-source one.
