Understanding the Terrapin Attack Against SSH
canopic jug writes:
A pseudonymous developer has begun a work in progress to describe the Terrapin attack against SSH servers for use later in coordinating mitigation efforts across SSH implementations. The Terrapin attack is a prefix truncation attack which breaks the integrity of SSH's secure channel during the initial connection handshake.
Terrapin operates by inserting an IGNORE message into one data stream (for ease of language, I'll write as if it's always the server->client one; that one is the higher-value target) during the cleartext phase, then dropping the first message sent by the server after encryption starts. (It has to be the first message, since the MACs include the sequence number; thus, not dropping the first message will cause its MAC to fail with overwhelming probability.) While the Terrapin paper mentions the possibility of injecting more than one IGNORE and dropping more than one initial message, it does not describe attempting that, probably because it would not be useful against the implementations they were working with.

From a theoretical point of view, this breaks the BPP's intent to provide integrity protection, since the supposedly-protected data stream seen by one peer differs from that seen by the other, without the BPP's checks raising any alarm.
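The sequence-number argument in the quoted description can be checked with a small model of one server->client direction of the handshake. The code below is an added illustration, not part of the original write-up or of any SSH implementation: it uses a constructed MAC key and a plain HMAC in place of a real SSH cipher/MAC, counts unauthenticated cleartext packets toward the receive counter exactly as the BPP does, and shows why only the first post-encryption message can be removed without a MAC failure. The `strict` flag is an assumption that goes beyond the quoted text; it models a receiver that rejects unexpected IGNORE messages during the handshake, the kind of check later shipped as strict key exchange.

```python
import hmac
import hashlib

MAC_KEY = b"constructed-session-mac-key"  # constructed sample key, not derived from a real SSH KEX
SSH_MSG_IGNORE = b"\x02"                  # SSH_MSG_IGNORE carries message number 2

def mac(seq: int, payload: bytes) -> bytes:
    # The BPP MAC covers the implicit 32-bit sequence number followed by the packet.
    return hmac.new(MAC_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

def session(cleartext, encrypted, inject_ignores=0, drop=(), strict=False):
    """Model the server->client stream across the switch to encryption.

    cleartext:      messages the server sends before encryption starts (no MAC)
    encrypted:      messages the server sends once MACs are in force
    inject_ignores: IGNORE messages a man-in-the-middle adds to the cleartext phase
    drop:           indices into `encrypted` that the attacker deletes in transit
    strict:         receiver aborts on any IGNORE seen during the handshake
    Returns ("ok", accepted), ("mac_failure", n_accepted) or ("rejected", reason).
    """
    # Cleartext phase: nothing is authenticated, but every packet the client
    # receives still advances its receive-side sequence counter.
    client_seq = 0
    for msg in list(cleartext) + [SSH_MSG_IGNORE] * inject_ignores:
        if strict and msg == SSH_MSG_IGNORE:
            return ("rejected", "unexpected IGNORE during handshake")
        client_seq += 1
    # The server's send counter only counts packets it actually sent.
    server_seq = len(cleartext)
    packets = [(p, mac(server_seq + i, p)) for i, p in enumerate(encrypted)]
    for i in sorted(drop, reverse=True):   # attacker removes MACed packets
        del packets[i]
    # Encrypted phase: the client verifies each MAC against its own counter.
    accepted = []
    for payload, tag in packets:
        if not hmac.compare_digest(mac(client_seq, payload), tag):
            return ("mac_failure", len(accepted))
        accepted.append(payload)
        client_seq += 1
    return ("ok", accepted)
```

With one injected IGNORE, deleting the first encrypted message realigns the two counters and the remaining packets verify; deleting any later message, or deleting without the injection, fails at the first MAC check.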
Previously:
(2023) SSH Protects the World's Most Sensitive Networks. It Just Got a Lot Weaker
Read more of this story at SoylentNews.