Question
I have tried to implement a downgrade attack against the SSH protocol as the first steps (encryption protocols exchange) are not signed, as per RFC4253. The idea is to intercept (mitm) these steps and replace strong algorithms by weaker algorithms supported by both sides.
The replacement is working well, and server and client receive a weakened list of supported algorithms. However, the communication is directly interrupted when the server receives the client's list.
I expected some protection against downgrade attacks to be implemented by the protocol, but I don't see anywhere in the RFC (or in log files) how. SSL, for instance, proceeds by resending the first steps encrypted, to let the other side discover what the first steps were and thus avoid any downgrade attack. But according to tcpdump, nothing is re-sent.
What mechanisms prevent downgrade attacks on SSH?
Explanation / Answer
There is downgrade protection in the SSH protocol. The server and the client perform the DH/ECDH key exchange and calculate the shared secret. This shared secret, along with the server and client version strings and algorithm lists, is hashed to produce a symmetric key.
If you change the supported algorithms, the server and the client will calculate different symmetric keys, unless you have a preimage attack on the hash function that also works when some of the input is secret.
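The binding described in the answer, worked through as an added example (not code from the question or answer): the RFC 4253 section 8 exchange hash H covers the full KEXINIT payloads I_C and I_S, and the section 7.2 session keys are derived from K and H, so a MITM that rewrites the client's algorithm list leaves the two sides with different keys even though the shared secret K is identical. Version strings, host key blob, DH values and KEXINIT contents are constructed placeholders; a real KEXINIT has more name-lists and a random cookie.

```python
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': two's-complement big-endian integer wrapped as a string."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps a positive value positive
        raw = b"\x00" + raw
    return ssh_string(raw)

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k) -> bytes:
    """RFC 4253 section 8: H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K).
    I_C / I_S are the full SSH_MSG_KEXINIT payloads each side believes were
    exchanged, so the offered algorithm lists are bound into H (SHA-256 here)."""
    data = (ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
            + ssh_string(k_s) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(k))
    return hashlib.sha256(data).digest()

def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes) -> bytes:
    """RFC 4253 section 7.2: key = HASH(K || H || letter || session_id)."""
    return hashlib.sha256(ssh_mpint(k) + h + letter + session_id).digest()

def kexinit(kex_algs: bytes, ciphers: bytes) -> bytes:
    """Constructed, simplified KEXINIT payload: msg id 20, 16-byte cookie, two name-lists."""
    cookie = b"\x00" * 16      # fixed for a reproducible demo; real cookies are random
    return b"\x14" + cookie + ssh_string(kex_algs) + ssh_string(ciphers)

# Constructed inputs. In a real exchange e, f and K come from DH/ECDH and the
# attacker in the middle never learns K, so it cannot recompute H for either side.
V_C, V_S = b"SSH-2.0-client_demo", b"SSH-2.0-server_demo"
K_S = b"placeholder-host-key-blob"
E, F, K = 0x1234, 0x5678, 0xABCDEF
STRONG = (b"curve25519-sha256,diffie-hellman-group14-sha256", b"aes256-gcm@openssh.com,aes128-ctr")
I_S = kexinit(*STRONG)

def session_keys(i_c_client_sent: bytes, i_c_server_got: bytes):
    """Client-to-server encryption key as computed by each side; on the first
    exchange the session_id is H itself. Returns (client's key, server's key)."""
    h_client = exchange_hash(V_C, V_S, i_c_client_sent, I_S, K_S, E, F, K)
    h_server = exchange_hash(V_C, V_S, i_c_server_got, I_S, K_S, E, F, K)
    return derive_key(K, h_client, b"C", h_client), derive_key(K, h_server, b"C", h_server)

original = kexinit(*STRONG)
tampered = kexinit(b"diffie-hellman-group14-sha256", b"aes128-ctr")  # weaker list the server saw

if __name__ == "__main__":
    print("untampered keys match:", session_keys(original, original)[0] == session_keys(original, original)[1])
    print("tampered keys match:  ", session_keys(original, tampered)[0] == session_keys(original, tampered)[1])
```

With mismatched keys the first encrypted packet fails its integrity check, which is the abrupt disconnect observed in the question; the server's signature over H (also RFC 4253 section 8) would already fail verification on the client for the same reason.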