"Host key did not match signature" error during rekey - SSH


  1. "Host key did not match signature" error during rekey

    Hi

    I am trying to implement rekey functionality for an SSH proxy
    application which maintains SSH sessions. The particular scenario that
    concerns this question is where the proxy acts as a server to an SSH
    client. I get the above error when the SSH_MSG_KEXDH_REPLY is sent to
    the client. In all likelihood, I'm doing something wrong while
    processing the SSH_MSG_KEXDH_INIT and generating the
    SSH_MSG_KEXDH_REPLY, but I can't figure out what. The spec (RFC 4253
    Section 9) says that the re-exchange is performed identically to the
    first key exchange except the session identifier is reused which I
    interpret to mean that the hash H is to be calculated only the first
    time and reused afterwards. These are the steps I follow:

    H has been generated for the first time as shown in RFC 4253 section 8
    pg 23.

    receive rekey SSH_MSG_KEXDH_INIT
    extract mpint e (as per RFC 4253 section 8 for SSH_MSG_KEXDH_INIT)
    save exchange hash H
    generate new keys (incoming and outgoing encryption keys, mac keys)
    extract mpint f (as required in RFC 4253 section 8 for
    SSH_MSG_KEXDH_REPLY)
    generate shared secret
    generate signature of H
    create SSH_MSG_KEXDH_REPLY from server hostkey, mpint f and signature
    of F


    So basically, I save H and recalculate everything. Note even though H
    is the old one, signature of H will be different as the new signature
    is obtained using the newly generated keypair. Also note that these
    steps are pretty much exactly what's done for a new session, which works
    perfectly - the only different thing I do for rekey is reuse the H.

    The error "Host key did not match signature" basically seems to
    indicate that there was a mismatch in either key generation or
    signature generation. I hope someone familiar with key implementations
    can point out what I am doing wrong here. Would also appreciate
    pointers as to what I should look for to pinpoint the error.

    I can send detailed traces of the message bytestreams if required
    (including putty client log).

    Thanks in advance,
    CV


  2. Re: "Host key did not match signature" error during rekey

    > receive rekey SSH_MSG_KEXDH_INIT
    > extract mpint e (as per RFC 4253 section 8 for SSH_MSG_KEXDH_INIT)
    > save exchange hash H
    > generate new keys (incoming and outgoing encryption keys, mac keys)
    > extract mpint f (as required in RFC 4253 section 8 for
    > SSH_MSG_KEXDH_REPLY)
    > generate shared secret
    > generate signature of H
    > create SSH_MSG_KEXDH_REPLY from server hostkey, mpint f and signature
    > of F



    The last line should read
    "create SSH_MSG_KEXDH_REPLY from server hostkey, mpint f and signature
    of H"


  3. Re: "Host key did not match signature" error during rekey

    In article <1190992774.120972.298880@n39g2000hsh.googlegroups.com>,
    Chet Vora wrote:
    >The spec (RFC 4253
    >Section 9) says that the re-exchange is performed identically to the
    >first key exchange except the session identifier is reused which I
    >interpret to mean that the hash H is to be calculated only the first
    >time and reused afterwards.


    That's wrong. A new exchange hash, H, gets generated, and used
    everywhere the spec specifies H. It's just the session identifier that
    doesn't change, and retains the value generated during the first key
    exchange.

    As an example, the first block of key material is specified to be:

    K1 = HASH(K || H || X || session_id) (X is e.g., "A")

    Where this mentions 'H', that's the exchange hash from the current key
    exchange, whereas where it mentions 'session_id', that's the session
    identifier, i.e. the exchange hash from the first key exchange.

    >So basically, I save H and recalculate everything. Note even though H
    >is the old one, signature of H will be different as the new signature
    >is obtained using the newly generated keypair.


    Um, the signature is generated using the host key, which doesn't
    (usually) change between key exchanges, so I'm not sure how you get a
    different signature.

    --
    Ben Harris

  4. Re: "Host key did not match signature" error during rekey



    On Sep 28, 6:07 pm, Ben Harris wrote:
    > >The spec (RFC 4253
    > >Section 9) says that the re-exchange is performed identically to the
    > >first key exchange except the session identifier is reused which I
    > >interpret to mean that the hash H is to be calculated only the first
    > >time and reused afterwards.

    >
    > That's wrong. A new exchange hash, H, gets generated, and used
    > everywhere the spec specifies H. It's just the session identifier that
    > doesn't change, and retains the value generated during the first key
    > exchange.
    >
    > As an example, the first block of key material is specified to be:
    >
    > K1 = HASH(K || H || X || session_id) (X is e.g., "A")
    >
    > Where this mentions 'H', that's the exchange hash from the current key
    > exchange, whereas where it mentions 'session_id', that's the session
    > identifier, i.e. the exchange hash from the first key exchange.
    >


    Thanks, Ben for that clarification. Does X vary between the first key
    exchange and the current key exchange or is it merely for
    differentiating between the various key types and hence can stay same
    between the rekeys?


    > >So basically, I save H and recalculate everything. Note even though H
    > >is the old one, signature of H will be different as the new signature
    > >is obtained using the newly generated keypair.

    >
    > Um, the signature is generated using the host key, which doesn't
    > (usually) change between key exchanges, so I'm not sure how you get a
    > different signature.
    >


    You're right about the signature. It is the same. I had a bug.

    Thanks,
    CV

    > --
    > Ben Harris




  5. Re: "Host key did not match signature" error during rekey

    In article <1191253659.893167.151870@22g2000hsm.googlegroups.com>,
    Chet Vora wrote:
    >On Sep 28, 6:07 pm, Ben Harris wrote:
    >> As an example, the first block of key material is specified to be:
    >>
    >> K1 = HASH(K || H || X || session_id) (X is e.g., "A")
    >>
    >> Where this mentions 'H', that's the exchange hash from the current key
    >> exchange, whereas where it mentions 'session_id', that's the session
    >> identifier, i.e. the exchange hash from the first key exchange.

    >
    >Thanks, Ben for that clarification. Does X vary between the first key
    >exchange and the current key exchange or is it merely for
    >differentiating between the various key types and hence can stay same
    >between the rekeys?


    I don't see how it could vary, but no, it's the same for each key
    exchange, and just varies between key types.

    --
    Ben Harris
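
Added example (not part of any post in this thread): a Python sketch of the server side of two consecutive exchanges, showing the points made in replies 3 and 5. H is recomputed for every key exchange and is what gets signed, session_id stays pinned to the first H, and the letter X is the same across rekeys. The ServerKex class, the toy DH group, the private exponents and all byte strings are constructed for illustration; SHA-1 is assumed as the kex hash, and signing itself is left out.

```python
import hashlib

def ssh_string(b):                      # RFC 4251 "string": uint32 length + bytes
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n):                       # RFC 4251 "mpint", non-negative values only
    if n == 0:
        return ssh_string(b"")
    # one extra leading 0x00 byte appears exactly when the top bit would be set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k):
    # RFC 4253 section 8: H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K)
    fields = [ssh_string(x) for x in (v_c, v_s, i_c, i_s, k_s)]
    fields += [ssh_mpint(x) for x in (e, f, k)]
    return hashlib.sha1(b"".join(fields)).digest()

def derive_key(k, h, x, session_id, length):
    # RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    # then Kn = HASH(K || H || K1 || ... || Kn-1) until enough bytes exist
    out = hashlib.sha1(ssh_mpint(k) + h + x + session_id).digest()
    while len(out) < length:
        out += hashlib.sha1(ssh_mpint(k) + h + out).digest()
    return out[:length]

class ServerKex:                        # hypothetical helper, not from any SSH library
    P, G = 2**127 - 1, 2                # toy group for the demo, NOT a real SSH group

    def __init__(self, v_c, v_s, host_key_blob):
        self.v_c, self.v_s, self.k_s = v_c, v_s, host_key_blob
        self.session_id = None          # set once, by the first exchange only

    def handle_kexdh_init(self, i_c, i_s, e, y):
        f = pow(self.G, y, self.P)      # server's DH public value
        k = pow(e, y, self.P)           # shared secret K
        h = exchange_hash(self.v_c, self.v_s, i_c, i_s, self.k_s, e, f, k)
        if self.session_id is None:     # first kex: session_id = H, never updated
            self.session_id = h
        enc_key = derive_key(k, h, b"C", self.session_id, 32)  # "C" on every kex
        return {"f": f, "K": k, "H": h, "to_sign": h, "enc_key_c2s": enc_key}

def demo():
    srv = ServerKex(b"SSH-2.0-client_demo", b"SSH-2.0-proxy_demo", b"constructed-host-key-blob")
    first = srv.handle_kexdh_init(b"kexinit-c-1", b"kexinit-s-1", pow(2, 1111, srv.P), 2222)
    rekey = srv.handle_kexdh_init(b"kexinit-c-2", b"kexinit-s-2", pow(2, 3333, srv.P), 4444)
    # The mistake from the first post: deriving with the saved H from the first kex.
    stale = derive_key(rekey["K"], first["H"], b"C", srv.session_id, 32)
    return srv, first, rekey, stale
```

A client computes H for the rekey from the new e, f and K and verifies the host-key signature over that value, so a server that signs the saved first H fails verification even though the host key itself is unchanged.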
