Hi Peter,

On 11 Feb 2013, at 22:45, Peter Gutmann wrote:

> Ralph Holz <h...@net.in.tum.de> writes:
>
>> From what I can tell from our data, the most common symmetric ciphers in SSH
>> are proposed by client/servers to be used in CBC mode. With SSL/TLS and
>> XMLEnc, this mode has had quite some publicity in the recent past.
>
> There have been attacks on SSH based on the fact that portions of the packets
> aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt
> encrypt-then-MAC I'm going to propose the same thing for SSH, it's such a
> no-brainer it should have been adopted years ago when the first attacks popped
> up.

I think you're referring to the 2009 Oakland paper here?

In fact, SSHv2 adopts an "Encrypt & MAC" construction and all fields in SSHv2 are authenticated. But the issue is that this authentication cannot be checked until the whole message has arrived, and the receiver has to use a field in the plaintext to determine how long that message should be. So the receiver has to act on unauthenticated plaintext data. This (in combination with the use of CBC mode) is the root cause of the attack.

The attack on SSH would still work exactly as before if you adopted an encrypt-then-MAC construction in SSH with the encryption being implemented using CBC mode. So your proposal to fix SSH (after we sort out TLS!) should be approached with great care.

Regards

Kenny

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
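Kenny's point above, as an added example that is not part of this thread: a toy Python model of the SSH Binary Packet Protocol receiver under SSH's Encrypt & MAC and under Encrypt-then-MAC, both over CBC, showing that in either construction the receiver decrypts the first block and commits to the packet_length it finds there before any MAC can be checked. The block cipher is a constructed toy permutation standing in for AES/3DES, the keys and IV are constructed, and the MAX_PACKET bound is taken from RFC 4253's 35000-byte requirement; none of this is OpenSSH code.

```python
import hashlib, hmac, struct
BLOCK = 16          # toy block size; SSH's CBC ciphers (AES, 3DES) frame packets in cipher blocks
MAX_PACKET = 35000  # RFC 4253 s6.1: receivers must accept packets up to this size; larger is suspect

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, block, decrypt=False):
    """Constructed toy block permutation, NOT a real cipher: only invertibility matters here."""
    pad = hashlib.sha256(key).digest()[:BLOCK]
    if decrypt:
        return xor(block[-1:] + block[:-1], pad)   # undo byte rotation, then undo XOR
    out = xor(block, pad)
    return out[1:] + out[:1]                       # XOR, then rotate bytes

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out, prev = out + xor(toy_block(key, blk, True), prev), blk
        else:
            prev = toy_block(key, xor(blk, prev))
            out += prev
    return out

def bpp_plaintext(payload):
    """RFC 4253 s6 framing: uint32 packet_length, byte padding_length, payload, padding (>= 4)."""
    pad_len = BLOCK - (5 + len(payload)) % BLOCK
    pad_len += BLOCK if pad_len < 4 else 0
    return struct.pack(">IB", 1 + len(payload) + pad_len, pad_len) + payload + bytes(pad_len)

def send(payload, key, iv, mac_key, seqno, etm):
    pt = bpp_plaintext(payload)   # zero padding for determinism; RFC 4253 wants random padding
    ct = cbc(key, iv, pt)
    mac_input = struct.pack(">I", seqno) + (ct if etm else pt)   # Encrypt-then-MAC vs Encrypt & MAC
    return ct + hmac.new(mac_key, mac_input, hashlib.sha256).digest()

def receive(stream, key, iv, mac_key, seqno, etm):
    """Receiver steps under either construction: decrypt block 1, act on its unauthenticated length, then MAC."""
    first_pt = cbc(key, iv, stream[:BLOCK], decrypt=True)
    packet_length = struct.unpack(">I", first_pt[:4])[0]
    trace = ["decrypt block 1", f"commit to unauthenticated packet_length={packet_length}"]
    if packet_length > MAX_PACKET or (packet_length + 4) % BLOCK:
        return trace + ["reject: implausible packet_length"], None   # defender's sanity bound
    body_ct = stream[:4 + packet_length]
    pt = cbc(key, iv, body_ct, decrypt=True)
    mac_input = struct.pack(">I", seqno) + (body_ct if etm else pt)
    tag = stream[4 + packet_length:4 + packet_length + 32]
    if not hmac.compare_digest(tag, hmac.new(mac_key, mac_input, hashlib.sha256).digest()):
        return trace + ["reject: MAC failure"], None
    return trace + ["MAC verified"], pt[5:4 + packet_length - pt[4]]
```

The trace returned by `receive` is identical in its first two steps for both constructions, which is exactly why moving to encrypt-then-MAC while keeping CBC does not remove the dependency on unauthenticated plaintext.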