Jeff,

>> There have been attacks on SSH based on the fact that portions of the packets
>> aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt
>> encrypt-then-MAC I'm going to propose the same thing for SSH, it's such a
>> no-brainer it should have been adopted years ago when the first attacks popped
>> up.
>
> Hi Doctor. Out of curiosity, why wait?

The reason to wait, and to approach with extreme care, is contained in my previous message to Peter and repeated below. For SSH, it's not as simple as ripping out one algorithm/construction and replacing it with another.

> Krawczyk told us how to do authenticated encryption back in 2001.
> Confer: The Order of Encryption and Authentication for Protecting
> Communications (http://www.iacr.org/archive/crypto2001/21390309.pdf).
> He also said the details of the other schemes were tricky to get
> right, and history (failures?) has shown he was correct.

Indeed he did. But his paper does apply in case your protocol is also trying to hide message lengths by encrypting them. Some Encrypt-then-MAC instantiations (in particular, CBC-mode encryption + any MAC) would also be insecure in SSH.

> I know it's nothing new here. I'm just befuddled why standardized
> protocols written in stone by bright folks (IETF, IEEE, et al)
> continue to suffer defects that I don't make/endure (because I listen
> to cryptographers like you).

A simplistic answer: because they prioritise backwards compatibility over cryptographic security. In fact, the same thing is happening all over again with W3C's Web Crypto effort.

Cheers

Kenny

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
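Kenny's point that SSH's encrypted length field makes the swap more than a drop-in replacement shows up in the receiver's control flow. The Python below is an added illustration, not code from this thread or from any SSH implementation: it frames one payload in a simplified classic SSH layout (length encrypted together with the payload, MAC over the plaintext, padding omitted) and in an encrypt-then-MAC layout (length in the clear, MAC over sequence number, length and ciphertext), then reports how many bytes each receiver must decrypt before it is able to check the tag. The HMAC-based keystream standing in for a real cipher, the fixed keys, the sequence number and the `MAX_PACKET` bound are all constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32        # HMAC-SHA256 output length
MAX_PACKET = 35000  # sanity bound applied to a length field before it is trusted (constructed value)


def keystream(key: bytes, seqno: int, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real stream/CTR cipher."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QQ", seqno, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mac(mac_key: bytes, seqno: int, data: bytes) -> bytes:
    """HMAC-SHA256 over the sequence number and the data being authenticated."""
    return hmac.new(mac_key, struct.pack(">I", seqno) + data, hashlib.sha256).digest()


def classic_seal(enc_key, mac_key, seqno, payload):
    """Classic SSH-style framing (simplified, no padding): the length field is encrypted
    together with the payload and the MAC is computed over the plaintext packet."""
    packet = struct.pack(">I", len(payload)) + payload
    return xor(packet, keystream(enc_key, seqno, len(packet))) + mac(mac_key, seqno, packet)


def classic_open(enc_key, mac_key, seqno, wire):
    """Receiver for classic framing: the length has to be decrypted before the MAC can
    even be located, so ciphertext is always acted on before it is authenticated."""
    (length,) = struct.unpack(">I", xor(wire[:4], keystream(enc_key, seqno, 4)))
    decrypted = 4
    if length > MAX_PACKET:
        return {"payload": None, "status": "length", "decrypted_before_auth": decrypted}
    total = 4 + length
    if total + TAG_LEN > len(wire):
        return {"payload": None, "status": "incomplete", "decrypted_before_auth": decrypted}
    packet = xor(wire[:total], keystream(enc_key, seqno, total))
    decrypted = total
    if not hmac.compare_digest(mac(mac_key, seqno, packet), wire[total:total + TAG_LEN]):
        return {"payload": None, "status": "mac", "decrypted_before_auth": decrypted}
    return {"payload": packet[4:], "status": "ok", "decrypted_before_auth": decrypted}


def etm_seal(enc_key, mac_key, seqno, payload):
    """Encrypt-then-MAC framing: length sent in the clear, payload encrypted,
    MAC over seqno || length || ciphertext."""
    length = struct.pack(">I", len(payload))
    ct = xor(payload, keystream(enc_key, seqno, len(payload)))
    return length + ct + mac(mac_key, seqno, length + ct)


def etm_open(enc_key, mac_key, seqno, wire):
    """Receiver for EtM framing: verify the tag over the raw wire bytes first;
    nothing is decrypted until authentication has succeeded."""
    (length,) = struct.unpack(">I", wire[:4])
    if length > MAX_PACKET:  # the cleartext length is still unauthenticated here, so bound it
        return {"payload": None, "status": "length", "decrypted_before_auth": 0}
    total = 4 + length
    if total + TAG_LEN > len(wire):
        return {"payload": None, "status": "incomplete", "decrypted_before_auth": 0}
    if not hmac.compare_digest(mac(mac_key, seqno, wire[:total]), wire[total:total + TAG_LEN]):
        return {"payload": None, "status": "mac", "decrypted_before_auth": 0}
    payload = xor(wire[4:total], keystream(enc_key, seqno, length))
    return {"payload": payload, "status": "ok", "decrypted_before_auth": 0}


def compare(payload: bytes) -> dict:
    """Seal one payload both ways, then open the genuine and a corrupted copy of each."""
    enc_key, mac_key, seqno = b"K" * 32, b"M" * 32, 7   # constructed keys and sequence number
    classic = classic_seal(enc_key, mac_key, seqno, payload)
    etm = etm_seal(enc_key, mac_key, seqno, payload)

    def corrupt(wire):  # flip one bit in the first byte after the length field
        return wire[:4] + bytes([wire[4] ^ 0x01]) + wire[5:]

    return {
        "roundtrip_classic": classic_open(enc_key, mac_key, seqno, classic)["payload"],
        "roundtrip_etm": etm_open(enc_key, mac_key, seqno, etm)["payload"],
        "classic_tampered": classic_open(enc_key, mac_key, seqno, corrupt(classic)),
        "etm_tampered": etm_open(enc_key, mac_key, seqno, corrupt(etm)),
    }


if __name__ == "__main__":
    for name, result in compare(b"hello world").items():
        print(name, result)
```

The figure to watch is `decrypted_before_auth`: the classic receiver has to decrypt and act on unauthenticated data just to find where the MAC is, which is the structural property behind the SSH attacks referred to above, whereas the EtM receiver reads only a cleartext length (still bounds-checked, since it is not yet authenticated either) and rejects the corrupted packet without decrypting a single byte. The message's separate caveat about CBC-mode instantiations is not captured by this ordering comparison; the toy keystream here is a stream cipher.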