Hi Ralph,

CBC mode is indeed a bad choice for SSH, but for other reasons than the recent attacks on TLS. The paper you mention was published as:

Albrecht, Paterson, Watson, Plaintext recovery attacks on SSH. IEEE Symposium on Security and Privacy, 2009

and explains why. CTR mode in SSH seems to be secure and is now preferred to CBC mode in SSH - see my Eurocrypt 2010 paper with Gaven Watson for a formal security analysis of this (it's also on eprint: http://eprint.iacr.org/2010/095 ). I'm not aware of any other work on SSH's symmetric encryption since.

Cheers

Kenny

Sent from my iPhone

On 11 Feb 2013, at 19:15, "Ralph Holz" <h...@net.in.tum.de> wrote:

> Hi,
>
> From what I can tell from our data, the most common symmetric ciphers in
> SSH are proposed by client/servers to be used in CBC mode. With SSL/TLS
> and XMLEnc, this mode has had quite some publicity in the recent past.
>
> I was wondering to which degree the attacks that were possible on SSL
> with AES/CBC might also be applicable to SSH? Quickly asking Google
> yielded things like
>
> http://modular.math.washington.edu/home/wstein/www/home/malb/papers/plaintext_recover_attacks_against_ssh.pdf
>
> http://www.kb.cert.org/vuls/id/958563
>
> I was wondering if there have recently been any more insights? Grateful
> for any pointers.
>
> Thanks,
> Ralph
>
> --
> Ralph Holz
> Network Architectures and Services
> Technische Universität München
> Phone +49 89 28918043
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
>
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
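The point of the exchange above is that what a client or server merely offers matters less than which cipher actually wins the negotiation, and that CTR should be preferred over CBC. The following is an added example, not code from either poster: it models the cipher selection rule of RFC 4253 section 7.1 (the client's preference order decides, the first client entry the server also lists wins), flags when a CBC-mode cipher would be chosen, and shows what a name-list with CBC entries removed looks like. The cipher identifiers are standard SSH/OpenSSH names; the sample name-lists are constructed.

```python
# Added example (not from the thread): model SSH cipher negotiation per
# RFC 4253 section 7.1 and flag cases where a CBC-mode cipher would be chosen.
# Cipher identifiers are standard SSH/OpenSSH names; sample lists are constructed.
from typing import List, Optional, Tuple


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """Return the first cipher in the client's name-list that the server also
    lists (the client's preference order decides), or None if no overlap."""
    offered_by_server = set(server_list.split(","))
    for name in client_list.split(","):
        if name in offered_by_server:
            return name
    return None


def is_cbc(cipher: str) -> bool:
    """True for CBC-mode ciphers. The '@domain' suffix of private-use names
    (e.g. rijndael-cbc@lysator.liu.se) is dropped before checking."""
    return cipher.split("@")[0].endswith("-cbc")


def strip_cbc(name_list: str) -> str:
    """Hardened name-list with every CBC entry removed, order preserved; this is
    what a Ciphers directive without CBC modes looks like."""
    return ",".join(c for c in name_list.split(",") if not is_cbc(c))


def audit(pairs: List[Tuple[str, str, str]]) -> List[Tuple[str, Optional[str], bool]]:
    """For each (label, client_list, server_list) return the negotiated cipher
    and whether it is CBC. Offering CBC is not itself the problem; CBC winning
    the negotiation is."""
    report = []
    for label, client_list, server_list in pairs:
        chosen = negotiate(client_list, server_list)
        report.append((label, chosen, is_cbc(chosen or "")))
    return report


# Constructed sample exchanges (not real captures).
SAMPLES = [
    ("old-client", "aes128-cbc,3des-cbc,aes128-ctr", "aes256-ctr,aes128-ctr,aes128-cbc"),
    ("ctr-first",  "aes128-ctr,aes128-cbc",          "aes128-cbc,aes128-ctr"),
    ("hardened",   "aes128-cbc,3des-cbc,aes128-ctr", strip_cbc("aes256-ctr,aes128-ctr,aes128-cbc")),
    ("no-overlap", "aes128-cbc",                     "aes256-ctr"),
]

if __name__ == "__main__":
    for label, chosen, cbc in audit(SAMPLES):
        note = "  [CBC selected: move CTR ahead of CBC or drop CBC]" if cbc else ""
        print(f"{label:11} -> {chosen or 'negotiation fails'}{note}")
```

Note that in the "old-client" case the server lists CTR first but still ends up with CBC, because the client's order wins; removing CBC from the server side (the "hardened" case) forces CTR regardless of client preference.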