On Mon, Feb 11, 2013 at 5:45 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> Ralph Holz <h...@net.in.tum.de> writes:
>
>> From what I can tell from our data, the most common symmetric ciphers in SSH
>> are proposed by client/servers to be used in CBC mode. With SSL/TLS and
>> XMLEnc, this mode has had quite some publicity in the recent past.
>
> There have been attacks on SSH based on the fact that portions of the packets
> aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt
> encrypt-then-MAC I'm going to propose the same thing for SSH, it's such a
> no-brainer it should have been adopted years ago when the first attacks popped
> up.

Hi Doctor.

Out of curiosity, why wait?
Krawczyk told us how to do authenticated encryption back in 2001. Confer: The Order of Encryption and Authentication for Protecting Communications (http://www.iacr.org/archive/crypto2001/21390309.pdf). He also said the details of the other schemes were tricky to get right, and history (failures?) has shown he was correct.

Wagner and Schneier also told us what should be authenticated back in 1996. Confer: Analysis of the SSL 3.0 Protocol (http://www.schneier.com/paper-ssl.html). Folks are still getting that wrong too. If you use the contrapositive from Wagner and Schneier's paper, you can also determine useless protocol fields.

I know it's nothing new here. I'm just befuddled why standardized protocols written in stone by bright folks (IETF, IEEE, et al) continue to suffer defects that I don't make/endure (because I listen to cryptographers like you).

Jeff

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography